[SAC] [OSGeo] #2626: OSGeo6 security remediation

#2626: OSGeo6 security remediation
---------------------------+---------------------------------------
Reporter: robe | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2021-II
Component: Systems Admin | Keywords:
---------------------------+---------------------------------------
Disable TLSv1 for http, https, smtp, postfix
Disable SWEET32 cipher suite for https, http
Disable use of jQuery 1.2 (this may be harder as I'm not sure what is
using it). At any rate it needs to be upgraded to 3.5 or later

valid cert for mail, postfix and disable weak hashing algorithms

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2626>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.

#2626: OSGeo6 security remediation
---------------------------+----------------------------------------
Reporter: robe | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2021-II
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+----------------------------------------

Comment (by robe):

to remedy:

1) was pointing at doc.geotools.org -- set up a fake site to show "Nothing
here" as the default
  And set up to get a letsencrypt cert for osgeo6.osgeo.osuosl.org

2) Mail was using expired wildcard cert -- changed to use the letsencrypt
one for lists.osgeo.org by editing
  /etc/postfix/main.cf and also updated ciphers

{{{
#smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2

tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3D$
tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
}}}

{{{
systemctl restart postfix
}}}

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2626#comment:1>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
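
Added example, not part of the ticket or OSGeo's own tooling: a Python check that parses main.cf-style text (comments and whitespace-continued lines) and reports which of the ticket's TLS items the Postfix settings leave open, namely 3DES (SWEET32) and TLSv1, for both smtp and smtpd. The sample config is constructed; the *_tls_protocols and *_tls_mandatory_protocols parameters are standard Postfix settings that the ticket does not show, and an unset parameter is assumed to leave TLSv1 enabled.

```python
import re

# Constructed sample in main.cf syntax (not the server's real file). The
# exclude lists mirror the ticket; the *_protocols line is an assumption.
SAMPLE_MAIN_CF = """\
#smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW,
    DES, 3DES, SSLv2
smtpd_tls_protocols = !SSLv2, !SSLv3
"""

def parse_main_cf(text):
    """Return {parameter: value} using Postfix comment/continuation rules."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if line[0] in " \t" and current:
            params[current] += " " + line.strip()  # continuation line
            continue
        name, sep, value = line.partition("=")
        current = name.strip() if sep else None
        if current:
            params[current] = value.strip()  # a later setting overrides
    return params

def tokens(value):
    return {t for t in re.split(r"[,\s]+", value) if t}

def audit(params):
    """List the ticket's TLS items that the parsed settings do not cover."""
    findings = []
    for side in ("smtp", "smtpd"):
        if "3DES" not in tokens(params.get(f"{side}_tls_exclude_ciphers", "")):
            findings.append(f"{side}_tls_exclude_ciphers: 3DES allowed (SWEET32)")
        for name in (f"{side}_tls_protocols", f"{side}_tls_mandatory_protocols"):
            protos = tokens(params.get(name, ""))
            # Unset is treated as "TLSv1 still enabled" (assumption, see lead-in).
            if "!TLSv1" not in protos and not any(
                    p.startswith(">=TLSv1.") for p in protos):
                findings.append(f"{name}: TLSv1 not disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_main_cf(SAMPLE_MAIN_CF)):
        print(finding)
```

Feeding it the output of `postconf -n` instead of the raw file checks the settings Postfix actually loaded.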

#2626: OSGeo6 security remediation
---------------------------+----------------------------------------
Reporter: robe | Owner: sac@…
     Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2021-II
Component: Systems Admin | Resolution: fixed
Keywords: |
---------------------------+----------------------------------------
Changes (by robe):

* status: new => closed
* resolution: => fixed

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2626#comment:2>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.