lubuntu-qa team mailing list archive
Re: Fwd: [Bug 1301274] Re: SSL validation problem (or sync Sylpheed from Debian sid)
On Thu, 11 Sep 2014 11:40:15 -0700
∅ <carsrcoffins23@xxxxxxxxx> wrote:
> Could you all verify that this problem is solved, so we can get an SRU
> going? We need to act fast!
> ---------- Forwarded message ----------
> From: Julien Lavergne <julien.lavergne@xxxxxxxxx>
> Date: Thu, Sep 11, 2014 at 6:15 AM
> Subject: [Bug 1301274] Re: SSL validation problem (or sync Sylpheed
> from Debian sid)
> To: carsrcoffins23@xxxxxxxxx
> As this update should fix a security issue, I would be glad if someone
> from the security team could check this update, to see if the issue is
> really fixed.
> I also ask for people to help in the testing, to validate the SRU.
> You received this bug notification because you are a member of Lubuntu
> Packages Team, which is subscribed to sylpheed in Ubuntu.
> SSL validation problem (or sync Sylpheed from Debian sid)
> Status in “sylpheed” package in Ubuntu:
> Fix Released
> Status in “sylpheed” source package in Trusty:
> Fix Committed
> Bug description:
> SRU statement:
> * Actual sylpheed has 2 major issues:
> - Security problem (SSL certificate validation)
> - Losing mail using POP3
> The problem is that the security fix is separated into several
> commits, so it's not easy and secure to cherry-pick commits, and maybe
> other commits that could be necessary are not labeled « SSL fix ».
> So, the easiest and more secure way to fix this is to take the whole
> upstream release. It will also fix the other major issue.
> Since 3.4.0 beta7 (included in trusty), the changelog to 3.4.1 is:
> Mac OS X support was improved.
> SSL certificate hostname is validated now (#167).
> The Japanese manual was modified so that IE correctly detects its
> character encoding.
> The rightmost column of folder view and summary view became easier to resize.
> Appropriate columns of folder view, summary view, etc. are
> auto-expanded by window resize when using GTK+ 2.14 or later.
> The initial setup dialog is now resizable.
> PGP encrypt-to-self feature was added.
> The display period of notification window became configurable.
> Win32: OpenSSL was updated to 0.9.8y.
> Win32: libpng was updated to 1.2.51.
> SSL wildcard certificate is also validated now (#167).
> The compile error with OpenSSL disabled was fixed.
> This release fixes an important bug that would lose mails when local
> mailbox was inaccessible on POP3 receiving.
> The other fixes are minimal when you compare them to the 2 major fixes +
> the risk to miss something by cherry-picking commits.
> [Test Case]
> Details of the security issue are described on the upstream bug
> tracker: http://sylpheed.sraoss.jp/redmine/issues/167
> Since it's a security issue, it's not really easy to reproduce.
> Also, details about the loss of email are on the upstream bug tracker.
> [Regression Potential]
> I can't see any regressions. The fixes have been upstream for quite some
> time, and there are no new releases fixing those issues again (so I
> assume the actual fixes are good).
> Changelog:
> sylpheed (3.4.1-0ubuntu0.1) trusty-proposed; urgency=medium
> * New upstream release
> - Fix SSL validation (LP: #1301274).
> - Fix losing mails when local mailbox is inaccessible on POP3 receiving.
> -- Julien Lavergne <gilir@xxxxxxxxxx> Fri, 16 May 2014 15:29:20
> Debdiff is attached.
> Original report :
> Ubuntu 14.04 LTS Trusty Tahr currently only has the old Sylpheed 3.4
> beta 7:
> whereas Debian sid has the new Sylpheed 3.4 stable:
> The new Sylpheed 3.4 stable also has a security fix that Sylpheed 3.4
> beta 7 does not have, see:
> So, please update the package in Ubuntu 14.04 LTS Trusty Tahr, so that
> it will have the new Sylpheed 3.4 stable as well.
> The changelog of Sylpheed is available over there:
> It would be much appreciated.
How exactly do I test this? Don't I need to have an SSL certificate that is signed? The upstream report doesn't make clear what "own domain" is.
Am I testing that someone can't have an SSL certificate for my site that is valid and then decrypt my emails in transit as I receive them on that end? I don't have a valid SSL cert.
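What the 3.4.1 fix checks is whether the name in the server's certificate actually matches the host the client connected to (upstream #167 covers both plain and wildcard names). The following is an added illustration of that matching rule, written for this archive and not taken from Sylpheed's source; the certificate names and hostnames in it are constructed test values, and the rules implemented are the common RFC 6125-style ones (case-insensitive labels, a wildcard only as the whole leftmost label matching exactly one label, SAN dNSName entries preferred over the subject CN).

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if certificate name `pattern` (possibly '*.example.com') covers
    `hostname`.  A client that skips this check accepts any valid-looking
    certificate, which is the bug class the Sylpheed 3.4.1 update closes."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname          # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard allowed only as the entire leftmost label, and only when at
    # least two fixed labels follow it (so '*.com' matches nothing).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # '*' covers exactly one label: never the bare domain, never sub-subdomains.
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(san_dns_names, subject_cn, hostname) -> bool:
    """Mimic a validating client: use subjectAltName dNSName entries when the
    certificate has any; fall back to the subject CN only when it has none."""
    if san_dns_names:
        names = list(san_dns_names)
    else:
        names = [subject_cn] if subject_cn else []
    return any(dns_name_matches(name, hostname) for name in names)


if __name__ == "__main__":
    # Constructed scenario: the client wanted mail.example.com, but the
    # peer presented a certificate that is valid for a different name.
    presented_san = ["other.example.net"]
    presented_cn = "other.example.net"
    ok = cert_matches_host(presented_san, presented_cn, "mail.example.com")
    print("certificate accepted for mail.example.com:", ok)   # False
    # A correctly issued wildcard certificate for the mail host is accepted.
    print("wildcard *.example.com covers mail.example.com:",
          dns_name_matches("*.example.com", "mail.example.com"))  # True
```

The first print shows the case the bug report is about: a certificate that chains to a trusted CA but is issued for another host must be rejected, which a client without hostname validation would not do.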