
lubuntu-qa team mailing list archive

Re: Fwd: [Bug 1301274] Re: SSL validation problem (or sync Sylpheed from Debian sid)

 

On Thu, 11 Sep 2014 11:40:15 -0700
<carsrcoffins23@xxxxxxxxx> wrote:

> Could you all verify that this problem is solved, so we can get an SRU
> going? We need to act fast!
> 
> wxl
> 
> 
> ---------- Forwarded message ----------
> From: Julien Lavergne <julien.lavergne@xxxxxxxxx>
> Date: Thu, Sep 11, 2014 at 6:15 AM
> Subject: [Bug 1301274] Re: SSL validation problem (or sync Sylpheed
> from Debian sid)
> To: carsrcoffins23@xxxxxxxxx
> 
> 
> As this update should fix a security issue, I would be glad if someone
> from the security team could check this update, to see if the issue is
> really fixed.
> I also ask for people to help in the testing, to validate the SRU.
> 
> --
> You received this bug notification because you are a member of Lubuntu
> Packages Team, which is subscribed to sylpheed in Ubuntu.
> https://bugs.launchpad.net/bugs/1301274
> 
> Title:
>   SSL validation problem (or sync Sylpheed from Debian sid)
> 
> Status in “sylpheed” package in Ubuntu:
>   Fix Released
> Status in “sylpheed” source package in Trusty:
>   Fix Committed
> 
> Bug description:
>   SRU statement :
>   [Impact]
> 
>   * Actual sylpheed has 2 major issues :
>   - Security problem (SSL certificate validation)
>   - Losing mail using POP3
> 
>   The problem is that the security fix is separated into several
>   commits, so it's not easy and secure to cherry-pick commits, and maybe
>   other commits that could be necessary and not labeled « SSL fix ».
> 
>   So, the easiest and more secure way to fix this is to take the whole
>   upstream release. It will also fix the other major issue.
> 
>   Since 3.4.0 beta7 (included in trusty), the changelog to 3.4.1 is :
> 
>   Mac OS X support was improved.
>   SSL certificate hostname is validated now (#167).
>   The Japanese manual was modified so that IE correctly detects its
>   character encoding.
>   The rightmost column of folder view and summary view became easier to resize.
>   Appropriate columns of folder view, summary view, etc. are
> auto-expanded by window resize when using GTK+ 2.14 or later.
>   The initial setup dialog is now resizable.
>   PGP encrypt-to-self feature was added.
>   The display period of notification window became configurable.
>   Win32: OpenSSL was updated to 0.9.8y.
>   Win32: libpng was updated to 1.2.51.
> 
>   SSL wildcard certificate is also validated now (#167).
>   The compile error with OpenSSL disabled was fixed.
> 
>   This release fixes an important bug that would lose mails when local
>   mailbox was inaccessible on POP3 receiving.
> 
>   The other fixes are minimal when you compare to the 2 major fixes +
>   the risk to miss something by cherry-picking commits.
> 
>   [Test Case]
>   Detail of the security issue is described on the upstream bug
> tracker : http://sylpheed.sraoss.jp/redmine/issues/167
>   Since it's a security issue, it's not really easy to reproduce.
> 
>   Also, details about the loss of email are on upstream bug tracker
>   http://sylpheed.sraoss.jp/redmine/issues/193
> 
> 
>   [Regression Potential]
> 
>   I can't see any regressions. The fixes have been upstream for quite some
>   time, and there are no new releases fixing again those issues (so I
>   assume the actual fixes are good).
> 
>   Changelog :
>   sylpheed (3.4.1-0ubuntu0.1) trusty-proposed; urgency=medium
> 
>     * New upstream release
>      - Fix SSL validation (LP: #1301274).
>      - Fix losing mails when local mailbox is inaccessible on POP3 receiving.
> 
>    -- Julien Lavergne <gilir@xxxxxxxxxx>  Fri, 16 May 2014 15:29:20
>   +0200
> 
>   Debdiff is attached.
> 
>   Original report :
>   Hello,
> 
>   Ubuntu 14.04 LTS Trusty Tahr currently only has the old Sylpheed 3.4
>   beta 7:
> 
>   http://packages.ubuntu.com/trusty/sylpheed
> 
>   whereas Debian sid has the new Sylpheed 3.4 stable:
> 
>   https://packages.debian.org/sid/sylpheed
> 
>   The new Sylpheed 3.4 stable also has a security fix that Sylpheed 3.4
>   beta 7 does not have, see:
> 
>   http://sylpheed.sraoss.jp/redmine/issues/167
> 
>   So, please update the package in Ubuntu 14.04 LTS Trusty Tahr, so that
>   it will have the new Sylpheed 3.4 stable as well.
> 
>   The changelog of Sylpheed is available over there:
> 
>   http://sylpheed.sraoss.jp/en/news.html
> 
>   It would be much appreciated.
> 
>   Regards
> 
How exactly do I test this? Don't I need to have an SSL certificate that is signed? The upstream report doesn't make clear what own domain is.

Am I testing that someone can't have an SSL certificate for my site that is valid and then decrypt my emails in transit as I receive them on that end? I don't have a valid SSL cert.

-- 
brendanperrine <walterorlin@xxxxxxxxx>
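The two 3.4.1 changelog entries at issue (#167: hostname validation, then wildcard validation) describe the check a client must perform after the TLS handshake. As an added illustration, not code from Sylpheed or from anyone in this thread, the following Python implements that check in the RFC 6125 style most clients use; `SAMPLE_PEERCERT` is a constructed dictionary in the shape `ssl.SSLSocket.getpeercert()` returns, and the function names are the example's own.

```python
import ipaddress

# Constructed sample (no real certificate) in the shape of ssl getpeercert():
# a certificate issued for mail.example.org and *.example.org.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "mail.example.org"), ("DNS", "*.example.org")),
}


def dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname: case-insensitive, '*' only
    as the entire leftmost label, the wildcard never spans a dot and never
    matches the bare parent domain, and '*.tld' is rejected outright."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # wildcard must be the whole leftmost label, with >= 2 fixed labels
    if any("*" in label for label in p_labels[1:]):
        return False  # a wildcard anywhere else is not allowed
    if len(h_labels) != len(p_labels):
        return False  # "*.example.org" matches neither "example.org" nor "a.b.example.org"
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(peercert: dict, hostname: str) -> bool:
    """Decide whether a certificate is valid for the name the client connected to.
    A literal IP address is accepted only via an iPAddress SAN (never CN or a
    wildcard); when any dNSName SAN exists the CN is ignored, per RFC 6125."""
    san = peercert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        ipaddress.ip_address(hostname)
        return hostname in ip_names
    except ValueError:
        pass  # not an IP literal, fall through to name matching
    if dns_names:
        return any(dns_pattern_matches(p, hostname) for p in dns_names)
    # Only a certificate with no dNSName entries at all falls back to the CN.
    cns = [value for rdn in peercert.get("subject", ())
           for kind, value in rdn if kind == "commonName"]
    return any(dns_pattern_matches(cn, hostname) for cn in cns)
```

A client that skips this step (the pre-3.4.1 behaviour the bug describes) accepts any certificate the CA chain validates, regardless of which host it was issued for, so a test of the fix is a connection where the chain is fine but the name is not.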

