ubuntu-mail-server team mailing list archive
Message #00045
[Bug 644046] Re: should test handling of multiple From addresses
** Changed in: pydkim
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Mail Server, which is subscribed to pydkim in Ubuntu.
https://bugs.launchpad.net/bugs/644046
Title:
should test handling of multiple From addresses
Status in Module for DKIM signing and verification in Python:
Fix Committed
Status in “pydkim” package in Ubuntu:
Confirmed
Bug description:
Scott Kitterman mentioned problems in some DKIM implementations. By
inspection I don't think pydkim is vulnerable to this but it would be
nice to add a test. He asked that this be kept confidential for now.
----
I've recently become aware that there are potential problems with multiple
From addresses and DKIM. At least one vendor has modified their code to deal
with the problem of a message being DKIM signed with one From and then later
the bad guy adds a second From to the message and resends it. Since the
original From is still there, the signature still validates, but many MUAs
will display the second one, leading to a case where users might be presented a
DKIM-validated message and a From that isn't the one in the signature.
The solution is to make sure that, when you are canonicalizing the message, you include
all From headers and not just one. That way if a From is added, the signature
validation will fail.
I have not had time to check pydkim to see how it handles this. If I do, I'll
let you know. Since this is a protocol vulnerability, it will take some time
to get a coordinated resolution, so if you change things in the meantime,
please don't say you're doing it for security reasons.
Scott K
To manage notifications about this bug go to:
https://bugs.launchpad.net/pydkim/+bug/644046/+subscriptions
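
The coverage question raised in the message above, as an added example that is not part of the original message and is not pydkim code: a check of which From headers the h= tag of a DKIM-Signature actually feeds into the hash. It goes slightly beyond the message by applying the RFC 6376 rule that h= entries select header instances from the bottom of the header block upward. The function names and sample messages are constructed for illustration, and no cryptographic verification is performed.

```python
import email

def signed_header_names(sig_value):
    """Lowercased header names listed in the h= tag of a DKIM-Signature value."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return [n.lower() for n in tags.get("h", "").split(":") if n]

def from_coverage(raw):
    """Report which From headers the first DKIM-Signature's h= tag covers."""
    msg = email.message_from_bytes(raw)
    froms = msg.get_all("From", [])
    signed = signed_header_names(msg.get("DKIM-Signature", "")).count("from")
    # h= entries consume header instances from the bottom of the block upward,
    # so anything above the last `signed` instances never enters the hash.
    uncovered = froms[:max(0, len(froms) - signed)]
    return {
        "from_count": len(froms),
        "uncovered": uncovered,
        # More h= entries than headers: an added From changes the hash input.
        "oversigned": signed > len(froms),
    }

# Constructed sample messages (placeholder signature values, not real ones).
SIG = (b"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\r\n"
       b" h=%s; bh=PLACEHOLDER; b=PLACEHOLDER\r\n")
BODY = b"From: alice@example.com\r\nTo: bob@example.org\r\nSubject: hi\r\n\r\nhello\r\n"
SIGNED_ONCE = SIG % b"from:to:subject" + BODY
WITH_ADDED_FROM = b"From: ceo@example.net\r\n" + SIGNED_ONCE
OVERSIGNED = SIG % b"from:from:to:subject" + BODY

if __name__ == "__main__":
    for label, raw in [("signed once", SIGNED_ONCE),
                       ("added From", WITH_ADDED_FROM),
                       ("oversigned", OVERSIGNED)]:
        print(label, from_coverage(raw))
```

A non-empty `uncovered` list means a From header is present that the signature says nothing about, which a verifier or filter can treat as a failure regardless of the cryptographic result.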