ubuntu-mail-server team mailing list archive

Thread
Date

[Bug 1071139] Re: DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust

To: ubuntu-mail-server@xxxxxxxxxxxxxxxxxxx
From: Scott Kitterman <ubuntu@xxxxxxxxxxxxx>
Date: Sat, 27 Oct 2012 05:47:16 -0000
Reply-to: Bug 1071139 <1071139@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Description changed:

  See http://www.kb.cert.org/vuls/id/268267, VU#268267
  
  opendkim in squeeze, wheezy, sid offers no method to prevent use of keys
  less than 1024 bits.  This is added in the new upstream release, 2.6.8, that
  was released just for this issue.
+ 
+ [IMPACT]
+ 
+  * DKIM verifiers using opendkim will use insecure keys to produce valid
+ results.
+ 
+ [TESTCASE]
+ 
+  * The new functionality to limit key sizes is not easy to test, but is covered by
+    additions to the test suite.
+ 
+  * In order to verify this package, it needs to be installed and tested that it
+    generally works as before.
+ 
+  * Because of the specialized nature of this package, it's not possible to produce
+    a test case that just anyone can verify.
+ 
+ [Regression Potential]
+ 
+  * Regression potential is very small as the only code changes in this release are 
+    the changes to resolve this issue.
+ 
+ [Other Info]
+ 
+  * Almost all of the diff is tool related noise.  I've attached the non-noise part
+    of the diff to this bug for reference.  I think it's lower risk to just update
+    to the new release to match what upstream is doing since there are no other 
+    changes in this release.
+  
+  * The security team has reviewed this bug and said it should go via SRU and not in
+    -security since it causes a config file change.

** Changed in: opendkim (Ubuntu Quantal)
       Status: New => In Progress

** Changed in: opendkim (Ubuntu Quantal)
   Importance: Undecided => High

** Changed in: opendkim (Ubuntu Quantal)
     Assignee: (unassigned) => Scott Kitterman (kitterman)

** Changed in: opendkim (Ubuntu Quantal)
    Milestone: None => quantal-updates

** Attachment added: "Abbreviated diff"
   https://bugs.launchpad.net/ubuntu/+source/opendkim/+bug/1071139/+attachment/3415118/+files/patch2.6.7-2.6.8

** Also affects: precise-backports
   Importance: Undecided
       Status: New

** Also affects: lucid-backports
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Mail Server, which is subscribed to opendkim in Ubuntu.
https://bugs.launchpad.net/bugs/1071139

Title:
  DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey
  message trust

Status in Lucid Backports:
  New
Status in Precise Backports:
  In Progress
Status in “opendkim” package in Ubuntu:
  Fix Committed
Status in “opendkim” source package in Lucid:
  New
Status in “opendkim” source package in Natty:
  New
Status in “opendkim” source package in Oneiric:
  New
Status in “opendkim” source package in Precise:
  New
Status in “opendkim” source package in Quantal:
  In Progress
Status in “opendkim” source package in Raring:
  Fix Committed
Status in “opendkim” package in Debian:
  Fix Released

Bug description:
  See http://www.kb.cert.org/vuls/id/268267, VU#268267

  opendkim in squeeze, wheezy, sid offers no method to prevent use of keys
  less than 1024 bits.  This is added in the new upstream release, 2.6.8, that
  was released just for this issue.

  [IMPACT]

   * DKIM verifiers using opendkim will use insecure keys to produce
  valid results.

  [TESTCASE]

   * The new functionality to limit key sizes is not easy to test, but is covered by
     additions to the test suite.

   * In order to verify this package, it needs to be installed and tested that it
     generally works as before.

   * Because of the specialized nature of this package, it's not possible to produce
     a test case that just anyone can verify.

  [Regression Potential]

   * Regression potential is very small as the only code changes in this release are 
     the changes to resolve this issue.

  [Other Info]

   * Almost all of the diff is tool related noise.  I've attached the non-noise part
     of the diff to this bug for reference.  I think it's lower risk to just update
     to the new release to match what upstream is doing since there are no other 
     changes in this release.
   
   * The security team has reviewed this bug and said it should go via SRU and not in
     -security since it causes a config file change.

To manage notifications about this bug go to:
https://bugs.launchpad.net/lucid-backports/+bug/1071139/+subscriptions

References

[Bug 1071139] [NEW] DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust
From: Scott Kitterman, 2012-10-25