ubuntu-mail-server team mailing list archive

Thread
Date

Re: [Bug 1071139] Re: DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust

To: ubuntu-mail-server@xxxxxxxxxxxxxxxxxxx
From: Scott Kitterman <ubuntu@xxxxxxxxxxxxx>
Date: Thu, 08 Nov 2012 03:32:53 -0000
Reply-to: Bug 1071139 <1071139@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

On Wednesday, November 07, 2012 10:26:23 PM you wrote:
> Since this is a fairly thorny issue, and a large patch to solve it,
> verification needs to include extensive documentation of what testing
> was done.

Almost all the patch was tool noise, so it's pretty low risk.  There isn't a 
good way to verify the key length checks are doing precisely what they are 
supposed to, but be can validate no regressions.  I'm in contact with upstream 
and they've had no reports of issues, so I'm confident the upstream changes 
work.

-- 
You received this bug notification because you are a member of Ubuntu
Mail Server, which is subscribed to opendkim in Ubuntu.
https://bugs.launchpad.net/bugs/1071139

Title:
  DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey
  message trust

Status in Lucid Backports:
  In Progress
Status in Precise Backports:
  In Progress
Status in “opendkim” package in Ubuntu:
  Fix Released
Status in “opendkim” source package in Lucid:
  New
Status in “opendkim” source package in Natty:
  New
Status in “opendkim” source package in Oneiric:
  New
Status in “opendkim” source package in Precise:
  New
Status in “opendkim” source package in Quantal:
  Fix Committed
Status in “opendkim” source package in Raring:
  Fix Released
Status in “opendkim” package in Debian:
  Fix Released

Bug description:
  See http://www.kb.cert.org/vuls/id/268267, VU#268267

  opendkim in squeeze, wheezy, sid offers no method to prevent use of keys
  less than 1024 bits.  This is added in the new upstream release, 2.6.8, that
  was released just for this issue.

  [IMPACT]

   * DKIM verifiers using opendkim will use insecure keys to produce
  valid results.

  [TESTCASE]

   * The new functionality to limit key sizes is not easy to test, but is covered by
     additions to the test suite.

   * In order to verify this package, it needs to be installed and tested that it
     generally works as before.

   * Because of the specialized nature of this package, it's not possible to produce
     a test case that just anyone can verify.

  [Regression Potential]

   * Regression potential is very small as the only code changes in this release are 
     the changes to resolve this issue.

  [Other Info]

   * Almost all of the diff is tool related noise.  I've attached the non-noise part
     of the diff to this bug for reference.  I think it's lower risk to just update
     to the new release to match what upstream is doing since there are no other 
     changes in this release.
   
   * The security team has reviewed this bug and said it should go via SRU and not in
     -security since it causes a config file change.

To manage notifications about this bug go to:
https://bugs.launchpad.net/lucid-backports/+bug/1071139/+subscriptions

References

[Bug 1071139] [NEW] DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust
From: Scott Kitterman, 2012-10-25
[Bug 1071139] Re: DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust
From: Clint Byrum, 2012-11-07