
ubuntu-mail-server team mailing list archive

[Bug 1170896] Re: SRU Debian Wheezy Fixes for Quantal

 

Uploaded for precise now.

** Description changed:

- There are a few fixes that were accepted by the Debian release team for
- Wheezy that should get into Quantal as well (all already fixed in
- Raring):
+ Updated for proposed precise SRU.
  
-   * Backport fix from upstream to log the correct message selector
-     (Closes: #695145) (fix was included as part of the just released 2.7.4)
-   * Add missing depends on openssl to opendkim-tools so opendkim-genkey will
-     work (Closes: #693188)
+ This is a very unconventional SRU, but I think it should be accepted.
+ 
+ Why:
+ 
+ 1.  There is an outstanding security issue in the 2.5 series that
+ precise shipped with that was fixed in 2.6.8.See #1071139 for details.
+ This important for two reasons, users of precise who do not install from
+ backports will be verifying messages with no indication they are using
+ insecure keys (this is the security bug).  Additionally, they may be
+ signing messages with keys that are now generally considered insecure
+ and their signatures are being ignored by corrected implementations that
+ will not verify messages signed with keys shorter than 1024 bits.  I did
+ try to extract this change from 2.6.8 and backport it to 2.5.2, but
+ could not get it to work, so the only reasonable way to solve this is to
+ update to 2.6.8.
+ 
+ 2.  Currently (after the SRU that was just moved to quantal-updates),
+ Debian Wheezy and Ubuntu Quantal have identical opendkim packages.  I
+ would like to extend that to Precise since it's LTS and will be around
+ for Wheezy's lifetime.  That way any maintenance issues can be jointly
+ addressed in both distros off of a common code base.
+ 
+ See the regression risk section for discussions about what's changed and
+ why I think it's OK.
  
  [Impact]
  
-  * The message selector logging bug makes it very difficult to troubleshoot some types of configuration issues.
-  * The opendkim-genkey dependency issue  makes it impossible to set up the package if openssl is not installed.
+  * In addition to the issues discussed above, there are a large number
+ of bug fixes that should make the new package more reliable.
  
  [Test Case]
  
-  * Examine your opendkim logs and see that the correct selector is logged.
-  * Check that opendkim-tools pull in openssl on installation
+  * Install the updated package and verify correct operation.
  
  [Regression Potential]
  
-  * Nil.
+  * Small - I have run essentially this exact same package via backports
+ in production on precise since November of last year without issues.
+ I've had no reports from anyone else about problems with it either.  I
+ believe if 2.6.8 on precise were an issue, I'd have either seen it or
+ heard about it by now.
  
  [Other Info]
-  
-  * These fixes are both in Wheezy and it would be nice to have a common version to support.
+ 
+  * This will hit binary New.  That's unavoidable since upstream bumps
+ soname with every major release.  There are no external rdepends, so no
+ other packages are affected.

** Tags removed: verification-done

** Changed in: opendkim (Ubuntu Precise)
       Status: New => In Progress

** Description changed:

  Updated for proposed precise SRU.
  
  This is a very unconventional SRU, but I think it should be accepted.
  
  Why:
  
  1.  There is an outstanding security issue in the 2.5 series that
- precise shipped with that was fixed in 2.6.8.See #1071139 for details.
- This important for two reasons, users of precise who do not install from
- backports will be verifying messages with no indication they are using
- insecure keys (this is the security bug).  Additionally, they may be
- signing messages with keys that are now generally considered insecure
- and their signatures are being ignored by corrected implementations that
- will not verify messages signed with keys shorter than 1024 bits.  I did
- try to extract this change from 2.6.8 and backport it to 2.5.2, but
- could not get it to work, so the only reasonable way to solve this is to
- update to 2.6.8.
+ precise shipped with that was fixed in 2.6.8.See bug #1071139 for
+ details.  This important for two reasons, users of precise who do not
+ install from backports will be verifying messages with no indication
+ they are using insecure keys (this is the security bug).  Additionally,
+ they may be signing messages with keys that are now generally considered
+ insecure and their signatures are being ignored by corrected
+ implementations that will not verify messages signed with keys shorter
+ than 1024 bits.  I did try to extract this change from 2.6.8 and
+ backport it to 2.5.2, but could not get it to work, so the only
+ reasonable way to solve this is to update to 2.6.8.
  
  2.  Currently (after the SRU that was just moved to quantal-updates),
  Debian Wheezy and Ubuntu Quantal have identical opendkim packages.  I
  would like to extend that to Precise since it's LTS and will be around
  for Wheezy's lifetime.  That way any maintenance issues can be jointly
  addressed in both distros off of a common code base.
  
  See the regression risk section for discussions about what's changed and
  why I think it's OK.
  
  [Impact]
  
-  * In addition to the issues discussed above, there are a large number
+  * In addition to the issues discussed above, there are a large number
  of bug fixes that should make the new package more reliable.
  
  [Test Case]
  
   * Install the updated package and verify correct operation.
  
  [Regression Potential]
  
   * Small - I have run essentially this exact same package via backports
  in production on precise since November of last year without issues.
  I've had no reports from anyone else about problems with it either.  I
  believe if 2.6.8 on precise were an issue, I'd have either seen it or
  heard about it by now.
  
  [Other Info]
  
   * This will hit binary New.  That's unavoidable since upstream bumps
  soname with every major release.  There are no external rdepends, so no
  other packages are affected.

** Summary changed:

- SRU Debian Wheezy Fixes for Quantal
+ SRU Security and Debian Wheezy Fixes for Precise

-- 
You received this bug notification because you are a member of Ubuntu
Mail Server, which is subscribed to opendkim in Ubuntu.
https://bugs.launchpad.net/bugs/1170896

Title:
  SRU Security and Debian Wheezy Fixes for Precise

Status in “opendkim” package in Ubuntu:
  Fix Released
Status in “opendkim” source package in Precise:
  In Progress
Status in “opendkim” source package in Quantal:
  Fix Released

Bug description:
  Updated for proposed precise SRU.

  This is a very unconventional SRU, but I think it should be accepted.

  Why:

  1.  There is an outstanding security issue in the 2.5 series that
  precise shipped with that was fixed in 2.6.8.  See bug #1071139 for
  details.  This is important for two reasons: users of precise who do
  not install from backports will be verifying messages with no
  indication they are using insecure keys (this is the security bug).
  Additionally, they may be signing messages with keys that are now
  generally considered insecure and their signatures are being ignored
  by corrected implementations that will not verify messages signed with
  keys shorter than 1024 bits.  I did try to extract this change from
  2.6.8 and backport it to 2.5.2, but could not get it to work, so the
  only reasonable way to solve this is to update to 2.6.8.

  2.  Currently (after the SRU that was just moved to quantal-updates),
  Debian Wheezy and Ubuntu Quantal have identical opendkim packages.  I
  would like to extend that to Precise since it's LTS and will be around
  for Wheezy's lifetime.  That way any maintenance issues can be jointly
  addressed in both distros off of a common code base.

  See the regression risk section for discussions about what's changed
  and why I think it's OK.

  [Impact]

   * In addition to the issues discussed above, there are a large number
  of bug fixes that should make the new package more reliable.

  [Test Case]

   * Install the updated package and verify correct operation.

  [Regression Potential]

   * Small - I have run essentially this exact same package via
  backports in production on precise since November of last year without
  issues.  I've had no reports from anyone else about problems with it
  either.  I believe if 2.6.8 on precise were an issue, I'd have either
  seen it or heard about it by now.

  [Other Info]

   * This will hit binary New.  That's unavoidable since upstream bumps
  soname with every major release.  There are no external rdepends, so
  no other packages are affected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opendkim/+bug/1170896/+subscriptions
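The security issue in point 1 of the description is a verifier that accepts signatures made with RSA keys shorter than 1024 bits and gives no indication of it. The following is an added example, not code from this bug, from OpenDKIM or from the Debian/Ubuntu packages: it parses a DKIM key record of the form "v=DKIM1; k=rsa; p=...", decodes the base64 SubjectPublicKeyInfo with a small DER reader, and reports the RSA modulus size against a 1024-bit floor (the threshold the bug text cites). The sample records are constructed inline from made-up moduli (not real RSA keys; only their bit lengths matter for the check), and the function names and return-value conventions are this example's own.

```python
import base64

# rsaEncryption OID 1.2.840.113549.1.1.1, DER-encoded (tag 0x06, length 9)
RSA_OID = bytes.fromhex("06092a864886f70d010101")

# --- minimal DER helpers (enough for the SubjectPublicKeyInfo of an RSA key) ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:          # keep the INTEGER positive
        b = b"\x00" + b
    return _tlv(0x02, b)

def _read_tlv(buf, pos):
    tag, pos = buf[pos], pos + 1
    ln, pos = buf[pos], pos + 1
    if ln & 0x80:            # long-form length
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def spki_from_modulus(n, e=65537):
    """Build a DER SubjectPublicKeyInfo for an RSA public key (n, e)."""
    rsa_pub = _tlv(0x30, _der_int(n) + _der_int(e))          # RSAPublicKey
    alg = _tlv(0x30, RSA_OID + b"\x05\x00")                   # AlgorithmIdentifier
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))   # SubjectPublicKeyInfo

def rsa_modulus_bits(spki):
    """Return the modulus size in bits of a DER SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg, pos = _read_tlv(body, 0)
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("key algorithm is not rsaEncryption")
    tag, bitstr, _ = _read_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    _, seq, _ = _read_tlv(bitstr[1:], 0)      # skip the unused-bits octet
    tag, n_bytes, _ = _read_tlv(seq, 0)       # first INTEGER is the modulus
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(n_bytes, "big").bit_length()

# --- DKIM key record handling (RFC 6376 tag=value syntax) ---

def parse_dkim_record(txt):
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def check_dkim_key(txt, min_bits=1024):
    """Classify a DKIM key record as (status, modulus_bits).

    status is one of 'ok', 'too-short', 'revoked', 'unsupported', 'invalid'.
    """
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ("invalid", 0)
    if tags.get("k", "rsa").lower() != "rsa":
        return ("unsupported", 0)
    p = "".join(tags.get("p", "").split())   # p= may be folded across TXT strings
    if not p:
        return ("revoked", 0)                # empty p= means the key is revoked
    bits = rsa_modulus_bits(base64.b64decode(p))
    return ("ok" if bits >= min_bits else "too-short", bits)

# Constructed sample records (not real keys; only the modulus length matters here)
def make_record(n):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_from_modulus(n)).decode()

SAMPLE_RECORDS = {
    "weak-512": make_record((1 << 511) | 1),
    "ok-1024":  make_record((1 << 1023) | 1),
    "ok-2048":  make_record((1 << 2047) | 1),
    "revoked":  "v=DKIM1; k=rsa; p=",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name:9s} -> {check_dkim_key(rec)}")
```

To check a real deployment, fetch the TXT record for `<selector>._domainkey.<domain>` (for example with `dig +short TXT`), join the quoted strings, and pass the result to `check_dkim_key`; a "too-short" result is exactly the key that a fixed verifier will reject and that an unfixed 2.5-series verifier would accept silently.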