ubuntu-mail-server team mailing list archive

[Adam Conrad <adconrad@xxxxxxx>]

Hello Scott, or anyone else affected,

Accepted opendkim into precise-proposed. The package will build now and
be available at
http://launchpad.net/ubuntu/+source/opendkim/2.6.8-0ubuntu1.0.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: opendkim (Ubuntu Precise)
       Status: In Progress => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Mail Server, which is subscribed to opendkim in Ubuntu.
https://bugs.launchpad.net/bugs/1170896

Title:
  SRU Security and Debian Wheezy Fixes for Precise

Status in “opendkim” package in Ubuntu:
  Fix Released
Status in “opendkim” source package in Precise:
  Fix Committed
Status in “opendkim” source package in Quantal:
  Fix Released

Bug description:
  Updated for proposed precise SRU.

  This is a very unconventional SRU, but I think it should be accepted.

  Why:

  1.  There is an outstanding security issue in the 2.5 series that
  precise shipped with that was fixed in 2.6.8.See bug #1071139 for
  details.  This important for two reasons, users of precise who do not
  install from backports will be verifying messages with no indication
  they are using insecure keys (this is the security bug).
  Additionally, they may be signing messages with keys that are now
  generally considered insecure and their signatures are being ignored
  by corrected implementations that will not verify messages signed with
  keys shorter than 1024 bits.  I did try to extract this change from
  2.6.8 and backport it to 2.5.2, but could not get it to work, so the
  only reasonable way to solve this is to update to 2.6.8.

  2.  Currently (after the SRU that was just moved to quantal-updates),
  Debian Wheezy and Ubuntu Quantal have identical opendkim packages.  I
  would like to extend that to Precise since it's LTS and will be around
  for Wheezy's lifetime.  That way any maintenance issues can be jointly
  addressed in both distros off of a common code base.

  See the regression risk section for discussions about what's changed
  and why I think it's OK.

  [Impact]

   * In addition to the issues discussed above, there are a large number
  of bug fixes that should make the new package more reliable.

  [Test Case]

   * Install the updated package and verify correct operation.

  [Regression Potential]

   * Small - I have run essentially this exact same package via
  backports in production on precise since November of last year without
  issues.  I've had no reports from anyone else about problems with it
  either.  I believe if 2.6.8 on precise were an issue, I'd have either
  seen it or heard about it by now.

  [Other Info]

   * This will hit binary New.  That's unavoidable since upstream bumps
  soname with every major release.  There are no external rdepends, so
  no other packages are affected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opendkim/+bug/1170896/+subscriptions