ubuntu-mail-server team mailing list archive

[Bug 1071139] Re: DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust

Hello Scott, or anyone else affected,

Accepted opendkim into precise-proposed. The package will build now and
be available at
http://launchpad.net/ubuntu/+source/opendkim/2.6.8-0ubuntu1.0.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to
enable and use -proposed.  Your feedback will aid us in getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: opendkim (Ubuntu Precise)
       Status: New => Fix Committed

** Tags removed: verification-done

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Mail Server, which is subscribed to opendkim in Ubuntu.
https://bugs.launchpad.net/bugs/1071139

Title:
  DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey
  message trust

Status in Lucid Backports:
  Fix Released
Status in Precise Backports:
  Fix Released
Status in “opendkim” package in Ubuntu:
  Fix Released
Status in “opendkim” source package in Lucid:
  New
Status in “opendkim” source package in Natty:
  New
Status in “opendkim” source package in Oneiric:
  New
Status in “opendkim” source package in Precise:
  Fix Committed
Status in “opendkim” source package in Quantal:
  Fix Released
Status in “opendkim” source package in Raring:
  Fix Released
Status in “opendkim” package in Debian:
  Fix Released

Bug description:
  See http://www.kb.cert.org/vuls/id/268267, VU#268267

  opendkim in squeeze, wheezy, sid offers no method to prevent use of keys
  less than 1024 bits.  This is added in the new upstream release, 2.6.8, that
  was released just for this issue.

  [IMPACT]

   * DKIM verifiers using opendkim will use insecure keys to produce
  valid results.

  [TESTCASE]

   * The new functionality to limit key sizes is not easy to test, but is covered by
     additions to the test suite.

   * In order to verify this package, it needs to be installed and tested to confirm
     that it generally works as before.

   * Because of the specialized nature of this package, it's not possible to produce
     a test case that just anyone can verify.

  [Regression Potential]

   * Regression potential is very small as the only code changes in this release are 
     the changes to resolve this issue.

  [Other Info]

   * Almost all of the diff is tool related noise.  I've attached the non-noise part
     of the diff to this bug for reference.  I think it's lower risk to just update
     to the new release to match what upstream is doing since there are no other 
     changes in this release.
   
   * The security team has reviewed this bug and said it should go via SRU and not in
     -security since it causes a config file change.
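The fix this bug tracks is a verifier refusing to treat a signature from a short RSA key as valid. The following is an added example, not opendkim's code or the diff attached to the bug: it parses the p= tag of a DKIM key record, walks the DER SubjectPublicKeyInfo to find the modulus size, and rejects keys below a configurable minimum (1024 bits by default, matching the threshold named in the description). The fake_record helper fabricates records around constructed moduli that are not real RSA key pairs, purely so the example runs offline.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption OID, DER encoded

def _der(tag, body):  # minimal DER TLV encoder, only needed to fabricate test keys
    n = len(body)
    if n >= 0x80:  # long-form length
        nb = (n.bit_length() + 7) // 8
        return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body
    return bytes([tag, n]) + body

def fake_record(modulus, exponent=65537):
    """Constructed DKIM TXT record around a test modulus (not a real RSA key pair)."""
    ints = b"".join(_der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (modulus, exponent))
    spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + _der(0x30, ints)))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def _tlv(buf, pos=0):  # decode one DER TLV at buf[pos] -> (tag, body, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and size the modulus."""
    _, spki, _ = _tlv(spki_der)
    _, alg, pos = _tlv(spki)
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _tlv(spki, pos)
    _, rsa_pub, _ = _tlv(bitstr, 1)  # byte 0 of a BIT STRING is the unused-bits count
    _, modulus, _ = _tlv(rsa_pub)
    return int.from_bytes(modulus, "big").bit_length()

def parse_dkim_record(txt):
    """Split a DKIM key record (RFC 6376 section 3.6.1) into tag=value pairs."""
    pairs = (f.split("=", 1) for f in txt.split(";") if "=" in f)
    return {k.strip(): "".join(v.split()) for k, v in pairs}  # whitespace inside p= is ignored

def key_acceptable(txt, min_bits=1024):
    """Decide whether a verifier may trust a signature made with this key."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return False, "unsupported key type or revoked key (empty p=)"
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < min_bits:
        return False, f"{bits}-bit key is below the {min_bits}-bit minimum"
    return True, f"{bits}-bit key"
```

A real verifier runs this check on the record fetched from DNS before the signature is even evaluated, so a short key yields a failed or neutral result rather than a pass.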

To manage notifications about this bug go to:
https://bugs.launchpad.net/lucid-backports/+bug/1071139/+subscriptions