ubuntu-mail-server team mailing list archive

Thread
Date

[Bug 1170896] Re: SRU Security and Debian Wheezy Fixes for Precise

To: ubuntu-mail-server@xxxxxxxxxxxxxxxxxxx
From: Scott Kitterman <ubuntu@xxxxxxxxxxxxx>
Date: Tue, 14 May 2013 10:52:42 -0000
Reply-to: Bug 1170896 <1170896@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Installed the updated package and verified both proper signing and
signature verification.

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Mail Server, which is subscribed to opendkim in Ubuntu.
https://bugs.launchpad.net/bugs/1170896

Title:
  SRU Security and Debian Wheezy Fixes for Precise

Status in “opendkim” package in Ubuntu:
  Fix Released
Status in “opendkim” source package in Precise:
  Fix Committed
Status in “opendkim” source package in Quantal:
  Fix Released

Bug description:
  Updated for proposed precise SRU.

  This is a very unconventional SRU, but I think it should be accepted.

  Why:

  1.  There is an outstanding security issue in the 2.5 series that
  precise shipped with that was fixed in 2.6.8.See bug #1071139 for
  details.  This important for two reasons, users of precise who do not
  install from backports will be verifying messages with no indication
  they are using insecure keys (this is the security bug).
  Additionally, they may be signing messages with keys that are now
  generally considered insecure and their signatures are being ignored
  by corrected implementations that will not verify messages signed with
  keys shorter than 1024 bits.  I did try to extract this change from
  2.6.8 and backport it to 2.5.2, but could not get it to work, so the
  only reasonable way to solve this is to update to 2.6.8.

  2.  Currently (after the SRU that was just moved to quantal-updates),
  Debian Wheezy and Ubuntu Quantal have identical opendkim packages.  I
  would like to extend that to Precise since it's LTS and will be around
  for Wheezy's lifetime.  That way any maintenance issues can be jointly
  addressed in both distros off of a common code base.

  See the regression risk section for discussions about what's changed
  and why I think it's OK.

  [Impact]

   * In addition to the issues discussed above, there are a large number
  of bug fixes that should make the new package more reliable.

  [Test Case]

   * Install the updated package and verify correct operation.

  [Regression Potential]

   * Small - I have run essentially this exact same package via
  backports in production on precise since November of last year without
  issues.  I've had no reports from anyone else about problems with it
  either.  I believe if 2.6.8 on precise were an issue, I'd have either
  seen it or heard about it by now.

  [Other Info]

   * This will hit binary New.  That's unavoidable since upstream bumps
  soname with every major release.  There are no external rdepends, so
  no other packages are affected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opendkim/+bug/1170896/+subscriptions

References

[Bug 1170896] [NEW] SRU Debian Wheezy Fixes for Quantal
From: Scott Kitterman, 2013-04-20