ubuntu-mail-server team mailing list archive

Thread
Date

[Bug 1071139] Re: DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust

To: ubuntu-mail-server@xxxxxxxxxxxxxxxxxxx
From: Scott Kitterman <ubuntu@xxxxxxxxxxxxx>
Date: Thu, 16 May 2013 05:20:20 -0000
Reply-to: Bug 1071139 <1071139@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Mail Server, which is subscribed to opendkim in Ubuntu.
https://bugs.launchpad.net/bugs/1071139

Title:
  DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey
  message trust

Status in Lucid Backports:
  Fix Released
Status in Precise Backports:
  Fix Released
Status in “opendkim” package in Ubuntu:
  Fix Released
Status in “opendkim” source package in Lucid:
  New
Status in “opendkim” source package in Natty:
  New
Status in “opendkim” source package in Oneiric:
  New
Status in “opendkim” source package in Precise:
  Fix Committed
Status in “opendkim” source package in Quantal:
  Fix Released
Status in “opendkim” source package in Raring:
  Fix Released
Status in “opendkim” package in Debian:
  Fix Released

Bug description:
  See http://www.kb.cert.org/vuls/id/268267, VU#268267

  opendkim in squeeze, wheezy, sid offers no method to prevent use of keys
  less than 1024 bits.  This is added in the new upstream release, 2.6.8, that
  was released just for this issue.

  [IMPACT]

   * DKIM verifiers using opendkim will use insecure keys to produce
  valid results.

  [TESTCASE]

   * The new functionality to limit key sizes is not easy to test, but is covered by
     additions to the test suite.

   * In order to verify this package, it needs to be installed and tested that it
     generally works as before.

   * Because of the specialized nature of this package, it's not possible to produce
     a test case that just anyone can verify.

  [Regression Potential]

   * Regression potential is very small as the only code changes in this release are 
     the changes to resolve this issue.

  [Other Info]

   * Almost all of the diff is tool related noise.  I've attached the non-noise part
     of the diff to this bug for reference.  I think it's lower risk to just update
     to the new release to match what upstream is doing since there are no other 
     changes in this release.
   
   * The security team has reviewed this bug and said it should go via SRU and not in
     -security since it causes a config file change.

To manage notifications about this bug go to:
https://bugs.launchpad.net/lucid-backports/+bug/1071139/+subscriptions

References

[Bug 1071139] [NEW] DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust
From: Scott Kitterman, 2012-10-25