ubuntu-mail-server team mailing list archive
Message #00109
[Bug 1170896] Re: SRU Security and Debian Wheezy Fixes for Precise
This bug was fixed in the package opendkim - 2.6.8-0ubuntu1.0.1
---------------
opendkim (2.6.8-0ubuntu1.0.1) precise-proposed; urgency=low

  * New upstream security release to add capability to exclude use of
    insecure keys (Closes: #691394, LP: #1071139)
    - Fix bug #SF3539449: Clarify legal "Socket" values. Requested by Scott
      Kitterman.
    - Fix bug #SF3539493: Handle certain cases of data set names that appear
      to be comma-separated lists which include IPv6 addresses. Reported by
      Scott Kitterman. (Closes: #679548)
    - Rename libopendkim6 to libopendkim7 to match new soname
    - Update package and dependencies in debian/control
    - Rename .install and .doc files
    - Drop --enable-xtags from configure in debian/rules since it is now on by
      default
    - Update debian/copyright
    - Remove dversionmangle from debian/watch
    - Update README.Debian to reflect documentation no longer being stripped
  * Update 2.6.8 in Precise to match Debian Wheezy and Quantal (LP: #1170896)
  * Backport fix from upstream to log the correct message selector
    (Closes: #695145) (fix was included as part of the just released 2.7.4)
  * Add missing depends on openssl to opendkim-tools so opendkim-genkey will
    work (Closes: #693188)
  * Drop obsolete configure option enable-selector_header
  * Use restorecon to apply a SE Linux label after creating a run dir
    (Closes: #679852)
  * Use CFLAGS, CPPFLAGS, and LDFLAGS from dpkg-buildflags
  * Split opendkim into opendkim and opendkim-tools since the command line
    support tools are now bigger than the application
  * Add status option to /etc/init.d/opendkim
    - Add depends on lsb-base
  * Add Description to /etc/init.d/opendkim header
  * Enable Vouch By Reference support:
    - Add --enable-vbr in debian/rules
    - Update libopendkim install files to be more specific and not install
      libvbr related files
    - Add libvbr2 and libvbr-dev to debian/control
    - Add debian/libvbr2.docs, libvbr2.install, and libvbr-dev.install
  * Enable extensions for adding arbitrary experimental signature tags and
    values in libopendkim (needed for ATPS support)
    - Add --enable-xtags in debian/rules
  * Enable support for RFC 6541 DKIM Authorized Third-Party Signatures (ATPS)
    - Add --enable-atps in debian/rules
  * Enable support for optional oversigning of header fields to prevent
    malicious parties from adding additional instances of the field
    - Add --enable-oversign to debian/rules
    - Modify debian/opendkim.conf to use OversignHeaders for From by default
  * Add required build-arch and build-indep targets to debian/rules
  * Added new opendkim.NEWS entry to describe changed defaults with this
    revision
  * Update debian/copyright (Closes: #664132)
  * Add debian/watch
  * Remove unneeded shlibs:Depends for libdkim-dev

 -- Scott Kitterman <scott@xxxxxxxxxxxxx>  Sun, 28 Apr 2013 12:02:43 -0400
** Changed in: opendkim (Ubuntu Precise)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Mail Server, which is subscribed to opendkim in Ubuntu.
https://bugs.launchpad.net/bugs/1170896
Title:
SRU Security and Debian Wheezy Fixes for Precise
Status in “opendkim” package in Ubuntu:
Fix Released
Status in “opendkim” source package in Precise:
Fix Released
Status in “opendkim” source package in Quantal:
Fix Released
Bug description:
Updated for proposed precise SRU.
This is a very unconventional SRU, but I think it should be accepted.
Why:
1. There is an outstanding security issue in the 2.5 series that
precise shipped with that was fixed in 2.6.8. See bug #1071139 for
details. This is important for two reasons: users of precise who do not
install from backports will be verifying messages with no indication
they are using insecure keys (this is the security bug).
Additionally, they may be signing messages with keys that are now
generally considered insecure and their signatures are being ignored
by corrected implementations that will not verify messages signed with
keys shorter than 1024 bits. I did try to extract this change from
2.6.8 and backport it to 2.5.2, but could not get it to work, so the
only reasonable way to solve this is to update to 2.6.8.
2. Currently (after the SRU that was just moved to quantal-updates),
Debian Wheezy and Ubuntu Quantal have identical opendkim packages. I
would like to extend that to Precise since it's LTS and will be around
for Wheezy's lifetime. That way any maintenance issues can be jointly
addressed in both distros off of a common code base.
See the regression risk section for discussions about what's changed
and why I think it's OK.
[Impact]
* In addition to the issues discussed above, there are a large number
of bug fixes that should make the new package more reliable.
[Test Case]
* Install the updated package and verify correct operation.
[Regression Potential]
* Small - I have run essentially this exact same package via
backports in production on precise since November of last year without
issues. I've had no reports from anyone else about problems with it
either. I believe if 2.6.8 on precise were an issue, I'd have either
seen it or heard about it by now.
[Other Info]
* This will hit binary New. That's unavoidable since upstream bumps
soname with every major release. There are no external rdepends, so
no other packages are affected.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opendkim/+bug/1170896/+subscriptions
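The security issue in point 1 of the bug description (and bug #1071139) is that a verifier accepts signatures made with RSA keys shorter than 1024 bits. The following is an added example, not part of this bug report or of the opendkim code, showing how an operator can audit a published DKIM selector TXT record for that condition: it parses the record, decodes the p= key with a minimal standard-library DER reader, and compares the modulus size against a 1024-bit minimum. The records and moduli are constructed for the example (not real keys), and the function names and the 1024-bit default are assumptions of the example, not opendkim's API.

```python
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value):  # (bit_length + 8) // 8 adds a leading 0x00 exactly when the high bit is set
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def rsa_spki(n, e=65537):
    """DER SubjectPublicKeyInfo for an RSA key; used here only to build the constructed sample records."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsa_key))

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return the modulus size in bits."""
    tag, body, _ = _tlv(spki, 0)
    _, alg, pos = _tlv(body, 0)
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bitstr, _ = _tlv(body, pos)  # first BIT STRING byte is the unused-bit count
    _, rsa_key, _ = _tlv(bitstr[1:], 0)
    _, n_bytes, _ = _tlv(rsa_key, 0)  # first INTEGER of RSAPublicKey is the modulus n
    return int.from_bytes(n_bytes, "big").bit_length()

def check_dkim_key(txt, minimum_key_bits=1024):
    """Return (modulus_bits, acceptable) for a DKIM selector TXT record; 0 bits means revoked key."""
    fields = (f.split("=", 1) for f in txt.split(";") if "=" in f)
    tags = {k.strip(): re.sub(r"\s+", "", v) for k, v in fields}  # whitespace inside p= is legal
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type: " + tags["k"])
    if tags.get("p", "") == "":
        return 0, False  # empty p= means the key has been revoked (RFC 6376 section 3.6.1)
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return bits, bits >= minimum_key_bits

# Constructed sample records: the moduli have the right size but are not real RSA keys.
WEAK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 511) | 1)).decode()
OK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 2047) | 1)).decode()
```

Running `check_dkim_key` over the TXT records of your own selectors flags keys a corrected verifier will reject, which is the signer-side half of the problem the description raises.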