ubuntu-mail-server team mailing list archive

Thread
Date
[Bug 1071139] Re: DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust

To: ubuntu-mail-server@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1071139@xxxxxxxxxxxxxxxxxx>
Date: Wed, 22 May 2013 02:31:30 -0000
Reply-to: Bug 1071139 <1071139@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package opendkim - 2.6.8-0ubuntu1.0.1

---------------
opendkim (2.6.8-0ubuntu1.0.1) precise-proposed; urgency=low

  * New upstream security release to add capability to exclude use of
    insecure keys (Closes: #691394, LP: #1071139)
    - Fix bug #SF3539449: Clarify legal "Socket" values.  Requested by Scott
      Kitterman.
    - Fix bug #SF3539493: Handle certain cases of data set names that appear
      to be comma-separated lists which include IPv6 addresses.  Reported by
      Scott Kitterman. (Closes: #679548)
    - Rename libopendkim6 to libopendkim7 to match new soname
      - Update package and dependencies in debian/control
      - Rename .install and .doc files
    - Drop --enable-xtags from configure in debian/rules since it is now on by
      default
    - Update debian/copyright
    - Remove dversionmangle from debian/watch
    - Update README.Debian to reflect documentation no longer being stripped
  * Update 2.6.8 in Precise to match Debian Wheezy and Quantal (LP: #1170896)
  * Backport fix from upstream to log the correct message selector
    (Closes: #695145) (fix was included as part of the just released 2.7.4)
  * Add missing depends on openssl to opendkim-tools so opendkim-genkey will
    work (Closes: #693188)
  * Drop obsolete configure option enable-selector_header
  * Use restorecon to apply a SE Linux label after creating a run dir
    (Closes: #679852)
  * Use CFLAGS, CPPFLAGS, and LDFLAGS from dpkg-buildflags
  * Split opendkim into opendkim and opendkim-tools since the command line
    support tools are now bigger than the application
  * Add status option to /etc/init.d/opendkim
    - Add depends on lsb-base
  * Add Description to /etc/init.d/opendkim header
  * Enable Vouch By Reference support:
    - Add --enable-vbr in debian/rules
    - Update libopendkim install files to be more specific and not install
      libvbr related files
    - Add libvbr2 and libvbr-dev to debian/control
    - Add debian/libvbr2.docs, libvbr2.install, and libvbr-dev.install
  * Enable extensions for adding arbitrary experimental signature tags and
    values in libopendkim (neeeded for ATPS support)
    - Add --enable-xtags in debian/rules
  * Enable support for RFC 6541 DKIM Authorized Third-Party Signatures (ATPS)
    - Add --enable-atps in debian/rules
  * Enable support for optional oversigning of header fields to prevent
    malicious parties from adding additional instances of the field
    - Add --enable-oversign to debian/rules
    - Modify debian/opendkim.conf to use OversignHeaders for From by default
  * Add required build-arch and build-indep targets to debian/rules
  * Added new opendkim.NEWS entry to describe changed defaults with this
    revision
  * Update debian/copyright (Closes: #664132)
  * Add debian/watch
  * Remove unneeded shlibs:Depends for libdkim-dev
 -- Scott Kitterman <scott@xxxxxxxxxxxxx>   Sun, 28 Apr 2013 12:02:43 -0400

** Changed in: opendkim (Ubuntu Precise)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Mail Server, which is subscribed to opendkim in Ubuntu.
https://bugs.launchpad.net/bugs/1071139

Title:
  DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey
  message trust

Status in Lucid Backports:
  Fix Released
Status in Precise Backports:
  Fix Released
Status in “opendkim” package in Ubuntu:
  Fix Released
Status in “opendkim” source package in Lucid:
  New
Status in “opendkim” source package in Natty:
  New
Status in “opendkim” source package in Oneiric:
  New
Status in “opendkim” source package in Precise:
  Fix Released
Status in “opendkim” source package in Quantal:
  Fix Released
Status in “opendkim” source package in Raring:
  Fix Released
Status in “opendkim” package in Debian:
  Fix Released

Bug description:
  See http://www.kb.cert.org/vuls/id/268267, VU#268267

  opendkim in squeeze, wheezy, sid offers no method to prevent use of keys
  less than 1024 bits.  This is added in the new upstream release, 2.6.8, that
  was released just for this issue.

  [IMPACT]

   * DKIM verifiers using opendkim will use insecure keys to produce
  valid results.

  [TESTCASE]

   * The new functionality to limit key sizes is not easy to test, but is covered by
     additions to the test suite.

   * In order to verify this package, it needs to be installed and tested that it
     generally works as before.

   * Because of the specialized nature of this package, it's not possible to produce
     a test case that just anyone can verify.

  [Regression Potential]

   * Regression potential is very small as the only code changes in this release are 
     the changes to resolve this issue.

  [Other Info]

   * Almost all of the diff is tool related noise.  I've attached the non-noise part
     of the diff to this bug for reference.  I think it's lower risk to just update
     to the new release to match what upstream is doing since there are no other 
     changes in this release.
   
   * The security team has reviewed this bug and said it should go via SRU and not in
     -security since it causes a config file change.

To manage notifications about this bug go to:
https://bugs.launchpad.net/lucid-backports/+bug/1071139/+subscriptions
References

[Bug 1071139] [NEW] DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust
From: Scott Kitterman, 2012-10-25