Security and DKIM signature verification failure issues
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| dkimpy (Ubuntu) | Fix Released | High | Scott Kitterman | |
| Precise | Fix Released | High | Scott Kitterman | |
| Quantal | Fix Released | High | Scott Kitterman | |
Bug Description
dkimpy 0.5.1 (in precise) and 0.5.2 (in quantal) both suffer from some severe deficiencies that should be addressed via SRU.
[IMPACT]
* DKIM 0.5.1/2 does not consider key length when validating signatures, so it will produce valid signatures even when insecure keys are used
* 0.5.1 and 2 both make incorrect assumptions about header folding and 0.5.2 has a regression from 0.5.1 that causes it to calculate the body hash incorrectly. Both of these issues cause DKIM verification failures for some valid signatures.
[TESTCASE]
* This is very difficult to test in detail. The upstream fixes in 0.5.3 were tested against a number of different signatures generated by different implementations.
* To test that this works, install the updated package and use the dkimsign/dkimverify scripts to verify that DKIM signing and verification still work.
[Regression Potential]
* Low. This is an upstream release that was tested there.
* Regression potential is lower with the new upstream release than with a cherry pick. The only differences between 0.5.2 and 0.5.3 are these fixes. 0.5.1 to 0.5.3 introduces a little more change, but updating to the new version would be lower risk.
[Other Info]
Launchpad uses this module to validate mail from Gmail, so it'd be nice to get this fix in soon.
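The two defects described under [IMPACT] correspond to two checks a DKIM verifier has to get right: the length of the RSA key published in the selector's DNS TXT record, and the relaxed canonicalization of folded headers and of the body before the body hash is computed. The following is an added, self-contained illustration of both; it is not dkimpy's code and does not reproduce the 0.5.3 fix. The DER encoder/decoder, the `constructed_record` helper, the bit-pattern "moduli" and the sample header and body values are all constructed for the example (not real keys or real mail), and the 1024-bit floor in `key_acceptable` is an assumed policy value.

```python
# Added example: DKIM key-length check and relaxed canonicalization.
# Keys, records and messages here are constructed test data, not real ones.
import base64
import hashlib
import re

# --- Minimal DER encode/decode, enough for an RSA SubjectPublicKeyInfo ---

def _der_tlv(tag, value):
    """Encode one tag-length-value; long-form length when value > 127 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _der_int(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:              # DER INTEGER is signed: keep the value positive
        b = b"\x00" + b
    return _der_tlv(0x02, b)

def _der_read(buf, pos=0):
    """Decode one TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption

def make_rsa_spki(n, e):
    """SubjectPublicKeyInfo for an RSA key, the form carried in a DKIM p= tag."""
    alg = _der_tlv(0x30, RSA_OID + b"\x05\x00")
    rsa_pub = _der_tlv(0x30, _der_int(n) + _der_int(e))
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + rsa_pub))

def rsa_modulus_bits(spki):
    """Walk SEQUENCE { AlgorithmIdentifier, BIT STRING { SEQUENCE { n, e } } } to n."""
    tag, body, _ = _der_read(spki)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, pos = _der_read(body)              # skip AlgorithmIdentifier
    tag, bitstr, _ = _der_read(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = _der_read(bitstr[1:])    # drop the unused-bits octet
    tag, n_bytes, _ = _der_read(rsa_pub)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()

# --- DKIM key record (TXT record at <selector>._domainkey.<domain>) ---

def parse_dkim_record(txt):
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def dkim_key_bits(txt):
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type")
    # RFC 6376: whitespace inside p= is ignored (long TXT records are split)
    spki = base64.b64decode(re.sub(r"\s+", "", tags["p"]))
    return rsa_modulus_bits(spki)

def key_acceptable(txt, min_bits=1024):
    """A verifier must refuse signatures made with keys below its floor (assumed 1024)."""
    return dkim_key_bits(txt) >= min_bits

def constructed_record(bits):
    """Not a real key: a bit pattern of the requested length stands in for a modulus."""
    n = (1 << (bits - 1)) | 1
    p = base64.b64encode(make_rsa_spki(n, 65537)).decode()
    return "v=DKIM1; k=rsa; p=" + p[:40] + " " + p[40:]   # simulate split TXT strings

# --- Relaxed canonicalization (RFC 6376 sections 3.4.2 and 3.4.4) ---

def relaxed_header(name, value):
    """Lowercase the name, unfold CRLF-before-WSP, collapse WSP runs, trim ends."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return name.lower() + ":" + value + "\r\n"

def relaxed_body(body):
    """Collapse WSP runs, strip trailing WSP per line, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""

def body_hash(body):
    """The bh= value: base64(SHA-256(canonicalized body)); real mail is bytes, str here for brevity."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode()

if __name__ == "__main__":
    for bits in (512, 1024):
        print(bits, "bit key accepted:", key_acceptable(constructed_record(bits)))
    print("bh= stable across folding:", body_hash("Hello   world \r\n\r\n") == body_hash("Hello world\r\n"))
```

The key-length check is the security-relevant half: a verifier that never looks at the modulus size treats a signature from a short key as just as trustworthy as one from a strong key. The canonicalization half shows why the folding and body-hash bugs in 0.5.1/0.5.2 surface as verification failures rather than security holes: if the verifier folds or trims differently from the signer, the recomputed `bh=` value no longer matches and a valid signature is rejected.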
Changed in dkimpy (Ubuntu): importance: Undecided → Critical
Changed in dkimpy (Ubuntu Precise): importance: Undecided → Critical
Changed in dkimpy (Ubuntu Quantal): importance: Undecided → Critical
Changed in dkimpy (Ubuntu): importance: Critical → High
Changed in dkimpy (Ubuntu Precise): importance: Critical → High
Changed in dkimpy (Ubuntu Quantal): importance: Critical → High
Changed in dkimpy (Ubuntu): assignee: nobody → Scott Kitterman (kitterman)
Changed in dkimpy (Ubuntu Precise): assignee: nobody → Scott Kitterman (kitterman)
Changed in dkimpy (Ubuntu Quantal): assignee: nobody → Scott Kitterman (kitterman); milestone: none → quantal-updates
Changed in dkimpy (Ubuntu Precise): milestone: none → ubuntu-12.04.2
Changed in dkimpy (Ubuntu Precise): milestone: ubuntu-12.04.2 → ubuntu-12.04.3
Including the security team as an FYI, but aiming this at the SRU process as we discussed with opendkim.