SRU Security and Debian Wheezy Fixes for Precise

Bug #1170896 reported by Scott Kitterman
Affects             Status        Importance  Assigned to      Milestone
opendkim (Ubuntu)   Fix Released  Medium      Unassigned
Precise             Fix Released  Medium      Scott Kitterman
Quantal             Fix Released  Medium      Scott Kitterman

Bug Description

Updated for proposed precise SRU.

This is a very unconventional SRU, but I think it should be accepted.

Why:

1. There is an outstanding security issue in the 2.5 series that precise shipped with that was fixed in 2.6.8. See bug #1071139 for details. This is important for two reasons: users of precise who do not install from backports will be verifying messages with no indication they are using insecure keys (this is the security bug). Additionally, they may be signing messages with keys that are now generally considered insecure and their signatures are being ignored by corrected implementations that will not verify messages signed with keys shorter than 1024 bits. I did try to extract this change from 2.6.8 and backport it to 2.5.2, but could not get it to work, so the only reasonable way to solve this is to update to 2.6.8.

2. Currently (after the SRU that was just moved to quantal-updates), Debian Wheezy and Ubuntu Quantal have identical opendkim packages. I would like to extend that to Precise since it's LTS and will be around for Wheezy's lifetime. That way any maintenance issues can be jointly addressed in both distros off of a common code base.

See the regression risk section for discussions about what's changed and why I think it's OK.

[Impact]

 * In addition to the issues discussed above, there are a large number of bug fixes that should make the new package more reliable.

[Test Case]

 * Install the updated package and verify correct operation.

[Regression Potential]

 * Small - I have run essentially this exact same package via backports in production on precise since November of last year without issues. I've had no reports from anyone else about problems with it either. I believe if 2.6.8 on precise were an issue, I'd have either seen it or heard about it by now.

[Other Info]

 * This will hit binary New. That's unavoidable since upstream bumps soname with every major release. There are no external rdepends, so no other packages are affected.
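An added example, not code from this bug report or from opendkim: it parses the `p=` public key in a DKIM DNS TXT record down to the RSA modulus and applies the minimum-length policy the 2.6.8 update enforces, so keys shorter than 1024 bits are flagged instead of silently accepted. `make_record` is a constructed helper that wraps a dummy modulus (not a real key) in the SubjectPublicKeyInfo layout real records use, so the check can be exercised offline.

```python
import base64

# Smallest RSA modulus (bits) that corrected verifiers still accept.
MIN_KEY_BITS = 1024
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id rsaEncryption

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def key_bits_from_record(txt):
    """Parse a DKIM TXT record and return the RSA modulus size in bits."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    spki = base64.b64decode(tags["p"])
    _, spki_body, _ = _read_tlv(spki, 0)       # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _read_tlv(spki_body, 0)        # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _read_tlv(spki_body, pos)   # BIT STRING holding RSAPublicKey
    _, rsa_body, _ = _read_tlv(bitstr[1:], 0)  # drop unused-bits octet, open SEQUENCE
    _, modulus, _ = _read_tlv(rsa_body, 0)     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def is_acceptable(txt, min_bits=MIN_KEY_BITS):
    """Policy check: refuse to verify (or sign) with keys shorter than min_bits."""
    return key_bits_from_record(txt) >= min_bits

def make_record(bits):
    """Constructed test record (not a real key): wraps an arbitrary odd
    `bits`-bit modulus (bits a multiple of 8) in the SPKI layout DKIM uses."""
    n = (1 << (bits - 1)) | 1
    n_der = _der(0x02, b"\x00" + n.to_bytes(bits // 8, "big"))  # leading 0x00: n positive
    e_der = _der(0x02, b"\x01\x00\x01")                          # e = 65537
    rsa = _der(0x30, n_der + e_der)
    alg = _der(0x30, RSA_OID + b"\x05\x00")                      # rsaEncryption, NULL params
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```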

Changed in opendkim (Ubuntu):
status: New → Fix Released
importance: Undecided → Medium
Changed in opendkim (Ubuntu Quantal):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Scott Kitterman (kitterman)
milestone: none → quantal-updates
Adam Conrad (adconrad) wrote : Please test proposed package

Hello Scott, or anyone else affected,

Accepted opendkim into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/opendkim/2.6.8-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in opendkim (Ubuntu Quantal):
status: In Progress → Fix Committed
tags: added: verification-needed
Scott Kitterman (kitterman) wrote : Re: SRU Debian Wheezy Fixes for Quantal

Tested out and works fine.

tags: added: verification-done
removed: verification-needed
Colin Watson (cjwatson) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote : Re: SRU Debian Wheezy Fixes for Quantal

This bug was fixed in the package opendkim - 2.6.8-0ubuntu1.1

---------------
opendkim (2.6.8-0ubuntu1.1) quantal-proposed; urgency=low

  * Update 2.6.8 in Ubuntu to match Debian Wheezy (LP: #1170896)
  * Backport fix from upstream to log the correct message selector
    (Closes: #695145) (fix was included as part of the just released 2.7.4)
  * Add missing depends on openssl to opendkim-tools so opendkim-genkey will
    work (Closes: #693188)
 -- Scott Kitterman <email address hidden> Sat, 20 Apr 2013 03:17:20 -0400

Changed in opendkim (Ubuntu Quantal):
status: Fix Committed → Fix Released
Changed in opendkim (Ubuntu Precise):
importance: Undecided → Medium
milestone: none → precise-updates
assignee: nobody → Scott Kitterman (kitterman)
Scott Kitterman (kitterman) wrote :

Uploaded for precise now.

description: updated
tags: removed: verification-done
Changed in opendkim (Ubuntu Precise):
status: New → In Progress
description: updated
summary: - SRU Debian Wheezy Fixes for Quantal
+ SRU Security and Debian Wheezy Fixes for Precise
Adam Conrad (adconrad) wrote : Please test proposed package

Hello Scott, or anyone else affected,

Accepted opendkim into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/opendkim/2.6.8-0ubuntu1.0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in opendkim (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Scott Kitterman (kitterman) wrote :

Installed the updated package and verified both proper signing and signature verification.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opendkim - 2.6.8-0ubuntu1.0.1

---------------
opendkim (2.6.8-0ubuntu1.0.1) precise-proposed; urgency=low

  * New upstream security release to add capability to exclude use of
    insecure keys (Closes: #691394, LP: #1071139)
    - Fix bug #SF3539449: Clarify legal "Socket" values. Requested by Scott
      Kitterman.
    - Fix bug #SF3539493: Handle certain cases of data set names that appear
      to be comma-separated lists which include IPv6 addresses. Reported by
      Scott Kitterman. (Closes: #679548)
    - Rename libopendkim6 to libopendkim7 to match new soname
      - Update package and dependencies in debian/control
      - Rename .install and .doc files
    - Drop --enable-xtags from configure in debian/rules since it is now on by
      default
    - Update debian/copyright
    - Remove dversionmangle from debian/watch
    - Update README.Debian to reflect documentation no longer being stripped
  * Update 2.6.8 in Precise to match Debian Wheezy and Quantal (LP: #1170896)
  * Backport fix from upstream to log the correct message selector
    (Closes: #695145) (fix was included as part of the just released 2.7.4)
  * Add missing depends on openssl to opendkim-tools so opendkim-genkey will
    work (Closes: #693188)
  * Drop obsolete configure option enable-selector_header
  * Use restorecon to apply a SE Linux label after creating a run dir
    (Closes: #679852)
  * Use CFLAGS, CPPFLAGS, and LDFLAGS from dpkg-buildflags
  * Split opendkim into opendkim and opendkim-tools since the command line
    support tools are now bigger than the application
  * Add status option to /etc/init.d/opendkim
    - Add depends on lsb-base
  * Add Description to /etc/init.d/opendkim header
  * Enable Vouch By Reference support:
    - Add --enable-vbr in debian/rules
    - Update libopendkim install files to be more specific and not install
      libvbr related files
    - Add libvbr2 and libvbr-dev to debian/control
    - Add debian/libvbr2.docs, libvbr2.install, and libvbr-dev.install
  * Enable extensions for adding arbitrary experimental signature tags and
    values in libopendkim (needed for ATPS support)
    - Add --enable-xtags in debian/rules
  * Enable support for RFC 6541 DKIM Authorized Third-Party Signatures (ATPS)
    - Add --enable-atps in debian/rules
  * Enable support for optional oversigning of header fields to prevent
    malicious parties from adding additional instances of the field
    - Add --enable-oversign to debian/rules
    - Modify debian/opendkim.conf to use OversignHeaders for From by default
  * Add required build-arch and build-indep targets to debian/rules
  * Added new opendkim.NEWS entry to describe changed defaults with this
    revision
  * Update debian/copyright (Closes: #664132)
  * Add debian/watch
  * Remove unneeded shlibs:Depends for libdkim-dev
 -- Scott Kitterman <email address hidden> Sun, 28 Apr 2013 12:02:43 -0400

Changed in opendkim (Ubuntu Precise):
status: Fix Committed → Fix Released