SRU Security and Debian Wheezy Fixes for Precise
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| opendkim (Ubuntu) | Fix Released | Medium | Unassigned | |
| Precise | Fix Released | Medium | Scott Kitterman | |
| Quantal | Fix Released | Medium | Scott Kitterman | |
Bug Description
Updated for proposed precise SRU.
This is a very unconventional SRU, but I think it should be accepted.
Why:
1. There is an outstanding security issue in the 2.5 series that precise shipped with that was fixed in 2.6.8. See bug #1071139 for details. This is important for two reasons: users of precise who do not install from backports will be verifying messages with no indication they are using insecure keys (this is the security bug). Additionally, they may be signing messages with keys that are now generally considered insecure, and their signatures are being ignored by corrected implementations that will not verify messages signed with keys shorter than 1024 bits. I did try to extract this change from 2.6.8 and backport it to 2.5.2, but could not get it to work, so the only reasonable way to solve this is to update to 2.6.8.
2. Currently (after the SRU that was just moved to quantal-updates), Debian Wheezy and Ubuntu Quantal have identical opendkim packages. I would like to extend that to Precise since it's LTS and will be around for Wheezy's lifetime. That way any maintenance issues can be jointly addressed in both distros off of a common code base.
See the regression risk section for discussions about what's changed and why I think it's OK.
[Impact]
* In addition to the issues discussed above, there are a large number of bug fixes that should make the new package more reliable.
[Test Case]
* Install the updated package and verify correct operation.
[Regression Potential]
* Small - I have run essentially this exact same package via backports in production on precise since November of last year without issues. I've had no reports from anyone else about problems with it either. I believe if 2.6.8 on precise were an issue, I'd have either seen it or heard about it by now.
[Other Info]
* This will hit binary New. That's unavoidable since upstream bumps soname with every major release. There are no external rdepends, so no other packages are affected.
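The check behind point 1 of the description, as an added example that is not part of this bug report and not OpenDKIM's own code: a verifier that accepts a signature made with a short key gives the operator no warning, so the script below does what a corrected verifier does with a DKIM DNS TXT record: decode the `p=` tag, read the RSA modulus out of the SubjectPublicKeyInfo DER, and flag anything under 1024 bits. The DKIM records and moduli are constructed inline (placeholder integers of the right length, not real keys); `MIN_RSA_BITS`, the helper names and the verdict strings are this example's own assumptions.

```python
"""Report the RSA key length advertised in a DKIM DNS TXT record (added example)."""
import base64
import re

MIN_RSA_BITS = 1024  # assumed floor, matching the 1024-bit threshold discussed in the bug
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption


# --- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo ---------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body          # long-form length


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                               # keep the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def _read_tlv(buf, pos):
    """Return (tag, content, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_spki(modulus, exponent=65537):
    """Encode an RSA public key as SubjectPublicKeyInfo; used here only to build test records."""
    alg_id = _der(0x30, RSA_OID + b"\x05\x00")                     # rsaEncryption, NULL params
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(exponent))   # RSAPublicKey
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))      # BIT STRING, 0 unused bits


def rsa_modulus_bits(spki):
    """Bit length of the modulus inside a DER SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg_id, pos = _read_tlv(body, 0)
    if tag != 0x30 or not alg_id.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(body, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_pub, _ = _read_tlv(bitstr, 1)             # skip the unused-bits octet
    tag, n_bytes, _ = _read_tlv(rsa_pub, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(n_bytes, "big").bit_length()


# --- DKIM record handling ------------------------------------------------------
def parse_dkim_record(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict; the first '=' separates tag from value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_dkim_record(txt, min_bits=MIN_RSA_BITS):
    """Return (verdict, modulus_bits); verdict is 'ok', 'weak', 'revoked' or 'unsupported'."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":                # k= defaults to rsa (RFC 6376)
        return "unsupported", None
    p = re.sub(r"\s+", "", tags.get("p", ""))        # TXT strings are often folded with spaces
    if not p:                                        # empty p= means the key is revoked
        return "revoked", None
    bits = rsa_modulus_bits(base64.b64decode(p))
    return ("weak" if bits < min_bits else "ok"), bits


def _placeholder_modulus(bits):
    """Constructed odd integer of exactly `bits` bits; NOT a real RSA modulus."""
    return (1 << (bits - 1)) | 0x5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5B


def demo_records():
    """Constructed DKIM records: a 512-bit key, a 2048-bit key, and a revoked selector."""
    def record(bits):
        p = base64.b64encode(build_spki(_placeholder_modulus(bits))).decode()
        return "v=DKIM1; k=rsa; p=" + p
    return {"weak": record(512), "ok": record(2048), "revoked": "v=DKIM1; k=rsa; p="}


if __name__ == "__main__":
    for name, rec in demo_records().items():
        print(name, check_dkim_record(rec))
```

Against a live selector, fetch the TXT record for `<selector>._domainkey.<domain>` (for example with `dig +short TXT`) and pass the concatenated string to `check_dkim_record`; the whitespace stripping covers records split across several quoted TXT strings. A `weak` verdict on your own selector means corrected verifiers will ignore your signatures, which is the signing-side half of the problem described above.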
Changed in opendkim (Ubuntu):
status: New → Fix Released
importance: Undecided → Medium
Changed in opendkim (Ubuntu Quantal):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Scott Kitterman (kitterman)
milestone: none → quantal-updates
Changed in opendkim (Ubuntu Precise):
importance: Undecided → Medium
milestone: none → precise-updates
assignee: nobody → Scott Kitterman (kitterman)
summary: SRU Debian Wheezy Fixes for Quantal → SRU Security and Debian Wheezy Fixes for Precise
Hello Scott, or anyone else affected,
Accepted opendkim into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/opendkim/2.6.8-0ubuntu1.1 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.
Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!