sieve-connect security update to 0.85

Bug #1169349 reported by Phil Pennock on 2013-04-15
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sieve-connect (Ubuntu)

Bug Description

I'm the author of sieve-connect. Version 0.85 is a security update. More details in the announcement on the announcements mailing-list.

Sorry for the inconvenience.

Short version: failure to verify TLS certificate against the hostname (API confusion and stupidity on my part).

CVE References

information type: Private Security → Public
Seth Arnold (seth-arnold) wrote :

Since sieve-connect is in Universe, it is maintained by the community: anyone can prepare debdiffs for updating any of our releases.

We prefer updates to be minimal where possible -- which ought to be fine, since libio-socket-ssl-perl is version 1.31-1 in our oldest supported distribution, 10.04 LTS -- if you're able to prepare a minimal patch for our releases, that would be best. (It _is_ possible to get an exception for just taking full releases, see for details.)


Changed in sieve-connect (Ubuntu):
status: New → Incomplete
Phil Pennock (phil.pennock) wrote :

I don't use Debian or Ubuntu enough to be familiar with the tools, it'll be a wait for me to find time to figure the stuff out. I develop on FreeBSD.

I can try to figure this stuff out, or I can point out that from:

you want line 49/49 (old/new), 87/97, 1880/2084 and new 554-562. Slightly nicer if you take the full 554-565 and then the new 572-587 too, for improved diagnostics, but not strictly necessary.

Launchpad Janitor (janitor) wrote :

[Expired for sieve-connect (Ubuntu) because there has been no activity for 60 days.]

Changed in sieve-connect (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers