[MIR] libesmtp

Bug #515996 reported by Ante Karamatić on 2010-02-02
Affects             Status         Importance   Assigned to   Milestone
libesmtp (Debian)   Fix Released   Unknown
libesmtp (Ubuntu)                  Wishlist     Unassigned

Bug Description

1. Availability: amd64, armel, i386, ia64, powerpc, sparc

2. Rationale: The package helps meet https://blueprints.edge.launchpad.net/ubuntu/+spec/server-maverick-clusterstack blueprint goal. Needed binary packages are libesmtp5 and libesmtp-dev.

3. Security: No CVEs.
A recent fix for "not check NULL bytes in commonNames of certificates" was issued in Debian and is already syncing into Ubuntu.

4. QA: 1 openssl/gnutls related bug in Debian, no bugs in Ubuntu. Upstream's last release was in 2005. URL: http://www.stafford.uklinux.net/libesmtp/

5. UI standards: none

6. Dependencies: all in main

7. Standards: no lintian warnings. Package is packaged with debhelper and uses a custom-developed patch system.

8. Maintenance: simple package, syncs should be enough (there were no Ubuntu changes in package history)

9. Background information: this package is one of the dependencies for the new cluster stack in Ubuntu.

Martin Pitt (pitti) wrote :

approved

Changed in libesmtp (Ubuntu):
status: New → Fix Committed
Kees Cook (kees) wrote :

I need to revoke this approval -- libesmtp is vulnerable to a variation of CVE-2009-2408, in that it does not correctly handle NULL-bytes in the commonName of certificates when comparing domain names. (See smtp-tls.c)

Changed in libesmtp (Ubuntu):
status: Fix Committed → Incomplete
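To illustrate the defect class Kees describes (an embedded NUL in a certificate's commonName truncating a C-string comparison), here is an added example; it is not libesmtp's smtp-tls.c and uses a constructed CN byte string rather than a real certificate. It shows the strcmp()-style check beside a length-aware check that rejects embedded NULs.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: CN bytes as decoded from the ASN.1 string, together
 * with the declared length. The CN is 33 bytes long, but any C string
 * function stops at the embedded NUL after "mail.example.com". */
static const unsigned char sample_cn[] =
    "mail.example.com\0.badhost.example";
static const size_t sample_cn_len = sizeof(sample_cn) - 1; /* 33 */

/* Defective pattern: the declared length is ignored, so strcmp() only
 * ever sees "mail.example.com" and reports a match. */
bool cn_matches_vulnerable(const unsigned char *cn, size_t cn_len,
                           const char *expected_host)
{
    (void)cn_len; /* ignoring the length is the bug */
    return strcmp((const char *)cn, expected_host) == 0;
}

/* Hardened pattern: honour the declared length, refuse any CN that
 * contains a NUL, then compare length-checked and case-insensitively
 * (DNS names are case-insensitive). */
bool cn_matches_hardened(const unsigned char *cn, size_t cn_len,
                         const char *expected_host)
{
    size_t i;
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;                 /* embedded NUL: reject certificate */
    if (cn_len != strlen(expected_host))
        return false;                 /* no silent truncation */
    for (i = 0; i < cn_len; i++) {
        if (tolower(cn[i]) != tolower((unsigned char)expected_host[i]))
            return false;
    }
    return true;
}

int main(void)
{
    const char *host = "mail.example.com";
    printf("vulnerable check accepts forged CN: %d\n",
           cn_matches_vulnerable(sample_cn, sample_cn_len, host));
    printf("hardened check accepts forged CN:   %d\n",
           cn_matches_hardened(sample_cn, sample_cn_len, host));
    return 0;
}
```

A regression test along these lines (a certificate whose CN carries an embedded NUL) is what the qa-regression-testing suite mentioned below would need to exercise.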
Kees Cook (kees) wrote :

Related to this are failures with CN-specificity:
 https://bugzilla.redhat.com/show_bug.cgi?id=510202

Though it may be a non-issue if TLS doesn't function at all:
 http://bugs.gentoo.org/213066

Kees Cook (kees) wrote :

I wouldn't want to see this in main until a full test suite can be built to check for the CN failures (see lp:qa-regression-testing) as has been done for fetchmail, e.g.

Micha Lenk (micha) on 2010-03-20
summary: - [MIR] libesmtp
+ libesmtp does not check NULL bytes in commonNames of certificates
summary: libesmtp does not check NULL bytes in commonNames of certificates
+ (variant of CVE-2009-2408)
Changed in libesmtp (Debian):
status: Unknown → New
Alexander Sack (asac) on 2010-05-28
summary: - libesmtp does not check NULL bytes in commonNames of certificates
- (variant of CVE-2009-2408)
+ MIR fallout: libesmtp does not check NULL bytes in commonNames of
+ certificates (variant of CVE-2009-2408)
Changed in libesmtp (Debian):
status: New → Confirmed
Changed in libesmtp (Debian):
status: Confirmed → Fix Released
summary: - MIR fallout: libesmtp does not check NULL bytes in commonNames of
- certificates (variant of CVE-2009-2408)
+ [MIR] libesmtp
description: updated
Changed in libesmtp (Ubuntu):
status: Incomplete → New
importance: Undecided → Wishlist
Kees Cook (kees) wrote :

Now that this is fixed, I'm fine with the original MIR approval. Thanks! +1

Changed in libesmtp (Ubuntu):
status: New → In Progress
Colin Watson (cjwatson) wrote :

 o libesmtp: libesmtp-dev libesmtp5
   [Reverse-Depends: pacemaker]
   [Reverse-Build-Depends: pacemaker]

Promoted.

Changed in libesmtp (Ubuntu):
status: In Progress → Fix Released
Matthias Klose (doko) wrote :

Not yet promoted. I didn't see any reasons for promotion. Please reopen if we should demote this package. Now promoted to get the cluster stuff building in main.

2010-12-13 23:42:05 INFO Override Component to: 'main'
2010-12-13 23:42:14 INFO 'libesmtp - 1.0.6-1/universe/libs' source overridden
2010-12-13 23:42:14 INFO 'libesmtp-dev-1.0.6-1/universe/libdevel/OPTIONAL' binary overridden in natty/amd64
2010-12-13 23:42:14 INFO 'libesmtp-dev-1.0.6-1/universe/libdevel/OPTIONAL' binary overridden in natty/armel
2010-12-13 23:42:14 INFO 'libesmtp-dev-1.0.6-1/universe/libdevel/OPTIONAL' binary overridden in natty/i386
2010-12-13 23:42:14 INFO 'libesmtp-dev-1.0.6-1/universe/libdevel/OPTIONAL' binary overridden in natty/powerpc
2010-12-13 23:42:14 INFO 'libesmtp6-1.0.6-1/universe/libs/OPTIONAL' binary overridden in natty/amd64
2010-12-13 23:42:14 INFO 'libesmtp6-1.0.6-1/universe/libs/OPTIONAL' binary overridden in natty/armel
2010-12-13 23:42:14 INFO 'libesmtp6-1.0.6-1/universe/libs/OPTIONAL' binary overridden in natty/i386
2010-12-13 23:42:14 INFO 'libesmtp6-1.0.6-1/universe/libs/OPTIONAL' binary overridden in natty/powerpc
