DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust

Bug #1071139 reported by Scott Kitterman on 2012-10-25
Affects             Status        Importance  Assigned to       Milestone
Lucid Backports                   High        Scott Kitterman
Precise Backports                 High        Scott Kitterman
opendkim (Debian)   Fix Released  Unknown
opendkim (Ubuntu)                 High        Scott Kitterman
  Precise                         Undecided   Unassigned
  Quantal                         High        Scott Kitterman
  Raring                          High        Scott Kitterman

Bug Description

See http://www.kb.cert.org/vuls/id/268267, VU#268267

opendkim in squeeze, wheezy, sid offers no method to prevent use of keys
less than 1024 bits. This is added in the new upstream release, 2.6.8, that
was released just for this issue.

[IMPACT]

 * DKIM verifiers built on opendkim accept signatures made with insecure keys
   (shorter than 1024 bits) and report them as valid results.

[TESTCASE]

 * The new functionality to limit key sizes is not easy to test, but is covered by
   additions to the test suite.

 * In order to verify this package, it needs to be installed and tested that it
   generally works as before.

 * Because of the specialized nature of this package, it's not possible to produce
   a test case that just anyone can verify.

[Regression Potential]

 * Regression potential is very small as the only code changes in this release are
   the changes to resolve this issue.

[Other Info]

 * Almost all of the diff is tool related noise. I've attached the non-noise part
   of the diff to this bug for reference. I think it's lower risk to just update
   to the new release to match what upstream is doing since there are no other
   changes in this release.

 * The security team has reviewed this bug and said it should go via SRU and not in
   -security since it causes a config file change.
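
The check the new release adds, shown as an added example that is not part of this bug report or of opendkim's own code: a verifier-side policy in Python that parses a DKIM key record (the v=, k= and p= tags of the TXT record), reads the RSA modulus out of the base64 SubjectPublicKeyInfo in p=, and refuses to treat a key below 1024 bits as usable, so a signature made with such a key cannot produce a valid result. Upstream exposes this policy as an opendkim.conf setting (MinimumKeyBits, to my knowledge; the report above does not name it). The sample records are constructed here with synthetic moduli of a chosen bit length, not real keys, and build_rsa_spki, rsa_modulus_bits, check_dkim_key and make_sample_record are names chosen for this example.

```python
import base64
import re

# DER body of OID 1.2.840.113549.1.1.1 (rsaEncryption).
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")


def _der_len(n):
    """DER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    """DER INTEGER; a leading 0x00 keeps a high-bit value positive."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def build_rsa_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo for an RSA key, the form published in a DKIM
    p= tag. Used here only to construct sample records."""
    alg_id = _der_tlv(0x30, _der_tlv(0x06, OID_RSA_ENCRYPTION) + b"\x05\x00")
    rsa_pub = _der_tlv(0x30, _der_int(modulus) + _der_int(exponent))
    # BIT STRING: the first octet is the count of unused trailing bits (0).
    return _der_tlv(0x30, alg_id + _der_tlv(0x03, b"\x00" + rsa_pub))


def _der_read(buf, pos):
    """Read one TLV at pos; returns (tag, value bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, outer, _ = _der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg_id, pos = _der_read(outer, 0)
    _, oid, _ = _der_read(alg_id, 0)
    if oid != OID_RSA_ENCRYPTION:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _der_read(outer, pos)
    if tag != 0x03:
        raise ValueError("missing subjectPublicKey BIT STRING")
    _, rsa_pub, _ = _der_read(bit_string[1:], 0)  # skip unused-bits octet
    tag, modulus, _ = _der_read(rsa_pub, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt):
    """Split a DKIM key record ('v=DKIM1; k=rsa; p=...') into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def check_dkim_key(txt, min_bits=1024):
    """Verifier-side policy: returns (accepted, modulus bits, reason).
    A key below min_bits is unusable, so a signature made with it never
    yields a valid result."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, 0, "unsupported record version"
    if tags.get("k", "rsa") != "rsa":
        return False, 0, "unsupported key type"
    # p= may span several TXT strings; whitespace inside it is ignored.
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not p:
        return False, 0, "key revoked (empty p=)"
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError) as exc:
        return False, 0, "unparseable key: %s" % exc
    if bits < min_bits:
        return False, bits, "key shorter than %d bits" % min_bits
    return True, bits, "ok"


def make_sample_record(bits):
    """Constructed record: a synthetic modulus of exactly `bits` bits
    (top bit set), NOT a real RSA key, wrapped as a DKIM TXT record."""
    modulus = (1 << (bits - 1)) | 1
    p = base64.b64encode(build_rsa_spki(modulus)).decode()
    return "v=DKIM1; k=rsa; p=%s" % p


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, check_dkim_key(make_sample_record(bits)))
```

The policy is applied before any signature arithmetic, which is the point of the fix: a verifier that only checks the signature math reports "pass" for a 512-bit key just as readily as for a 2048-bit one, and nothing downstream can tell the difference. A real verifier would fetch the record from DNS and then hand the decoded key to its crypto library; the length check belongs between those two steps.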

information type: Public → Public Security
Scott Kitterman (kitterman) wrote :

Uploaded 2.6.8 for raring.

Changed in opendkim (Ubuntu Raring):
status: New → Fix Committed
importance: Undecided → High
assignee: nobody → Scott Kitterman (kitterman)
milestone: none → ubuntu-13.04-beta-1
Changed in opendkim (Debian):
status: Unknown → Confirmed
Seth Arnold (seth-arnold) wrote :

Since opendkim is in universe, it is community maintained. If you are able, please post a debdiff for this issue.

When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Thanks

Marc Deslauriers (mdeslaur) wrote :

Actually, this is more an enhancement, and requires a config file change.

I think this would be better handled by an SRU than a security update.

Changed in opendkim (Debian):
status: Confirmed → Fix Released
Scott Kitterman (kitterman) wrote :
description: updated
Changed in opendkim (Ubuntu Quantal):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Scott Kitterman (kitterman)
milestone: none → quantal-updates
Changed in precise-backports:
importance: Undecided → High
status: New → In Progress
assignee: nobody → Scott Kitterman (kitterman)
Changed in lucid-backports:
assignee: nobody → Scott Kitterman (kitterman)
importance: Undecided → High
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opendkim - 2.6.8-1

---------------
opendkim (2.6.8-1) experimental; urgency=low

  * New upstream security release to add capability to exclude use of
    insecure keys (Closes: #691394, LP: #1071139)

 -- Scott Kitterman <email address hidden> Thu, 25 Oct 2012 01:04:27 -0400

Changed in opendkim (Ubuntu Raring):
status: Fix Committed → Fix Released

Hello Scott, or anyone else affected,

Accepted opendkim into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/opendkim/2.6.8-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in opendkim (Ubuntu Quantal):
status: In Progress → Fix Committed
tags: added: verification-needed
Clint Byrum (clint-fewbar) wrote :

Since this is a fairly thorny issue, and a large patch to solve it, verification needs to include extensive documentation of what testing was done.

On Wednesday, November 07, 2012 10:26:23 PM you wrote:
> Since this is a fairly thorny issue, and a large patch to solve it,
> verification needs to include extensive documentation of what testing
> was done.

Almost all the patch was tool noise, so it's pretty low risk. There isn't a
good way to verify the key length checks are doing precisely what they are
supposed to, but we can validate no regressions. I'm in contact with upstream
and they've had no reports of issues, so I'm confident the upstream changes
work.

Scott Kitterman (kitterman) wrote :

B/I/R on lucid and precise.

Scott Kitterman (kitterman) wrote :

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading opendkim_2.6.8-0ubuntu1~ubuntu12.04.1.dsc: done.
  Uploading opendkim_2.6.8.orig.tar.gz: done.
  Uploading opendkim_2.6.8-0ubuntu1~ubuntu12.04.1.diff.gz: done.
  Uploading opendkim_2.6.8-0ubuntu1~ubuntu12.04.1_source.changes: done.
Successfully uploaded packages.

Changed in precise-backports:
status: In Progress → Fix Released
Scott Kitterman (kitterman) wrote :

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading opendkim_2.6.8-0ubuntu1~ubuntu10.04.1.dsc: done.
  Uploading opendkim_2.6.8.orig.tar.gz: done.
  Uploading opendkim_2.6.8-0ubuntu1~ubuntu10.04.1.diff.gz: done.
  Uploading opendkim_2.6.8-0ubuntu1~ubuntu10.04.1_source.changes: done.
Successfully uploaded packages.

Changed in lucid-backports:
status: In Progress → Fix Released
Scott Kitterman (kitterman) wrote :

Tested that opendkim is working with the quantal-proposed package. I've got additional verification that the fix is good since I've got the same package backported to precise running in production.

tags: added: verification-done
removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opendkim - 2.6.8-0ubuntu1

---------------
opendkim (2.6.8-0ubuntu1) quantal-proposed; urgency=low

  * New upstream security release to add capability to exclude use of
    insecure keys (Closes: #691394, LP: #1071139)
 -- Scott Kitterman <email address hidden> Thu, 25 Oct 2012 01:04:27 -0400

Changed in opendkim (Ubuntu Quantal):
status: Fix Committed → Fix Released

Hello Scott, or anyone else affected,

Accepted opendkim into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/opendkim/2.6.8-0ubuntu1.0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in opendkim (Ubuntu Precise):
status: New → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opendkim - 2.6.8-0ubuntu1.0.1

---------------
opendkim (2.6.8-0ubuntu1.0.1) precise-proposed; urgency=low

  * New upstream security release to add capability to exclude use of
    insecure keys (Closes: #691394, LP: #1071139)
    - Fix bug #SF3539449: Clarify legal "Socket" values. Requested by Scott
      Kitterman.
    - Fix bug #SF3539493: Handle certain cases of data set names that appear
      to be comma-separated lists which include IPv6 addresses. Reported by
      Scott Kitterman. (Closes: #679548)
    - Rename libopendkim6 to libopendkim7 to match new soname
      - Update package and dependencies in debian/control
      - Rename .install and .doc files
    - Drop --enable-xtags from configure in debian/rules since it is now on by
      default
    - Update debian/copyright
    - Remove dversionmangle from debian/watch
    - Update README.Debian to reflect documentation no longer being stripped
  * Update 2.6.8 in Precise to match Debian Wheezy and Quantal (LP: #1170896)
  * Backport fix from upstream to log the correct message selector
    (Closes: #695145) (fix was included as part of the just released 2.7.4)
  * Add missing depends on openssl to opendkim-tools so opendkim-genkey will
    work (Closes: #693188)
  * Drop obsolete configure option enable-selector_header
  * Use restorecon to apply a SE Linux label after creating a run dir
    (Closes: #679852)
  * Use CFLAGS, CPPFLAGS, and LDFLAGS from dpkg-buildflags
  * Split opendkim into opendkim and opendkim-tools since the command line
    support tools are now bigger than the application
  * Add status option to /etc/init.d/opendkim
    - Add depends on lsb-base
  * Add Description to /etc/init.d/opendkim header
  * Enable Vouch By Reference support:
    - Add --enable-vbr in debian/rules
    - Update libopendkim install files to be more specific and not install
      libvbr related files
    - Add libvbr2 and libvbr-dev to debian/control
    - Add debian/libvbr2.docs, libvbr2.install, and libvbr-dev.install
  * Enable extensions for adding arbitrary experimental signature tags and
    values in libopendkim (needed for ATPS support)
    - Add --enable-xtags in debian/rules
  * Enable support for RFC 6541 DKIM Authorized Third-Party Signatures (ATPS)
    - Add --enable-atps in debian/rules
  * Enable support for optional oversigning of header fields to prevent
    malicious parties from adding additional instances of the field
    - Add --enable-oversign to debian/rules
    - Modify debian/opendkim.conf to use OversignHeaders for From by default
  * Add required build-arch and build-indep targets to debian/rules
  * Added new opendkim.NEWS entry to describe changed defaults with this
    revision
  * Update debian/copyright (Closes: #664132)
  * Add debian/watch
  * Remove unneeded shlibs:Depends for libdkim-dev
 -- Scott Kitterman <email address hidden> Sun, 28 Apr 2013 12:02:43 -0400

Changed in opendkim (Ubuntu Precise):
status: Fix Committed → Fix Released
Adolfo Jayme (fitojb) wrote :

(Untargetting EOLd releases)

no longer affects: opendkim (Ubuntu Lucid)
no longer affects: opendkim (Ubuntu Natty)
no longer affects: opendkim (Ubuntu Oneiric)
Scott Kitterman (kitterman) wrote :

Lucid is still supported on servers. Please don't untarget it for server packages.
