SSL validation problem (or sync Sylpheed from Debian sid)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
sylpheed (Ubuntu) |
Fix Released
|
Undecided
|
Julien Lavergne | ||
Trusty |
Fix Released
|
Undecided
|
Bartosz Kosiorek |
Bug Description
SRU statement :
[Impact]
* Actual sylpheed has 2 major issues :
- Security problem (SSL certificate validation)
- Losing mail using POP3
The problem is that the security fix is separated into several commits, so it's not easy and secure to cheery pick commits, and maybe other commits that could be necessary and not labeled « SSL fix ».
So, the easiest and more secure way to fix this is to take the whole upstream release. It will also fix the other major issue.
Since 3.4.0 beta7 (include in trusty), the changelog to 3.4.1 is :
Mac OS X support was improved.
SSL certificate hostname is validated now (#167).
The Japanese manual was modified so that IE correctly detect its character encoding.
The rightmost column of folder view and summary view became easier to resize.
Appropriate columns of folder view, summary view, etc. are auto-expanded by window resize when using GTK+ 2.14 or later.
The initial setup dialog is now resizable.
PGP encrypt-to-self feature was added.
The display period of notification window became configurable.
Win32: OpenSSL was updated to 0.9.8y.
Win32: libpng was updated to 1.2.51.
SSL wildcard certificate is also validated now (#167).
The compile error with OpenSSL disabled was fixed.
This release fixes an important bug that would lose mails when local mailbox was inaccessible on POP3 receiving.
The others fixes are mininal when you compare to the 2 major fixes + the risk to miss something by cherry-picking commits.
[Test Case]
Detail of the security issue is described on the upstream bug tracker : http://
Since it's a security issue, it's not really easy to reproduce.
Also, details about the lost of email are on upstream bug tracker http://
[Regression Potential]
I can't see any regressions. The fixes are upstream since quite some time, and there is no new releases fixing again those issues (no I assume the actual fixes are good).
Changelog :
sylpheed (3.4.1-0ubuntu0.1) trusty-proposed; urgency=medium
* New upstream release
- Fix SSL validation (LP: #1301274).
- Fix losing mails when local mailbox is inaccessible on POP3 receiving.
-- Julien Lavergne <email address hidden> Fri, 16 May 2014 15:29:20 +0200
Debdiff is attached.
Original report :
Hello,
Ubuntu 14.04 LTS Trusty Tahr currently only has the old Sylpheed 3.4 beta 7:
http://
whereas Debian sid has the new Sylpheed 3.4 stable:
https:/
The new Sylpheed 3.4 stable also has a security fix that Sylpheed 3.4 beta 7 does not have, see:
http://
So, please update the package in Ubuntu 14.04 LTS Trusty Tahr, so that it will have the new Sylpheed 3.4 stable as well.
The changelog of Sylpheed is available over there:
http://
It would be much appreciated.
Regards
Related branches
information type: | Private Security → Public |
information type: | Public → Public Security |
Changed in sylpheed (Ubuntu): | |
status: | New → Incomplete |
Changed in sylpheed (Ubuntu): | |
assignee: | nobody → Julien Lavergne (gilir) |
Thanks for your report. I don't think we will be able to update sylpheed in 14.04, however we can include patches from upstream to fix the security issue. I prepared a fixed version, but I don't know how to test it properly. You can found it on https:/ /launchpad. net/~gilir/ +archive/ updates (currently building).