2014-04-02 09:27:35 |
N. W. |
bug |
|
|
added bug |
2014-04-02 09:30:22 |
N. W. |
information type |
Private Security |
Public |
|
2014-04-16 21:58:50 |
Julien Lavergne |
summary |
Please sync Sylpheed from Debian sid |
SSL validation problem (or sync Sylpheed from Debian sid) |
|
2014-04-16 21:58:56 |
Julien Lavergne |
nominated for series |
|
Ubuntu Trusty |
|
2014-04-16 21:58:56 |
Julien Lavergne |
bug task added |
|
sylpheed (Ubuntu Trusty) |
|
2014-04-18 18:40:02 |
Marc Deslauriers |
information type |
Public |
Public Security |
|
2014-04-18 18:44:43 |
Marc Deslauriers |
sylpheed (Ubuntu): status |
New |
Incomplete |
|
2014-06-08 14:03:05 |
Julien Lavergne |
sylpheed (Ubuntu): status |
Incomplete |
Fix Released |
|
2014-06-08 14:03:19 |
Julien Lavergne |
sylpheed (Ubuntu Trusty): status |
Incomplete |
New |
|
2014-06-08 14:04:07 |
Julien Lavergne |
description |
Hello,
Ubuntu 14.04 LTS Trusty Tahr currently only has the old Sylpheed 3.4 beta 7:
http://packages.ubuntu.com/trusty/sylpheed
whereas Debian sid has the new Sylpheed 3.4 stable:
https://packages.debian.org/sid/sylpheed
The new Sylpheed 3.4 stable also has a security fix that Sylpheed 3.4 beta 7 does not have, see:
http://sylpheed.sraoss.jp/redmine/issues/167
So, please update the package in Ubuntu 14.04 LTS Trusty Tahr, so that it will have the new Sylpheed 3.4 stable as well.
The changelog of Sylpheed is available over there:
http://sylpheed.sraoss.jp/en/news.html
It would be much appreciated.
Regards |
SRU statement :
[Impact]
* Actual sylpheed has 2 major issues :
- Security problem (SSL certificate validation)
- Losing mail using POP3
The problem is that the security fix is separated into several commits, so it's not easy and secure to cheery pick commits, and maybe other commits that could be necessary and not labeled « SSL fix ».
So, the easiest and more secure way to fix this is to take the whole upstream release. It will also fix the other major issue.
Since 3.4.0 beta7 (include in trusty), the changelog to 3.4.1 is :
Mac OS X support was improved.
SSL certificate hostname is validated now (#167).
The Japanese manual was modified so that IE correctly detect its character encoding.
The rightmost column of folder view and summary view became easier to resize.
Appropriate columns of folder view, summary view, etc. are auto-expanded by window resize when using GTK+ 2.14 or later.
The initial setup dialog is now resizable.
PGP encrypt-to-self feature was added.
The display period of notification window became configurable.
Win32: OpenSSL was updated to 0.9.8y.
Win32: libpng was updated to 1.2.51.
SSL wildcard certificate is also validated now (#167).
The compile error with OpenSSL disabled was fixed.
This release fixes an important bug that would lose mails when local mailbox was inaccessible on POP3 receiving.
The others fixes are mininal when you compare to the 2 major fixes + the risk to miss something by cherry-picking commits.
[Test Case]
Detail of the security issue is described on the upstream bug tracker : http://sylpheed.sraoss.jp/redmine/issues/167
Since it's a security issue, it's not really easy to reproduce.
Also, details about the lost of email are on upstream bug tracker http://sylpheed.sraoss.jp/redmine/issues/193
[Regression Potential]
I can't see any regressions. The fixes are upstream since quite some time, and there is no new releases fixing again those issues (no I assume the actual fixes are good).
Changelog :
sylpheed (3.4.1-0ubuntu0.1) trusty-proposed; urgency=medium
* New upstream release
- Fix SSL validation (LP: #1301274).
- Fix losing mails when local mailbox is inaccessible on POP3 receiving.
-- Julien Lavergne <gilir@ubuntu.com> Fri, 16 May 2014 15:29:20 +0200
Debdiff is attached.
Original report :
Hello,
Ubuntu 14.04 LTS Trusty Tahr currently only has the old Sylpheed 3.4 beta 7:
http://packages.ubuntu.com/trusty/sylpheed
whereas Debian sid has the new Sylpheed 3.4 stable:
https://packages.debian.org/sid/sylpheed
The new Sylpheed 3.4 stable also has a security fix that Sylpheed 3.4 beta 7 does not have, see:
http://sylpheed.sraoss.jp/redmine/issues/167
So, please update the package in Ubuntu 14.04 LTS Trusty Tahr, so that it will have the new Sylpheed 3.4 stable as well.
The changelog of Sylpheed is available over there:
http://sylpheed.sraoss.jp/en/news.html
It would be much appreciated.
Regards |
|
2014-06-08 14:06:35 |
Julien Lavergne |
attachment added |
|
sylpheed_3.4.1-0ubuntu0.1.debdiff https://bugs.launchpad.net/ubuntu/+source/sylpheed/+bug/1301274/+attachment/4127675/+files/sylpheed_3.4.1-0ubuntu0.1.debdiff |
|
2014-06-08 14:32:19 |
Julien Lavergne |
sylpheed (Ubuntu): assignee |
|
Julien Lavergne (gilir) |
|
2014-06-19 22:58:21 |
Brian Murray |
sylpheed (Ubuntu Trusty): status |
New |
Fix Committed |
|
2014-06-19 22:58:23 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2014-06-19 22:58:25 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2014-06-19 22:58:29 |
Brian Murray |
tags |
|
verification-needed |
|
2014-06-19 23:10:20 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-proposed/sylpheed |
|
2014-12-08 15:30:14 |
Bartosz Kosiorek |
sylpheed (Ubuntu Trusty): assignee |
|
Bartosz Kosiorek (gang65) |
|
2014-12-08 15:32:45 |
Bartosz Kosiorek |
tags |
verification-needed |
verification-done |
|
2014-12-08 18:33:07 |
Launchpad Janitor |
sylpheed (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2014-12-08 18:33:14 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|