Hello community, here is the log from the commit of package claws-mail for openSUSE:12.2 checked in at 2012-08-13 19:53:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2/claws-mail (Old) and /work/SRC/openSUSE:12.2/.claws-mail.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "claws-mail", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:12.2/claws-mail/claws-mail.changes 2012-07-23 10:15:23.000000000 +0200 +++ /work/SRC/openSUSE:12.2/.claws-mail.new/claws-mail.changes 2012-08-13 19:53:31.000000000 +0200 
@@ -1,0 +2,64 @@ +Thu Aug 9 12:59:41 UTC 2012 - [email protected] + +- Add claws-mail-verify-hostname.patch: fix SSL negotiation and + hostname verification. +- Drop claws-mail-certbundle-path.patch: integrated in the upstram + patch. + +------------------------------------------------------------------- +Sun Aug 5 01:47:20 UTC 2012 - [email protected] + +- Updated to version 3.8.1: + + Replied and Forwarded message status flags are now non- + exclusive. Introduced a new message state (and relevant icon + in message list) where both the Replied and Forwarded flags + are set. + + 'Send to...' has been added to the context menu of a message's + parts. This causes a new Compose window to open with the + selected mime part attached. + + 'Hide' and 'View Log' buttons have been added to the Send and + Receive dialogues. The former will hide the dialogue, the + latter will open the Network Log dialogue. + + A short symbol has been added the QuickSearch Extended mode: + 'ha', an abbreviated form of 'has_attachment'. + + Basic session statistics are now available, from the + Statistics tab in About dialog and the command-line. + + The display of attached patches, (text/x-patch or text/x-diff) + is now colourised. The colours are controlled by 3 new hidden + preferences: diff_added_color, diff_deleted_color, and + diff_hunk_color. + + Updated translations. + + Bug fixes: + - Bug 1090, 'Standard-folders appear again after rescanning + tree'. + - Bug 1924, 'Messages marked move to Trash appear identical to + messages marked move to $FOLDER'. + - Bug 2598, 'Actions can move locked messages'. + - Bug 2501, 'opened message blanks when moved to other + folder'. + - Bug 2574, 'Statement might be overflowing a buffer in + strncat'. + - Bug 2577, 'Focus rectangle on folder list and message list + headings doesn't get properly cleared when switching heading + and horizontally scrolling list (underlines and vertical + lines remain on screen)'. 
+ - Bug 2582, 'Expanded mimeview drag n drop no longer works'. + - Bug 2595, 'Change expand behavior for message list / message + view'. + - Bug 2620, 'shift+tab from subject field not working'. + - Bug 2624, 'dialog "Action Configuration" cannot be closed'. + - Bug 2646, 'Compile fails with gnutls-3.0.18'. + - Bug 2659, 'E-mail attachments are handled inconsistently'. + - Bug 2662, '"ag" quicksearch adds "1" to value'. + - Fix bug in search criteria when doing a complete directory + search using '*'. + - Fix sensitivity of toolbar's get_btn (retrieve mail from + current account) and of mainwindows's relevant entry when + current account is not able to retrieve (SMTP-only). + - Don't do TLS if not requested by user. fixes connecting to + servers which, for example, want SSL 3 only. +- Drop claws-mail-fix-bufferoverflowstrncat.patch as this has been + upstreamed. +- Drop claws-mail-gnutls318.patch as this has been upstreamed. + +------------------------------------------------------------------- Old: ---- claws-mail-3.8.0.tar.bz2 claws-mail-certbundle-path.patch claws-mail-fix-bufferoverflowstrncat.patch claws-mail-gnutls318.patch New: ---- claws-mail-3.8.1.tar.bz2 claws-mail-verify-hostname.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ claws-mail.spec ++++++ --- /var/tmp/diff_new_pack.iCWKO4/_old 2012-08-13 19:53:32.000000000 +0200 +++ /var/tmp/diff_new_pack.iCWKO4/_new 2012-08-13 19:53:32.000000000 +0200 
@@ -22,22 +22,18 @@ %endif Name: claws-mail -Version: 3.8.0 +Version: 3.8.1 Release: 0 Url: http://www.claws-mail.org/ Summary: A lightweight and highly configurable email client License: GPL-3.0+ Group: Productivity/Networking/Email/Clients -Source0: http://downloads.sourceforge.net/project/sylpheed-claws/Claws%20Mail/3.8.0/%{name}-%{version}.tar.bz2 +Source0: http://downloads.sourceforge.net/project/sylpheed-claws/Claws%20Mail/3.8.1/%{name}-%{version}.tar.bz2 Patch0: claws-mail-python.diff -# PATCH-FIX-UPSTREAM claws-mail-fix-bufferoverflowstrncat.patch [email protected] -- Fix statement might be overflowing a buffer in strncat, http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2574 -Patch1: claws-mail-fix-bufferoverflowstrncat.patch -# PATCH-FIX-UPSTREAM claws-mail-gnutls318.patch [email protected] -- Fix build with gnutls 3.18. Taken from cvs rev 41. -Patch2: claws-mail-gnutls318.patch # PATCH-FIX-UPSTREAM claws-mail-bnc770014.patch bnc#770014 -- Fix crash when trying to view info about pgp/smime sign -Patch3: claws-mail-bnc770014.patch -# PATCH-FIX-UPSTREAM claws-mail-certbundle-path.patch bnc#761503 [email protected] -- Add our own path to the ssl ca bundle. -Patch4: claws-mail-certbundle-path.patch +Patch1: claws-mail-bnc770014.patch +# PATCH-FIX-UPSTREAM claws-mail-verify-hostname.patch bnc#761503 -- Verify peer names when negotiating certificates. +Patch3: claws-mail-verify-hostname.patch BuildRequires: NetworkManager-devel BuildRequires: compface BuildRequires: db-devel 
@@ -114,9 +110,7 @@ %setup -q %patch0 %patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 +%patch3 -p0 %build %configure \ ++++++ claws-mail-3.8.0.tar.bz2 -> claws-mail-3.8.1.tar.bz2 ++++++ /work/SRC/openSUSE:12.2/claws-mail/claws-mail-3.8.0.tar.bz2 /work/SRC/openSUSE:12.2/.claws-mail.new/claws-mail-3.8.1.tar.bz2 differ: char 11, line 1 ++++++ claws-mail-verify-hostname.patch ++++++ Index: src/common/ssl.c =================================================================== --- src/common/ssl.c.orig +++ src/common/ssl.c @@ -104,6 +104,7 @@ const gchar *claws_ssl_get_cert_file(voi const char *cert_files[]={ "/etc/pki/tls/certs/ca-bundle.crt", "/etc/certs/ca-bundle.crt", + "/etc/ssl/ca-bundle.pem", "/usr/share/ssl/certs/ca-bundle.crt", "/etc/ssl/certs/ca-certificates.crt", "/usr/local/ssl/certs/ca-bundle.crt", Index: src/common/ssl_certificate.c =================================================================== --- src/common/ssl_certificate.c.orig +++ src/common/ssl_certificate.c @@ -833,4 +833,22 @@ void ssl_certificate_get_x509_and_pkey_f gnutls_pkcs12_deinit(p12); } } + +gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert) +{ + return gnutls_x509_crt_check_hostname(cert->x509_cert, cert->host) != 0; +} + +gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert) +{ + gchar subject_cn[BUFFSIZE]; + size_t n = BUFFSIZE; + + if(gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, + GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_cn, &n)) + strncpy(subject_cn, _("<not in certificate>"), BUFFSIZE); + + return g_strdup(subject_cn); +} + #endif /* USE_GNUTLS */ Index: src/common/ssl_certificate.h =================================================================== --- src/common/ssl_certificate.h.orig +++ src/common/ssl_certificate.h 
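Review bot: In `ssl_certificate_get_subject_cn` (src/common/ssl_certificate.c, hunk at -833) the fallback `strncpy(subject_cn, _("<not in certificate>"), BUFFSIZE)` does not guarantee a terminating NUL, so `g_strdup(subject_cn)` relies on every translation staying shorter than BUFFSIZE. Any non-zero GnuTLS result, including a too-small buffer, is also reported to the user as a missing CN. Returning the fallback directly removes the bounded copy: `if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_cn, &n) != 0)` followed by `return g_strdup(_("<not in certificate>"));`. The name `ssl_certificate_check_subject_cn` is also narrower than what it does, since `gnutls_x509_crt_check_hostname` compares against subjectAltName entries as well as the CN.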
@@ -63,13 +63,13 @@ void ssl_certificate_delete_from_disk(SS char * readable_fingerprint(unsigned char *src, int len); char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status); -#ifdef USE_GNUTLS gnutls_x509_crt ssl_certificate_get_x509_from_pem_file(const gchar *file); gnutls_x509_privkey ssl_certificate_get_pkey_from_pem_file(const gchar *file); void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gchar *password, gnutls_x509_crt *crt, gnutls_x509_privkey *key); size_t gnutls_i2d_X509(gnutls_x509_crt x509_cert, unsigned char **output); size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey pkey, unsigned char **output); -#endif +gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert); +gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert); #endif /* USE_GNUTLS */ #endif /* SSL_CERTIFICATE_H */ Index: src/gtk/sslcertwindow.c =================================================================== --- src/gtk/sslcertwindow.c.orig +++ src/gtk/sslcertwindow.c @@ -284,6 +284,7 @@ static gboolean sslcert_ask_hook(gpointe } else { hookdata->accept = sslcertwindow_ask_changed_cert(hookdata->old_cert, hookdata->cert); } + return TRUE; } @@ -303,6 +304,24 @@ void sslcertwindow_show_cert(SSLCertific g_free(buf); } +static gchar *sslcertwindow_get_invalid_str(SSLCertificate *cert) +{ + gchar *subject_cn = NULL; + gchar *str = NULL; + + if (ssl_certificate_check_subject_cn(cert)) + return g_strdup(""); + + subject_cn = ssl_certificate_get_subject_cn(cert); + + str = g_strdup_printf(_("Certificate is for %s, but connection is to %s.\n" + "You may be connecting to a rogue server.\n\n"), + subject_cn, cert->host); + g_free(subject_cn); + + return str; +} + static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert) { gchar *buf, *sig_status; 
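Review bot: The two prototypes added to src/common/ssl_certificate.h have no comment stating their contract, and both are easy to misuse. I would add `/* TRUE when cert->host matches the certificate's names */` above `ssl_certificate_check_subject_cn` and `/* returns a newly allocated string; caller frees with g_free() */` above `ssl_certificate_get_subject_cn`. Neither function writes through `cert` in the lines shown in this patch, so the parameter could be `const SSLCertificate *cert` if the rest of the header follows that convention.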
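Review bot: `sslcertwindow_get_invalid_str` (hunk at -303) puts `subject_cn`, a string taken from the peer's certificate, straight into the warning text, so a certificate can influence how the warning reads, for example through embedded line breaks. Whether GnuTLS escapes such characters is not visible here, so normalising the value before formatting is a cheap safeguard, e.g. `g_strdelimit(subject_cn, "\r\n", ' ');` ahead of the `g_strdup_printf` call. The message also names only the CN, although the check it reports on accepts subjectAltName entries too, so the name shown may not be the one that was compared. A short comment that the caller owns the returned string would help, since the function returns `g_strdup("")` rather than NULL on a match.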
@@ -311,9 +330,11 @@ static gboolean sslcertwindow_ask_new_ce GtkWidget *label; GtkWidget *button; GtkWidget *cert_widget; - + gchar *invalid_str = sslcertwindow_get_invalid_str(cert); + const gchar *title; + vbox = gtk_vbox_new(FALSE, 5); - buf = g_strdup_printf(_("Certificate for %s is unknown.\nDo you want to accept it?"), cert->host); + buf = g_strdup_printf(_("Certificate for %s is unknown.\n%sDo you want to accept it?"), cert->host, invalid_str); label = gtk_label_new(buf); gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5); gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0); @@ -336,7 +357,12 @@ static gboolean sslcertwindow_ask_new_ce cert_widget = cert_presenter(cert); gtk_container_add(GTK_CONTAINER(button), cert_widget); - val = alertpanel_full(_("Unknown SSL Certificate"), NULL, + if (!ssl_certificate_check_subject_cn(cert)) + title = _("SSL certificate is invalid"); + else + title = _("SSL Certificate is unknown"); + + val = alertpanel_full(title, NULL, _("_Cancel connection"), _("_Accept and save"), NULL, FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT); @@ -351,9 +377,13 @@ static gboolean sslcertwindow_ask_expire GtkWidget *label; GtkWidget *button; GtkWidget *cert_widget; - + gchar *invalid_str = sslcertwindow_get_invalid_str(cert); + const gchar *title; + vbox = gtk_vbox_new(FALSE, 5); - buf = g_strdup_printf(_("Certificate for %s is expired.\nDo you want to continue?"), cert->host); + buf = g_strdup_printf(_("Certificate for %s is expired.\n%sDo you want to continue?"), cert->host, invalid_str); + g_free(invalid_str); + label = gtk_label_new(buf); gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5); gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0); 
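Review bot: `invalid_str` is allocated in `sslcertwindow_ask_new_cert` (hunk at -311) but none of the visible lines release it, whereas the expired and changed variants (hunks at -351 and -408) call `g_free(invalid_str);` right after building `buf`. Adding `g_free(invalid_str);` after the `g_strdup_printf` line here would match them and avoid leaking the string each time the dialog is shown. The function body continues outside the hunk, so check that no later free exists before adding one.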
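Review bot: A failed host-name check in the hunk at -336 changes only the title and message: the dialog still offers `_Accept and save`, exactly as for a merely unknown certificate, so a mismatched certificate can presumably be stored as trusted with one click. Consider offering only a non-persistent accept, or making `_Cancel connection` the default, when the name does not match. The check is also run a second time here just to pick the title, after `sslcertwindow_get_invalid_str` already ran it, and the same pattern repeats in the hunks at -377 and -431. Storing the result once, e.g. `gboolean name_ok = ssl_certificate_check_subject_cn(cert);`, keeps the message and title from disagreeing. The two titles in this hunk also differ in capitalisation ("SSL certificate" vs "SSL Certificate").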
@@ -377,7 +407,12 @@ static gboolean sslcertwindow_ask_expire cert_widget = cert_presenter(cert); gtk_container_add(GTK_CONTAINER(button), cert_widget); - val = alertpanel_full(_("Expired SSL Certificate"), NULL, + if (!ssl_certificate_check_subject_cn(cert)) + title = _("SSL certificate is invalid and expired"); + else + title = _("SSL certificate is expired"); + + val = alertpanel_full(title, NULL, _("_Cancel connection"), _("_Accept"), NULL, FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT); @@ -394,7 +429,9 @@ static gboolean sslcertwindow_ask_change GtkWidget *label; GtkWidget *button; AlertValue val; - + gchar *invalid_str = sslcertwindow_get_invalid_str(new_cert); + const gchar *title; + vbox = gtk_vbox_new(FALSE, 5); label = gtk_label_new(_("New certificate:")); gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5); @@ -408,7 +445,9 @@ static gboolean sslcertwindow_ask_change gtk_widget_show_all(vbox); vbox2 = gtk_vbox_new(FALSE, 5); - buf = g_strdup_printf(_("Certificate for %s has changed. Do you want to accept it?"), new_cert->host); + buf = g_strdup_printf(_("Certificate for %s has changed.\n%sDo you want to accept it?"), new_cert->host, invalid_str); + g_free(invalid_str); + label = gtk_label_new(buf); gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5); gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0); @@ -431,7 +470,11 @@ static gboolean sslcertwindow_ask_change gtk_box_pack_start(GTK_BOX(vbox2), button, FALSE, FALSE, 0); gtk_container_add(GTK_CONTAINER(button), vbox); - val = alertpanel_full(_("Changed SSL Certificate"), NULL, + if (!ssl_certificate_check_subject_cn(new_cert)) + title = _("SSL certificate changed and is invalid"); + else + title = _("SSL certificate changed"); + val = alertpanel_full(title, NULL, _("_Cancel connection"), _("_Accept and save"), NULL, FALSE, vbox2, ALERT_WARNING, G_ALERTDEFAULT); -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
