On Thu, 11 Sep 2014 11:40:15 -0700 ∅ <carsrcoffin...@yahoo.com> wrote:
> Could you all verify that this problem is solved, so we can get an SRU
> going? We need to act fast!
>
> wxl
>
>
> ---------- Forwarded message ----------
> From: Julien Lavergne <julien.laver...@gmail.com>
> Date: Thu, Sep 11, 2014 at 6:15 AM
> Subject: [Bug 1301274] Re: SSL validation problem (or sync Sylpheed
> from Debian sid)
> To: carsrcoffin...@yahoo.com
>
>
> As this update should fix a security issue, I would be glad if someone
> from the security team could check this update, to see if the issue is
> really fixed.
> I also ask for people to help in the testing, to validate the SRU.
>
> --
> You received this bug notification because you are a member of Lubuntu
> Packages Team, which is subscribed to sylpheed in Ubuntu.
> https://bugs.launchpad.net/bugs/1301274
>
> Title:
> SSL validation problem (or sync Sylpheed from Debian sid)
>
> Status in “sylpheed” package in Ubuntu:
> Fix Released
> Status in “sylpheed” source package in Trusty:
> Fix Committed
>
> Bug description:
> SRU statement :
> [Impact]
>
> * Actual sylpheed has 2 major issues :
> - Security problem (SSL certificate validation)
> - Losing mail using POP3
>
> The problem is that the security fix is separated into several
> commits, so it's not easy and secure to cherry-pick commits, and maybe
> other commits that could be necessary and not labeled « SSL fix ».
>
> So, the easiest and more secure way to fix this is to take the whole
> upstream release. It will also fix the other major issue.
>
> Since 3.4.0 beta7 (included in trusty), the changelog to 3.4.1 is :
>
> Mac OS X support was improved.
> SSL certificate hostname is validated now (#167).
> The Japanese manual was modified so that IE correctly detect its
> character encoding.
> The rightmost column of folder view and summary view became easier to
> resize.
> Appropriate columns of folder view, summary view, etc. are
> auto-expanded by window resize when using GTK+ 2.14 or later.
> The initial setup dialog is now resizable.
> PGP encrypt-to-self feature was added.
> The display period of notification window became configurable.
> Win32: OpenSSL was updated to 0.9.8y.
> Win32: libpng was updated to 1.2.51.
>
> SSL wildcard certificate is also validated now (#167).
> The compile error with OpenSSL disabled was fixed.
>
> This release fixes an important bug that would lose mails when local
> mailbox was inaccessible on POP3 receiving.
>
> The other fixes are minimal when you compare to the 2 major fixes +
> the risk to miss something by cherry-picking commits.
>
> [Test Case]
> Detail of the security issue is described on the upstream bug
> tracker : http://sylpheed.sraoss.jp/redmine/issues/167
> Since it's a security issue, it's not really easy to reproduce.
>
> Also, details about the loss of email are on upstream bug tracker
> http://sylpheed.sraoss.jp/redmine/issues/193
>
>
> [Regression Potential]
>
> I can't see any regressions. The fixes are upstream since quite some
> time, and there is no new releases fixing again those issues (so I
> assume the actual fixes are good).
>
> Changelog :
> sylpheed (3.4.1-0ubuntu0.1) trusty-proposed; urgency=medium
>
> * New upstream release
> - Fix SSL validation (LP: #1301274).
> - Fix losing mails when local mailbox is inaccessible on POP3 receiving.
>
> -- Julien Lavergne <gi...@ubuntu.com> Fri, 16 May 2014 15:29:20
> +0200
>
> Debdiff is attached.
>
> Original report :
> Hello,
>
> Ubuntu 14.04 LTS Trusty Tahr currently only has the old Sylpheed 3.4
> beta 7:
>
> http://packages.ubuntu.com/trusty/sylpheed
>
> whereas Debian sid has the new Sylpheed 3.4 stable:
>
> https://packages.debian.org/sid/sylpheed
>
> The new Sylpheed 3.4 stable also has a security fix that Sylpheed 3.4
> beta 7 does not have, see:
>
> http://sylpheed.sraoss.jp/redmine/issues/167
>
> So, please update the package in Ubuntu 14.04 LTS Trusty Tahr, so that
> it will have the new Sylpheed 3.4 stable as well.
>
> The changelog of Sylpheed is available over there:
>
> http://sylpheed.sraoss.jp/en/news.html
>
> It would be much appreciated.
>
> Regards
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/sylpheed/+bug/1301274/+subscriptions
>
> --
> Mailing list: https://launchpad.net/~lubuntu-qa
> Post to : lubuntu-qa@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~lubuntu-qa
> More help : https://help.launchpad.net/ListHelp

How exactly do I test this? Don't I need to have an SSL certificate that
is signed? The upstream report doesn't make clear what own domain is. Am I
testing that someone can't have an SSL certificate for my site that is
valid and then can decrypt my emails in transit as I receive them on that
end? I don't have a valid SSL cert.

--
brendanperrine <walteror...@gmail.com>
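
The changelog quoted above says the certificate hostname, including wildcard names, is now validated. As an added illustration of what such a check compares (this is not Sylpheed's code and not from either poster), the C example below matches a certificate name against the server host; the RFC 6125-style wildcard rules it applies and all host names are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated DNS names. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;   /* equal only if both strings ended together */
}

/* Return 1 if certificate name `pattern` covers `host`, else 0. */
int cert_name_matches(const char *pattern, const char *host)
{
    const char *suffix, *first_dot;
    if (!pattern || !host || !*pattern || !*host)
        return 0;
    if (strchr(pattern, '*') == NULL)            /* plain name: whole-string match */
        return eq_nocase(pattern, host);
    /* Assumed rule: '*' is accepted only as the complete left-most label. */
    if (pattern[0] != '*' || pattern[1] != '.' || strchr(pattern + 1, '*'))
        return 0;
    suffix = pattern + 1;                        /* e.g. ".example.net" */
    if (strchr(suffix + 1, '.') == NULL)         /* refuse names like "*.net" */
        return 0;
    first_dot = strchr(host, '.');
    if (first_dot == NULL || first_dot == host)  /* '*' stands for one non-empty label */
        return 0;
    return eq_nocase(first_dot, suffix);
}

int main(void)
{
    /* Constructed host names, not taken from the bug report. */
    const char *hosts[] = { "imap.example.net", "a.b.example.net", "example.net" };
    for (size_t i = 0; i < 3; i++)
        printf("%-18s %s\n", hosts[i],
               cert_name_matches("*.example.net", hosts[i]) ? "accept" : "reject");
    return 0;
}
```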