Bug#629350: [pkg-kolab] Bug#629350: STARTTLS vulnerability in kolab-cyrus-imapd

2011-06-09 Thread Ondřej Surý
On Thu, Jun 9, 2011 at 00:10, Mathieu Parent math.par...@gmail.com wrote:
 2011/6/8 Moritz Muehlenhoff j...@inutil.org:
 ...
 Why is kolab-cyrus-imapd a separate source package? Can we fix it for Wheezy
 to be built from a unified source package, i.e. a separate build target which
 applies the seven Kolab patches?

 Yes, this is the way to go.

 Those 7 patches are not synced with upstream Kolab.

 [...]

 After those two, kolabd can
 depend on cyrus-imapd-2.4 and kolab-cyrus-imapd can be dropped. A
 README.kolab may be included in the cyrus-imapd package to list the
 not-applied patches.

I don't think that's what Moritz had in mind (although it would be
nice to have it).

The way to go now would be to override dh_auto_configure/build/install
to build the cyrus-imapd-2.x twice - once without kolab patches and
second time with them.

I'll try what I can do, but I'll need help from kolab team.

O.
-- 
Ondřej Surý ond...@sury.org



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#629350: [pkg-kolab] Bug#629350: STARTTLS vulnerability in kolab-cyrus-imapd

2011-06-08 Thread Moritz Muehlenhoff
On Sun, Jun 05, 2011 at 11:30:03PM +0200, Mathieu Parent wrote:
 2011/6/5 Ondřej Surý ond...@sury.org:
  Hi,
 
  I have just realized that the same STARTTLS bug affects
  kolab-cyrus-imapd as well.
 
  Ccing Security team, so they can keep track of the security vulnerability.
 
  You can find the patch in pkg-cyrus-imapd/cyrus-imapd-2.2 git
  repository (on alioth) or in cyrus-imapd-2.2 package sources.
 
  I would suggest to fix Berkeley DB in one go, since otherwise the bug
  will prevent building the packager and migration of fixed package to
  testing.
 
  If you don't have time, please ping me, I'll prepare security
  uploads and fixes for unstable.
 
 Ping.
 
 Sorry to be so busy these days.

Why is kolab-cyrus-imapd a separate source package? Can we fix it for Wheezy 
to be built from a unified source package, i.e. a separate build target which 
applies the seven Kolab patches?

Cheers,
Moritz






Bug#629350: [pkg-kolab] Bug#629350: STARTTLS vulnerability in kolab-cyrus-imapd

2011-06-08 Thread Mathieu Parent
2011/6/8 Moritz Muehlenhoff j...@inutil.org:
...
 Why is kolab-cyrus-imapd a separate source package? Can we fix it for Wheezy
 to be built from a unified source package, i.e. a separate build target which
 applies the seven Kolab patches?

Yes, this is the way to go.

Those 7 patches are not synced with upstream Kolab.

Upstream Kolab uses 7 patches (see
http://git.kolab.org/server/tree/imapd/patches and
https://wiki.kolab.org/Kolab-major-app-patches), sorted by priority:

KOLAB_cyrus-imapd-2.3.16_Cyradm_Annotations.patch: This is merged in 2.4.
KOLAB_cyrus-imapd-2.3.16_Groups2.patch: Blocker, but this can be
reworked on the Kolab side to use pts/ldap.
KOLAB_cyrus-imapd-2.3.16_cross-domain-acls.patch: Blocker when using
multidomain. Work needed.
KOLAB_cyrus-imapd-2.3.16_UID.patch: Allows logging in via uid instead
of mail. Probably not a blocker.
KOLAB_cyrus-imapd-2.3.16_Folder-names.patch: Modifies the set of
accepted characters in folder names for the cyrus imapd server
[Version: 2.3.9] = Some work is needed to integrate upstream,
probably easy for people knowing the cyrus imapd code. Not a blocker.
KOLAB_cyrus-imapd-2.3.16_Logging.patch: Not a blocker.
KOLAB_cyrus-imapd-2.3.16_timsieved_starttls-sendcaps.patch: don't know
the status. Not a blocker IMO

Work should first go to replace Groups2.patch with a pts/ldap config
(notify on https://issues.kolab.org/merge6 if you plan to work on
this) and integrate crossdomain acls (maybe the patch can be
integrated as-is in the Debian package?). After those two, kolabd can
depend on cyrus-imapd-2.4 and kolab-cyrus-imapd can be dropped. A
README.kolab may be included in the cyrus-imapd package to list the
not-applied patches.

Regards

-- 
Mathieu






Bug#629350: [pkg-kolab] Bug#629350: STARTTLS vulnerability in kolab-cyrus-imapd

2011-06-06 Thread Ondřej Surý
2011/6/5 Mathieu Parent math.par...@gmail.com:
 2011/6/5 Ondřej Surý ond...@sury.org:
 Hi,

 I have just realized that the same STARTTLS bug affects
 kolab-cyrus-imapd as well.

 Ccing Security team, so they can keep track of the security vulnerability.

 You can find the patch in pkg-cyrus-imapd/cyrus-imapd-2.2 git
 repository (on alioth) or in cyrus-imapd-2.2 package sources.

 I would suggest to fix Berkeley DB in one go, since otherwise the bug
 will prevent building the packager and migration of fixed package to
 testing.

 If you don't have time, please ping me, I'll prepare security
 uploads and fixes for unstable.

 Ping.

:)

 Sorry to be so busy these days.

No problem, we all are sometimes. I just happen to have some time for
Debian now, so I'll take care of it.

O.
-- 
Ondřej Surý ond...@sury.org






Bug#629350: [pkg-kolab] Bug#629350: STARTTLS vulnerability in kolab-cyrus-imapd

2011-06-05 Thread Mathieu Parent
2011/6/5 Ondřej Surý ond...@sury.org:
 Hi,

 I have just realized that the same STARTTLS bug affects
 kolab-cyrus-imapd as well.

 Ccing Security team, so they can keep track of the security vulnerability.

 You can find the patch in pkg-cyrus-imapd/cyrus-imapd-2.2 git
 repository (on alioth) or in cyrus-imapd-2.2 package sources.

 I would suggest to fix Berkeley DB in one go, since otherwise the bug
 will prevent building the packager and migration of fixed package to
 testing.

 If you don't have time, please ping me, I'll prepare security
 uploads and fixes for unstable.

Ping.

Sorry to be so busy these days.

Regards
-- 
Mathieu


