Bug#931126: unblock: enigmail/2:2.0.11+ds1-2
Control: tags -1 + moreinfo

On Sat, 2019-07-20 at 23:43 -0400, Daniel Kahn Gillmor wrote:
> On Sat 2019-07-20 21:41:12 -0300, Jonathan Wiltshire wrote:
> > Hi,
> >
> > On Mon, Jul 01, 2019 at 01:21:22PM -0400, Daniel Kahn Gillmor wrote:
> > > On Sun 2019-06-30 20:01:21 +0200, Paul Gevers wrote:
> > > > The time for unblocks for buster has come and gone. The deadline was
> > > > last Tuesday, we are now in deep freeze and we were not able to process
> > > > your unblock request and give it an exception. I assume this should be
> > > > fixed via the security archive, please confirm that (and I'll fix this
> > > > bug's metadata). Otherwise I propose you prepare a stable release update
> > > > targeting buster, such that this can be fixed in the first point release.
> > >
> > > I'm fine with this going through either security or the first buster
> > > point release. So yes, Paul, if you can update this issue to be treated
> > > as a security issue, that would be great.
> >
> > Would you prefer to do this as a security upload (in which case this
> > unblock bug should be closed) or as a no-dsa (we will repurpose it for a
> > p-u)?
>
> At this point, given the upstream changes and the issues with the SKS
> keyserver network, I think we should aim to import 2.0.12 into
> buster, not 2.0.11.
>
> I would love it if someone else wants to step up and help with this.
> I'm currently working on an update to GnuPG for buster, and have not
> had time yet to do the 2.0.12 upload for Buster (either as a security
> or point release).

Tagging as moreinfo for now, until there's a definite plan and diff either way.

Regards,

Adam
Bug#931126: unblock: enigmail/2:2.0.11+ds1-2
On Sat 2019-07-20 21:41:12 -0300, Jonathan Wiltshire wrote:
> Hi,
>
> On Mon, Jul 01, 2019 at 01:21:22PM -0400, Daniel Kahn Gillmor wrote:
>> On Sun 2019-06-30 20:01:21 +0200, Paul Gevers wrote:
>> > The time for unblocks for buster has come and gone. The deadline was
>> > last Tuesday, we are now in deep freeze and we were not able to process
>> > your unblock request and give it an exception. I assume this should be
>> > fixed via the security archive, please confirm that (and I'll fix this
>> > bug's metadata). Otherwise I propose you prepare a stable release update
>> > targeting buster, such that this can be fixed in the first point release.
>>
>> I'm fine with this going through either security or the first buster
>> point release. So yes, Paul, if you can update this issue to be treated
>> as a security issue, that would be great.
>
> Would you prefer to do this as a security upload (in which case this
> unblock bug should be closed) or as a no-dsa (we will repurpose it for a
> p-u)?

At this point, given the upstream changes and the issues with the SKS
keyserver network, I think we should aim to import 2.0.12 into buster,
not 2.0.11.

I would love it if someone else wants to step up and help with this.
I'm currently working on an update to GnuPG for buster, and have not
had time yet to do the 2.0.12 upload for Buster (either as a security
or point release).

--dkg
Bug#931126: unblock: enigmail/2:2.0.11+ds1-2
Hi,

On Mon, Jul 01, 2019 at 01:21:22PM -0400, Daniel Kahn Gillmor wrote:
> On Sun 2019-06-30 20:01:21 +0200, Paul Gevers wrote:
> > The time for unblocks for buster has come and gone. The deadline was
> > last Tuesday, we are now in deep freeze and we were not able to process
> > your unblock request and give it an exception. I assume this should be
> > fixed via the security archive, please confirm that (and I'll fix this
> > bug's metadata). Otherwise I propose you prepare a stable release update
> > targeting buster, such that this can be fixed in the first point release.
>
> I'm fine with this going through either security or the first buster
> point release. So yes, Paul, if you can update this issue to be treated
> as a security issue, that would be great.

Would you prefer to do this as a security upload (in which case this
unblock bug should be closed) or as a no-dsa (we will repurpose it for a
p-u)?

Thanks,

--
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug#931126: unblock: enigmail/2:2.0.11+ds1-2
On Sun 2019-06-30 20:01:21 +0200, Paul Gevers wrote:
> The time for unblocks for buster has come and gone. The deadline was
> last Tuesday, we are now in deep freeze and we were not able to process
> your unblock request and give it an exception. I assume this should be
> fixed via the security archive, please confirm that (and I'll fix this
> bug's metadata). Otherwise I propose you prepare a stable release update
> targeting buster, such that this can be fixed in the first point release.

I'm fine with this going through either security or the first buster
point release. So yes, Paul, if you can update this issue to be treated
as a security issue, that would be great.

Thank you for your work on the release.

--dkg
Bug#931126: unblock: enigmail/2:2.0.11+ds1-2
Control: tags -1 moreinfo

Hi Daniel,

On 26-06-2019 19:13, Daniel Kahn Gillmor wrote:
> Please unblock package enigmail
>
> enigmail 2:2.0.11+ds1-2 includes several usability and security fixes
> from upstream, including a fix for CVE-2019-12269 (debian bug #929363).
>
> The debdiff is attached.
>
> unblock enigmail/2:2.0.11+ds1-2
>
> About half of this bulky debdiff is upstream fixes to the test suite,
> which has been improved; this is useful for our own testing, and it
> should have no effect on the functionality of the package.
>
> Some of the code in debian/patches is also obsolete thanks to the new
> upstream version. In particular,
> debian/patches/0005-avoid-OpenPGP.js-during-key-file-import.patch is now
> much simpler -- it now rips out a chunk of unusable code (that
> references OpenPGP.js, see #787774) and doesn't need to add very much,
> because of adoption of the same gpg-based strategy by upstream.
>
> Thanks for your work on fine-tuning the debian Buster release!

The time for unblocks for buster has come and gone. The deadline was
last Tuesday, we are now in deep freeze and we were not able to process
your unblock request and give it an exception. I assume this should be
fixed via the security archive, please confirm that (and I'll fix this
bug's metadata). Otherwise I propose you prepare a stable release update
targeting buster, such that this can be fixed in the first point release.

Paul
Bug#931126: unblock: enigmail/2:2.0.11+ds1-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Control: affects -1 src:enigmail X-debbugs-cc: Salvatore Bonaccorso , Moritz Mühlenhoff Please unblock package enigmail enigmail 2:2.0.11+ds1-2 includes several usability and security fixes from upstream, including a fix for CVE-2019-12269 (debian bug #929363). The debdiff is attached. unblock enigmail/2:2.0.11+ds1-2 About half of this bulky debdiff is upstream fixes to the test suite, which has been improved; this is useful for our own testing, and it should have no effect on the functionality of the package. Some of the code in debian/patches is also obsolete thanks to the new upstream version. In particular, debian/patches/0005-avoid-OpenPGP.js-during-key-file-import.patch is now much simpler -- it now rips out a chunk of unusable code (that references OpenPGP.js, see #787774) and doesn't need to add very much, because of adoption of the same gpg-based strategy by upstream. Thanks for your work on fine-tuning the debian Buster release! --dkg diff --git enigmail-2:2.0.10+ds1-1/configure.ac enigmail-2:2.0.11+ds1-2/configure.ac index 4db7ecc57..e64eff0c1 100644 --- enigmail-2:2.0.10+ds1-1/configure.ac +++ enigmail-2:2.0.11+ds1-2/configure.ac @@ -2,7 +2,7 @@ AC_PREREQ(2.61) min_automake_version="1.10" -AC_INIT([enigmail],[2.0.10], [https://www.enigmail.net]) +AC_INIT([enigmail],[2.0.11], [https://www.enigmail.net]) AC_PATH_PROG(PYTHON, "python2") diff --git enigmail-2:2.0.10+ds1-1/debian/changelog enigmail-2:2.0.11+ds1-2/debian/changelog index 5baba4f74..234181b12 100644 --- enigmail-2:2.0.10+ds1-1/debian/changelog +++ enigmail-2:2.0.11+ds1-2/debian/changelog 
@@ -1,3 +1,17 @@ +enigmail (2:2.0.11+ds1-2) unstable; urgency=medium + + * minimize legacy-display protected headers for encrypted mails + + -- Daniel Kahn Gillmor Thu, 30 May 2019 15:40:57 -0400 + +enigmail (2:2.0.11+ds1-1) unstable; urgency=medium + + * new upstream release + * refresh patches + * use the older import-show with --dry-run instead of show-only + + -- Daniel Kahn Gillmor Thu, 23 May 2019 17:06:35 -0400 + enigmail (2:2.0.10+ds1-1) unstable; urgency=medium * new upstream release diff --git enigmail-2:2.0.10+ds1-1/debian/patches/0005-avoid-OpenPGP.js-during-key-file-import.patch enigmail-2:2.0.11+ds1-2/debian/patches/0005-avoid-OpenPGP.js-during-key-file-import.patch index 4496a5ce1..a52cf709a 100644 --- enigmail-2:2.0.10+ds1-1/debian/patches/0005-avoid-OpenPGP.js-during-key-file-import.patch +++ enigmail-2:2.0.11+ds1-2/debian/patches/0005-avoid-OpenPGP.js-during-key-file-import.patch @@ -7,15 +7,18 @@ contingent on GnuPG's mechanisms for reporting standalone revocation certs: https://dev.gnupg.org/T4018 + +This means we depend on a more recent version (or a patched version) +of GnuPG than upstream enigmail does. --- - package/key.jsm | 92 +++-- - 1 file changed, 57 insertions(+), 35 deletions(-) + package/key.jsm | 58 ++--- + 1 file changed, 2 insertions(+), 56 deletions(-) diff --git a/package/key.jsm b/package/key.jsm -index f7976dc..85572cc 100644 +index 0b4a0ef..565273f 100644 --- a/package/key.jsm +++ b/package/key.jsm -@@ -128,7 +128,8 @@ var EnigmailKey = { +@@ -137,7 +137,8 @@ var EnigmailKey = { * - id (key ID) * - fpr * - name (the UID of the key) 
@@ -24,106 +27,66 @@ index f7976dc..85572cc 100644 + * - revoke? (boolean, true if contains a revocation cert, undefined is the same as false) */ getKeyListFromKeyBlock: function(keyBlockStr, errorMsgObj, interactive = true) { - EnigmailLog.DEBUG("key.jsm: getKeyListFromKeyBlock\n"); -@@ -148,46 +149,67 @@ var EnigmailKey = { - - let keyList = []; + EnigmailLog.DEBUG("key.jsm: getKeyListFromKeyBlock()\n"); +@@ -150,61 +151,6 @@ var EnigmailKey = { + let keyList = getGpgKeyData(keyBlockStr); let key = {}; --for (let b of blocks) { -- let m = EnigmailOpenPGP.openpgp.message.readArmored(b); + +-if (keyList.length === 0) { +- EnigmailLog.DEBUG("key.jsm: getKeyListFromKeyBlock: no data from GnuPG\n"); +- if (keyBlockStr.search(/-BEGIN PGP (PUBLIC|PRIVATE) KEY BLOCK-/) >= 0) { +-blocks = this.splitArmoredBlocks(keyBlockStr); +- } else { +-isBinary = true; +-blocks = [EnigmailOpenPGP.enigmailFuncs.bytesToArmor(EnigmailOpenPGP.openpgp.enums.armor.public_key, keyBlockStr)]; +- } - -- for (let i = 0; i < m.packets.length; i++) { --let packetType = EnigmailOpenPGP.openpgp.enums.read(EnigmailOpenPGP.openpgp.enums.packet, m.packets[i].tag); --switch (packetType) { -- case "publicKey": -- case "secretKey": --key = { -- id: m.packets[i].getKeyId().toHex().toUpperCase(), -- fpr:
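
Review bot: In the debian/changelog hunk, the 2:2.0.11+ds1-1 entry says only "new upstream release" and neither changelog entry names CVE-2019-12269 or closes #929363, although the unblock request gives that fix as a reason for the upload. Naming the CVE and adding "Closes: #929363" to the entry that brings in the upstream release would let the fix be traced from the changelog alone.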
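
Review bot: In the header of debian/patches/0005-avoid-OpenPGP.js-during-key-file-import.patch, the added sentence "This means we depend on a more recent version (or a patched version) of GnuPG than upstream enigmail does" names neither a version nor the patch it relies on. State the minimum GnuPG version, or the specific patch tied to https://dev.gnupg.org/T4018, and check that debian/control carries a matching versioned dependency; no debian/control change appears in the visible part of this debdiff.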
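
Review bot: In the package/key.jsm hunk of the refreshed patch, the removed "if (keyList.length === 0)" branch is the only visible handling of getGpgKeyData(keyBlockStr) returning no keys (its debug line reads "no data from GnuPG"). With the OpenPGP.js fallback gone, confirm that the code that remains reports the empty result through errorMsgObj instead of returning an empty list silently, and add a test for key material that GnuPG cannot list.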