
Bug#1056285: marked as done (RFS: opendkim/2.11.0~beta2-9 -- DomainKeys Identified Mail (DKIM) signing and verifying milter)



Your message dated Sat, 25 Nov 2023 16:14:09 +0100
with message-id <ZWIPQZFXr9qlYjw6@isildor2.loewenhoehle.ip>
and subject line Re: Bug#1056285: RFS: opendkim/2.11.0~beta2-9 -- DomainKeys Identified Mail (DKIM) signing and verifying milter
has caused the Debian Bug report #1056285,
regarding RFS: opendkim/2.11.0~beta2-9 -- DomainKeys Identified Mail (DKIM) signing and verifying milter
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1056285: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056285
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "opendkim":

 * Package name     : opendkim
   Version          : 2.11.0~beta2-9
   Upstream contact : The Trusted Domain Project
 * URL              : http://www.opendkim.org/
 * License          : BSD-3-clause and SOSL, ISC, GPL-3+ with AutoConf exception
 * Vcs              : https://salsa.debian.org/debian/opendkim
   Section          : mail

The source builds the following binary packages:

  opendkim - DomainKeys Identified Mail (DKIM) signing and verifying milter
  opendkim-tools - utilities for administering the OpenDKIM milter
  libopendkim11 - DomainKeys Identified Mail (DKIM) library
  libopendkim-dev - DomainKeys Identified Mail (DKIM) library (development files)
  libvbr2 - Vouch By Reference (VBR) library
  libvbr-dev - Vouch By Reference (VBR) library (development files)
  librbl1 - Real-time Blacklist (RBL) query library
  librbl-dev - Real-time Blacklist (RBL) query library (development files)
  miltertest - utility for testing milter applications

To access further information about this package, please visit the following URL:

  https://mentors.debian.net/package/opendkim/

Alternatively, you can download the package with 'dget' using this command:

  dget -x https://mentors.debian.net/debian/pool/main/o/opendkim/opendkim_2.11.0~beta2-9.dsc

Changes since the last upload:

 opendkim (2.11.0~beta2-9) unstable; urgency=medium
 .
   [ David Bürgin ]
   * debian/patches: Add missing upstream bug metadata, add new patches:
     - rev-ares-deletion.patch: Delete Authentication-Results headers in
       reverse, addresses CVE-2022-48521 (Closes: #1041107).
     - ares-missing-space.patch: Add missing space in Auth-Results header.
   * Replace transitional libldap2-dev with libldap-dev in Build-Depends.
   * Remove obsolete lsb-base dependency in opendkim package.
   * Delete obsolete entries in debian/opendkim.NEWS.
 .
   [ Samuel Thibault ]
   * d/rules: Generalize hurd-i386 into hurd.

Thank you.


-- 
David

--- End Message ---
--- Begin Message ---
On Sat, Nov 25, 2023 at 03:57:37PM +0100, David Bürgin wrote:
> Control: tags -1 - moreinfo
> 
> Hello Tobi,
> 
> > A question to that: Can you elaborate a bit on the testing you have
> > done to verify that this patch indeed fixes the vulnerability?
> > (Asking, because unfortunately there is not a lot of information available
> > e.g from the upstream issue and upstream seems to be generally very
> > silent…
> 
> I developed the upstream patch, and so did do the necessary testing
> locally. You can simply prepare a crafted message containing some
> Authentication-Results headers and then see if the right ones get
> deleted.

Thanks for confirming! And thanks for fixing the issue!

> > Said that, if we have a high confidence in this patch, this fix should
> > also propagate to stable (via stable-proposed-updates) and oldstable.
> > I'm happy to sponsor such uploads.
> 
> I don’t know if I will have the energy to do a stable update, though.

Ok, fair enough. I just wanted to avoid stealing your kudos ;-)
I'll take care about stable / oldstable then ;)

> > Except the information request, this package is ready to be sponsored,
> > and I will do so once the me-being-paranoid-question has been answered
> > ;-)
> 
> Thank you for your interest!

Thanks for your contributions to Debian! (IOW uploaded)

> Ciao,
> David



--- End Message ---
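
The check described in the thread (a message carrying several Authentication-Results headers, then seeing whether the right ones get deleted) can be modelled offline. This is an added example, not code from OpenDKIM or from either message; it assumes that headers are deleted by their 1-based ordinal among same-named fields and that the remaining fields are renumbered after each deletion, and the host names and helper names are constructed.

```python
# Added illustration: a toy model of ordinal-based header deletion, not OpenDKIM code.
# Assumption: each Authentication-Results (A-R) field is addressed by its 1-based
# ordinal among fields of that name, and ordinals shift after every deletion.
AR = "authentication-results"

# Constructed sample message: two incoming A-R fields claim our own authserv-id
# (they must be stripped), one belongs to another host (it must be kept).
MESSAGE = [
    ("Authentication-Results", "mx.example.org; dkim=pass header.d=example.com"),
    ("Authentication-Results", "mx.example.org; spf=pass smtp.mailfrom=example.com"),
    ("Authentication-Results", "other.example.net; dkim=none"),
    ("From", "sender@example.com"),
    ("Subject", "constructed test message"),
]

def delete_nth(headers, name, ordinal):
    """Remove the ordinal-th (1-based) field called `name`; later ones move up."""
    seen = 0
    for pos, (field, _) in enumerate(headers):
        if field.lower() == name:
            seen += 1
            if seen == ordinal:
                return headers[:pos] + headers[pos + 1:]
    return headers  # that ordinal no longer exists, nothing is removed

def ordinals_to_strip(headers, own_id):
    """Ordinals of the A-R fields whose authserv-id equals our own."""
    ordinals, seen = [], 0
    for field, value in headers:
        if field.lower() == AR:
            seen += 1
            if value.split(";")[0].strip().lower() == own_id:
                ordinals.append(seen)
    return ordinals

def strip_own(headers, own_id, reverse):
    """Delete the collected ordinals one by one, ascending or descending."""
    for n in sorted(ordinals_to_strip(headers, own_id), reverse=reverse):
        headers = delete_nth(headers, AR, n)
    return headers

def remaining_ar(headers):
    return [value for field, value in headers if field.lower() == AR]

if __name__ == "__main__":
    for label, rev in (("forward", False), ("reverse", True)):
        print(label, remaining_ar(strip_own(MESSAGE, "mx.example.org", rev)))
```

In this model the ascending pass leaves one `mx.example.org` field in place and removes the `other.example.net` field instead, while the descending pass removes exactly the two intended fields.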