Bug#802331: jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-1

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 802331@bugs.debian.org
Subject: Bug#802331: jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-1
From: Ondřej Surý <ondrej@debian.org>
Date: Thu, 24 Mar 2016 22:40:37 +0100
Message-id: <[🔎] 1458855637.757356.559003562.17608D8D@webmail.messagingengine.com>
Reply-to: Ondřej Surý <ondrej@debian.org>, 802331@bugs.debian.org
In-reply-to: <[🔎] 1458852754.2441.65.camel@adam-barratt.org.uk>
References: <20151019151252.55968.18447.reportbug@lettie.labs.nic.cz> <1b69be4e5fabd63fc8e3ce367853353f@mail.adam-barratt.org.uk> <1445416009.1023368.416091057.381396DE@webmail.messagingengine.com> <1454343563.3378793.508594378.0B44AD7F@webmail.messagingengine.com> <1454531586.20539.8.camel@adam-barratt.org.uk> <[🔎] 1458766953.2441.28.camel@adam-barratt.org.uk> <[🔎] 1458810912.3462796.558342146.3472ED6B@webmail.messagingengine.com> <1458810972.3463168.558381386.6895DA39@webmail.messagingengine.com> <[🔎] 1458849075.2441.53.camel@adam-barratt.org.uk> <[🔎] 1458850492.739614.558943170.5E56B0C4@webmail.messagingengine.com> <[🔎] 1458851038.2441.58.camel@adam-barratt.org.uk> <[🔎] 1458851614.743369.558966506.18CD005F@webmail.messagingengine.com> <[🔎] 1458852754.2441.65.camel@adam-barratt.org.uk>

On Thu, Mar 24, 2016, at 21:52, Adam D. Barratt wrote:
> On Thu, 2016-03-24 at 21:33 +0100, Ondřej Surý wrote:
> > On Thu, Mar 24, 2016, at 21:23, Adam D. Barratt wrote:
> > > On Thu, 2016-03-24 at 21:14 +0100, Ondřej Surý wrote:
> > > > On Thu, Mar 24, 2016, at 20:51, Adam D. Barratt wrote:
> > > > > On Thu, 2016-03-24 at 10:16 +0100, Ondřej Surý wrote:
> > > > > > And the patches...
> > > > > 
> > > > > Thanks.
> > > > > 
> > > > > While I'm generally more comfortable (happier's not really the right
> > > > > word) with the changes, it looks like some of the changes aren't applied
> > > > > in unstable - particularly the disabling of TLS compression and the
> > > > > fixes for the CVEs; is that correct, or am I missing something?
> > > > 
> > > > Hmm, I though that 2.4.18 upstream version included both, which is true
> > > > for TLS-configuration.patch, CVE-2011-3208.patch and
> > > > CVE-2015-8076.patch, but it looks like CVE-2015-8077.patch and
> > > > CVE-2015-8078.patch:
> > > 
> > > In terms of the TLS changes, the 2.4.18 currently in unstable appears to
> > > include the compression disabling in imtest/imtest.c but not the changes
> > > in imap/tls.c afaict.
> > 
> > $ patch -p1 --dry-run -i /tmp/TLS-configuration.patch 
> > checking file imap/tls.c
> > Reversed (or previously applied) patch detected!  Assume -R? [n] 
> > Apply anyway? [n] 
> > Skipping patch.
> > 6 out of 6 hunks ignored
> > checking file lib/imapoptions
> > Reversed (or previously applied) patch detected!  Assume -R? [n] 
> > Apply anyway? [n] 
> > Skipping patch.
> > 2 out of 2 hunks ignored
> > 
> > Or do you have anything else on mind and I just can't see it?
> 
> I was looking at cyrus-tls-1.2.patch, which includes some compression
> changes. Unstable has
> 
>  lib/imclient.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> whereas the equivalently named patch in your jessie upload touches
> imclient.c, imtest.c and tls.c. Similarly:
> 
> adsb@franck:~/cyrus-imapd-2.4-2.4.18$ grep -ir NO_COMPRESSION .
> ./debian/patches/0032-cyrus-tls-1.2.patch:+    off |=
> SSL_OP_NO_COMPRESSION;    /* Disable TLS compression */
> ./lib/prot.c:           zlevel = Z_NO_COMPRESSION;
> ./lib/imclient.c:    off |= SSL_OP_NO_COMPRESSION;      /* Disable TLS
> compression */
> 
> against:
> 
> $ zgrep NO_COMPRESSION
> /srv/release.debian.org/www/proposed-updates/jessie_diffs/cyrus-imapd-2.4_2.4.17+nocaldav-0~deb8u1.debdiff.gz 
> +     off |= SSL_OP_NO_COMPRESSION;     /* Disable TLS compression */
> ++    off |= SSL_OP_NO_COMPRESSION;     /* Disable TLS compression */
> ++    off |= SSL_OP_NO_COMPRESSION;     /* Disable TLS compression */
> ++    off |= SSL_OP_NO_COMPRESSION;     /* Disable TLS compression */
> ++    off |= SSL_OP_NO_COMPRESSION;     /* Disable TLS compression */

This should not be strictly needed as 2.4.18 has new option
'tls_compression' that's disabled by default, but I have restored that
part of the patch anyway.

(Also I am not that sure that BEAST/CRIME/BREACH attacks apply to IMAP
as well, but better be safe then sorry...)

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

Reply to:

Follow-Ups:
- Bug#802331: jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

References:
- Bug#802331: jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Bug#802331: jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-1
  - From: Ondřej Surý <ondrej@debian.org>
- Bug#802331: jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Bug#802331: jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-1
  - From: Ondřej Surý <ondrej@debian.org>
- Bug#802331: jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Bug#802331: jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-1
  - From: Ondřej Surý <ondrej@debian.org>
- Bug#802331: jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Bug#818615: jessie-pu: package gtk+2.0
Next by Date: Bug#802331: jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-1
Previous by thread: Bug#802331: jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-1
Next by thread: Bug#802331: jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-1
Index(es):
- Date
- Thread