Your message dated Sat, 14 Mar 2020 18:48:51 +0000
with message-id <[email protected]>
and subject line Bug#950411: fixed in mew 1:6.8-4+deb10u1
has caused the Debian Bug report #950411,
regarding mew: does not validate server certificate subject
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
950411: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950411
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mew
Version: 1:6.8-4
Severity: important
Tags: security patch fixed-upstream
Forwarded: https://github.com/kazu-yamamoto/Mew/pull/133
Control: found -1 1:6.7-4
Control: fixed -1 1:6.8-6

It was discovered that Mew, a mail reader in Emacs, performs
insufficient validation of SSL/TLS certificates, which may lead to
man-in-the-middle attacks.

cf. https://github.com/kazu-yamamoto/Mew/pull/133
> Support checkHost for stunnel 5.15 #133
>
> This patch will check the peer certificate subject when
> mew-ssl-verify-level is non-zero with stunnel >=5.15 and
> OpenSSL >=1.0.2.
>
> cf. https://www.stunnel.org/NEWS.html
>
>     Version 5.21, 2015.07.27, urgency: MEDIUM
>
>         More elaborate descriptions were added to the warning about
>         using "verify = 2" without "checkHost" or "checkIP".
>
>     Version 5.15, 2015.04.16, urgency: LOW
>
>         Added new service-level options "checkHost", "checkEmail" and
>         "checkIP" for additional checks of the peer certificate subject.
>         These options require OpenSSL version 1.0.2 or higher.

Note that the checkHost option of stunnel can be enabled by the
user configuration.

e.g.
    (setq mew-ssl-cert-directory "/etc/ssl/certs\ncheckHost=.example.net")

However, it should be automatically enabled.  Patch attached.

Thanks,
--
Tatsuya Kinoshita
Subject: Enable checkHost for stunnel
Origin: upstream, https://github.com/kazu-yamamoto/Mew/commit/8de0a1398f10d0e8da29ce91ec22af17430c0004
Bug: https://github.com/kazu-yamamoto/Mew/pull/133

--- a/mew-ssl.el
+++ b/mew-ssl.el
@@ -106,6 +106,8 @@ insert no extra text.")
 	(insert "client=yes\n")
 	(insert "pid=\n")
 	(insert (format "verify=%d\n" (mew-ssl-verify-level case)))
+	(if (> (mew-ssl-verify-level case) 0)
+	    (insert (format "checkHost=%s\n" server)))
 	(insert "foreground=yes\n")
 	(insert "debug=debug\n")
 	(if (and mew-ssl-libwrap (or (>= mew-ssl-ver 5) (>= mew-ssl-minor-ver 45)))
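Review bot: the new checkHost line has no stunnel version gate, although the libwrap line just below it already branches on `(or (>= mew-ssl-ver 5) (>= mew-ssl-minor-ver 45))` and the quoted upstream NEWS says checkHost only exists in stunnel >= 5.15 built against OpenSSL >= 1.0.2; on an older stunnel the option is unknown and the generated config will not load, so gate the insert on the same version variables (and bind `(mew-ssl-verify-level case)` once with `let` instead of calling it twice). Separately, `server` is interpolated verbatim into `checkHost=%s`: if the configured server is an IP literal, stunnel's checkHost compares against DNS-name subjects and the right option is checkIP, so either branch on the form of `server` or document that checkHost is only emitted for host names.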

Attachment: pgpo4lhhyvzhi.pgp
Description: PGP signature


--- End Message ---
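The report above boils down to one configuration pattern: an stunnel client section with verify>0 but no checkHost/checkIP/checkEmail accepts any certificate from a trusted CA for any server. As an added example (not Mew's code and not part of the bug report), the script below parses an stunnel config the way stunnel reads it, global options first and then one section per service, and flags every service that validates the chain without pinning the peer subject, plus a checkHost whose value is an IP literal (stunnel's checkIP is the option for that case). The sample config is constructed: the global lines mirror what the hunk writes (client=yes, pid=, verify=N, foreground=yes, debug=debug); the CAfile line, section names and accept=/connect= lines are assumed for illustration, and the example assumes, as stunnel documents, that service-level options set before the first section act as defaults for every service.

```python
"""Audit an stunnel client configuration for missing peer-subject checks.

Added example, not part of Mew or the Debian bug report.  Reports every
service that sets a non-zero "verify" level without also pinning the peer
certificate subject via checkHost / checkIP / checkEmail, which is the gap
described in #950411: the chain is validated, but any certificate issued by
a trusted CA is accepted for any server.
"""
import ipaddress
import re

SUBJECT_CHECK_KEYS = ("checkHost", "checkIP", "checkEmail")

# Constructed sample.  Global part as the hunk writes it; the CAfile line and
# the service sections (names, accept=, connect=) are assumed, not Mew's.
# [imap-unpinned] is the shape of what mew 1:6.8-4 produced before the fix.
SAMPLE_CONFIG = """\
client=yes
pid=
verify=2
foreground=yes
debug=debug
CAfile=/etc/ssl/certs/ca-certificates.crt

[imap-unpinned]
accept=127.0.0.1:9993
connect=imap.example.net:993

[imap-pinned]
accept=127.0.0.1:9994
connect=imap.example.net:993
checkHost=imap.example.net

[smtp-by-ip]
accept=127.0.0.1:9465
connect=192.0.2.10:465
checkHost=192.0.2.10

[pop-unverified]
accept=127.0.0.1:9995
connect=pop.example.net:995
verify=0
"""


def parse_stunnel_config(text):
    """Return (global_options, {service_name: options}) from config text.

    Keys are case-sensitive as in stunnel.  A repeated key keeps the last
    value, except the check* options, which stunnel accepts more than once,
    so those are collected into lists.
    """
    global_opts = {}
    services = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = (s.strip() for s in line.split("=", 1))
        if key in SUBJECT_CHECK_KEYS:
            current.setdefault(key, []).append(value)
        else:
            current[key] = value
    return global_opts, services


def _is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_stunnel_config(text):
    """Return a sorted list of (service, finding) tuples."""
    global_opts, services = parse_stunnel_config(text)
    findings = []
    for name, opts in services.items():
        # Options set before the first section are defaults for each service
        # (assumed here, per stunnel's documented behaviour).
        effective = dict(global_opts)
        effective.update(opts)
        verify = int(effective.get("verify", "0"))
        if verify == 0:
            findings.append((name, "verify=0: peer certificate not verified at all"))
            continue
        if not any(k in effective for k in SUBJECT_CHECK_KEYS):
            findings.append((name, "verify=%d without checkHost/checkIP/checkEmail: "
                                   "any certificate from a trusted CA is accepted" % verify))
        for host in effective.get("checkHost", []):
            if _is_ip_literal(host):
                findings.append((name, "checkHost=%s is an IP literal; use checkIP" % host))
    return sorted(findings)


if __name__ == "__main__":
    for service, finding in audit_stunnel_config(SAMPLE_CONFIG):
        print("%-15s %s" % (service, finding))
```

Run it against the config Mew actually writes (or any stunnel client config) by passing the file contents to audit_stunnel_config; a clean result means every verifying service also names the peer it expects.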
--- Begin Message ---
Source: mew
Source-Version: 1:6.8-4+deb10u1
Done: Tatsuya Kinoshita <[email protected]>

We believe that the bug you reported is fixed in the latest version of
mew, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tatsuya Kinoshita <[email protected]> (supplier of updated mew package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 02 Feb 2020 18:31:28 +0900
Source: mew
Architecture: source
Version: 1:6.8-4+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Tatsuya Kinoshita <[email protected]>
Changed-By: Tatsuya Kinoshita <[email protected]>
Closes: 950411
Changes:
 mew (1:6.8-4+deb10u1) buster; urgency=medium
 .
   * New patch 070_checkhost.patch to enable checkHost for stunnel
     (closes: #950411)
Checksums-Sha1:
 2fd650cfeb6e98eb5e185960cb2f754cee350f05 1850 mew_6.8-4+deb10u1.dsc
 b2d01cbf597ab995208cf1dd3ce2c387f09d572a 50596 mew_6.8-4+deb10u1.debian.tar.xz
 45635fb3ee87ab17ed6dd3118b8ea1a3cdbf7880 5976 mew_6.8-4+deb10u1_amd64.buildinfo
Checksums-Sha256:
 00b72c42d81579fa91ddfeca89e1971af1a630888b42e58ff2b97532efe87526 1850 mew_6.8-4+deb10u1.dsc
 93413d081bb6f5859969de5c3192cab6b24135af43e6d37a0d0245c09394e6fd 50596 mew_6.8-4+deb10u1.debian.tar.xz
 e7f7caeaf4fec311c39ac4db30430faa7fa9121f5edcfe1fb7eb31cac11a9707 5976 mew_6.8-4+deb10u1_amd64.buildinfo
Files:
 385bf94abd874ec4b75c3e800e72dacd 1850 mail optional mew_6.8-4+deb10u1.dsc
 b324b7fdd566f4dcc8cfd88a1c2a9e8f 50596 mail optional mew_6.8-4+deb10u1.debian.tar.xz
 643eb810d0a1f017fe9f5d1fc8a8ddc2 5976 mail optional mew_6.8-4+deb10u1_amd64.buildinfo


--- End Message ---
