Your message dated Sat, 14 Mar 2020 18:48:52 +0000
with message-id <[email protected]>
and subject line Bug#950412: fixed in mew-beta 7.0.50~6.8+0.20190228-1+deb10u1
has caused the Debian Bug report #950412,
regarding mew-beta: does not validate server certificate subject
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
950412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950412
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mew
Version: 1:6.8-4
Severity: important
Tags: security patch fixed-upstream
Forwarded: https://github.com/kazu-yamamoto/Mew/pull/133
Control: found -1 1:6.7-4
Control: fixed -1 1:6.8-6
It was discovered that Mew, a mail reader in Emacs, performs
insufficient validation of SSL/TLS certificates, which may lead to
man-in-the-middle attacks.
cf. https://github.com/kazu-yamamoto/Mew/pull/133
> Support checkHost for stunnel 5.15 #133
>
> This patch will check the peer certificate subject when
> mew-ssl-verify-level is non-zero with stunnel >=5.15 and
> OpenSSL >=1.0.2.
>
> cf. https://www.stunnel.org/NEWS.html
>
> Version 5.21, 2015.07.27, urgency: MEDIUM
>
> More elaborate descriptions were added to the warning about
> using "verify = 2" without "checkHost" or "checkIP".
>
> Version 5.15, 2015.04.16, urgency: LOW
>
> Added new service-level options "checkHost", "checkEmail" and
> "checkIP" for additional checks of the peer certificate subject.
> These options require OpenSSL version 1.0.2 or higher.
Note that the checkHost option of stunnel can be enabled by the
user configuration.
e.g.
(setq mew-ssl-cert-directory "/etc/ssl/certs\ncheckHost=.example.net")
However, it should be automatically enabled. Patch attached.
Thanks,
--
Tatsuya Kinoshita
Subject: Enable checkHost for stunnel
Origin: upstream, https://github.com/kazu-yamamoto/Mew/commit/8de0a1398f10d0e8da29ce91ec22af17430c0004
Bug: https://github.com/kazu-yamamoto/Mew/pull/133
--- a/mew-ssl.el
+++ b/mew-ssl.el
@@ -106,6 +106,8 @@ insert no extra text.")
(insert "client=yes\n")
(insert "pid=\n")
(insert (format "verify=%d\n" (mew-ssl-verify-level case)))
+ (if (> (mew-ssl-verify-level case) 0)
+ (insert (format "checkHost=%s\n" server)))
(insert "foreground=yes\n")
(insert "debug=debug\n")
(if (and mew-ssl-libwrap (or (>= mew-ssl-ver 5) (>= mew-ssl-minor-ver 45)))
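Review bot: the new `checkHost=` line is gated only on the verify level, not on the stunnel version, although the PR description says the option exists only with stunnel >=5.15 and OpenSSL >=1.0.2, and the very next context line already gates `libwrap` on `mew-ssl-ver`/`mew-ssl-minor-ver`. An older stunnel will not recognise `checkHost` at all, so consider a version guard in the same style as the libwrap one, e.g. `(if (and (> (mew-ssl-verify-level case) 0) (or (> mew-ssl-ver 5) (and (= mew-ssl-ver 5) (>= mew-ssl-minor-ver 15)))) ...)`. It would also help to document next to the insert that `server` must be the host name the user configured, since that is exactly what stunnel compares the peer certificate subject against.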
--- End Message ---
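The weakness the report describes, as an added illustration (not Mew's or stunnel's own code; the sample configuration is constructed to resemble what mew-ssl.el writes): a small parser for stunnel's INI-like syntax and an audit rule that flags any service whose verify level is non-zero but which sets neither checkHost nor checkIP, the same condition stunnel 5.21 started warning about.

```python
# Constructed sample: a stunnel client configuration shaped like the one
# mew-ssl.el writes (client=yes, pid=, verify=N, ...) before and after the
# fix for Debian bug #950412. Service name and host names are made up.
CONF_BEFORE_FIX = """\
client=yes
pid=
verify=2
foreground=yes
debug=debug
CApath=/etc/ssl/certs
[imaps]
accept=127.0.0.1:9930
connect=imap.example.net:993
"""
CONF_AFTER_FIX = CONF_BEFORE_FIX.replace(
    "verify=2\n", "verify=2\ncheckHost=imap.example.net\n")


def parse_stunnel_conf(text):
    """Parse stunnel's INI-like syntax into {section: {option: value}}.
    Options before the first [section] are global defaults (key "")."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            # option names are compared case-insensitively here
            sections[current][key.strip().lower()] = value.strip()
    return sections


def services_missing_subject_check(conf):
    """Services that verify the chain (verify > 0) but never pin the
    subject (no checkHost/checkIP): the condition reported in #950412."""
    findings = []
    for name, opts in conf.items():
        if name == "":
            continue
        merged = {**conf[""], **opts}  # service options override globals
        level = int(merged.get("verify", "0") or 0)
        if level > 0 and not merged.keys() & {"checkhost", "checkip"}:
            findings.append(name)
    return findings
```

Run against a real stunnel configuration generated by Mew, an empty result means every verifying service also pins the expected host.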
--- Begin Message ---
Source: mew-beta
Source-Version: 7.0.50~6.8+0.20190228-1+deb10u1
Done: Tatsuya Kinoshita <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mew-beta, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tatsuya Kinoshita <[email protected]> (supplier of updated mew-beta package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 02 Feb 2020 18:43:08 +0900
Source: mew-beta
Architecture: source
Version: 7.0.50~6.8+0.20190228-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Tatsuya Kinoshita <[email protected]>
Changed-By: Tatsuya Kinoshita <[email protected]>
Closes: 950412
Changes:
mew-beta (7.0.50~6.8+0.20190228-1+deb10u1) buster; urgency=medium
.
* New patch 070_checkhost.patch to enable checkHost for stunnel
(closes: #950412)
--- End Message ---