Your message dated Sat, 08 Sep 2012 17:32:43 +0000
with message-id <e1taotf-0002a9...@franck.debian.org>
and subject line Bug#657046: fixed in alpine 2.02+dfsg-1.1
has caused the Debian Bug report #657046,
regarding alpine: Alpine uses DES-56 in violation of RFC 5751
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
657046: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657046
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: alpine
Version: 2.02-3.1
Severity: normal


alpine (re-alpine) uses DES-56 to encrypt S/MIME messages.  This is very 
insecure by modern standards and is in violation of RFC 5751.

This issue was reported upstream and a patch produced 
(http://sourceforge.net/tracker/index.php?func=detail&aid=3428168&group_id=264924&atid=1128048), 
but has not been addressed in a release of re-alpine.  The patch on the 
linked page changes the default encryption algorithm to AES-128 (CBC 
mode), which is sufficiently strong for modern use.

Due to the security issues surrounding the use of DES-56 in 2012, I 
believe this should be patched in the alpine package even if re-alpine 
does not produce a release with the patch.

-- System Information:
Debian Release: 6.0.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.10-grsec (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages alpine depends on:
ii  libc6               2.11.2-10            Embedded GNU C Library: Shared lib
ii  libgssapi-krb5-2    1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - k
ii  libkrb5-3           1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries
ii  libldap-2.4-2       2.4.23-7.2           OpenLDAP libraries
ii  libncurses5         5.7+20100313-5       shared libraries for terminal hand
ii  libpam0g            1.1.1-6.1+squeeze1   Pluggable Authentication Modules l
ii  libssl0.9.8         0.9.8o-4squeeze5     SSL shared libraries

Versions of packages alpine recommends:
ii  alpine-doc                    2.02-3.1   Text-based email client's document

Versions of packages alpine suggests:
ii  aspell                   0.60.6-4        GNU Aspell spell-checker
ii  exim4                    4.72-6+squeeze2 metapackage to ease Exim MTA (v4) 
ii  exim4-daemon-light [mail 4.72-6+squeeze2 lightweight Exim MTA (v4) daemon

-- no debconf information



--- End Message ---
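
The weakness reported above can be confirmed on a stored message by reading the content-encryption algorithm out of its CMS EnvelopedData and comparing it with the algorithm requirements of RFC 5751 section 2.7. This is an added example, not code from Alpine, re-alpine or the upstream patch. It assumes the S/MIME body has already been base64-decoded to definite-length DER; `content_cipher`, `sample`, the verdict labels and the two sample messages are constructed here for illustration.

```python
CIPHERS = {  # added example, not Alpine code; verdicts per RFC 5751 section 2.7
    "1.3.14.3.2.7": ("DES-CBC", "reject"),             # 56-bit key, not in RFC 5751
    "1.2.840.113549.3.7": ("DES-EDE3-CBC", "legacy"),  # SHOULD-
    "2.16.840.1.101.3.4.1.2": ("AES-128-CBC", "ok"),   # MUST
    "2.16.840.1.101.3.4.1.22": ("AES-192-CBC", "ok"),  # SHOULD+
    "2.16.840.1.101.3.4.1.42": ("AES-256-CBC", "ok"),  # SHOULD+
}

def children(buf):                          # -> [(tag, value), ...] of DER elements
    out, pos = [], 0
    while pos < len(buf):
        tag, first, pos = buf[pos], buf[pos + 1], pos + 2
        length = first
        if first > 0x80:                    # long-form length
            n = first & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if first == 0x80 or pos + length > len(buf):
            raise ValueError("indefinite-length BER or truncated element")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def decode_oid(body):
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs, n = arcs + [n], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def content_cipher(der):                    # -> (oid, name, verdict)
    content_info = children(children(der)[0][1])
    if decode_oid(content_info[0][1]) != "1.2.840.113549.1.7.3":
        raise ValueError("not CMS EnvelopedData")
    enveloped = children(children(content_info[1][1])[0][1])  # inside [0] EXPLICIT
    eci = next(v for t, v in enveloped if t == 0x30)           # EncryptedContentInfo
    oid = decode_oid(children(children(eci)[1][1])[0][1])      # AlgorithmIdentifier OID
    return (oid, *CIPHERS.get(oid, ("unknown", "review")))

def sample(cipher_oid):                     # constructed skeleton: no recipients, zero IV/ciphertext
    tlv = lambda tag, body: bytes([tag, len(body)]) + body    # short lengths only
    alg = tlv(0x30, tlv(0x06, cipher_oid) + tlv(0x04, bytes(8)))
    eci = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")) + alg + tlv(0x80, bytes(16)))
    env = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x31, b"") + eci)
    return tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010703")) + tlv(0xA0, env))

DES_SAMPLE = sample(bytes.fromhex("2b0e030207"))          # what the bug report describes
AES_SAMPLE = sample(bytes.fromhex("608648016503040102"))  # the patched default
```

A message whose algorithm is not in the table comes back as `("<oid>", "unknown", "review")` rather than being silently accepted.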
--- Begin Message ---
Source: alpine
Source-Version: 2.02+dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
alpine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 657...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan McCrohan <jmccro...@gmail.com> (supplier of updated alpine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 08 Sep 2012 16:07:59 +0100
Source: alpine
Binary: alpine alpine-doc alpine-dbg alpine-pico pilot
Architecture: source all amd64
Version: 2.02+dfsg-1.1
Distribution: unstable
Urgency: low
Maintainer: Asheesh Laroia <ashe...@asheesh.org>
Changed-By: Jonathan McCrohan <jmccro...@gmail.com>
Description: 
 alpine     - Text-based email client, friendly for novices but powerful
 alpine-dbg - Text-based email client's debugging symbols
 alpine-doc - Text-based email client's documentation
 alpine-pico - Simple text editor from Alpine, a text-based email client
 pilot      - Simple file browser from Alpine, a text-based email client
Closes: 657046
Changes: 
 alpine (2.02+dfsg-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Apply upstream patch disabling DES-56 to ensure RFC 5751 compliance.
     (Closes: #657046)
     - Upstream commit e2eef589799d742ea6ccaec9144dc619a516222e added as
       70_des56_rfc5751.patch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---
