Bug#603450: offlineimap: fails check the remote servers ssl certificate is valid
Package: offlineimap
Severity: grave
Tags: security
Justification: user security hole

offlineimap performs absolutely no ssl certificate checking. So users could/can be the victim of a man in the middle attack.

In debian the following bugs exist:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536421 (re certificate expiration)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=153240 (re ssl fingerprint checking)

This could be considered a bug in imaplib (http://bugs.python.org/issue10274).

A partial 'fix' is the following (this 'fix' isn't complete and would break connections to servers using self-signed certificates):

WARNING XXX: I haven't tested this 'fix' at all and so it is most likely wrong.

diff --git a/offlineimap/imaplibutil.py b/offlineimap/imaplibutil.py index a60242b..c37688c 100644 --- a/offlineimap/imaplibutil.py +++ b/offlineimap/imaplibutil.py @@ -62,7 +62,7 @@ class IMAP4_Tunnel(IMAP4): self.infd.close() self.outfd.close() self.process.wait() - + class sslwrapper: def __init__(self, sslsock): self.sslsock = sslsock 
@@ -171,7 +171,7 @@ def new_open_ssl(self, host = '', port = IMAP4_SSL_PORT): if last_error != 0: # FIXME raise socket.error(last_error) -self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile) +self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile, cert_reqs=ssl.CERT_REQUIRED, ca_certs="/etc/ssl/certs/ca-certificates.crt") self.sslobj = sslwrapper(self.sslobj)

Although, this isn't complete because it will break self-signed certificate using servers and http://bugs.python.org/issue1589 means that it won't provide full protection etc. Really, what is required is that by default the certificate is checked and perhaps an option is added to bypass the check.

This isn't a new discovery, see [1], but the package provides no warning about this fact. I added a warning too https://github.com/jgoerzen/offlineimap/wiki/ perhaps debian can add a warning (in the package description) until this is fixed.

[0] - http://thread.gmane.org/gmane.mail.imap.offlineimap.general/760

-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (900, 'stable'), (650, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.36 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- 
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20101114085523.4894.64123.report...@linode.d1b.org
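Review bot: the first hunk (@@ -62,7 +62,7 @@, the "- +" change on the blank line before `class sslwrapper:`) is a whitespace-only edit unrelated to certificate checking; drop it or submit it separately so the security fix stays minimal and easy to review.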
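Review bot: in the second hunk (@@ -171,7 +171,7 @@ new_open_ssl) the CA bundle path "/etc/ssl/certs/ca-certificates.crt" is hard-coded into the ssl_wrap() call; make ca_certs a configuration option instead, which also keeps self-signed servers usable (the user points it at that server's own certificate) rather than forcing checking off, and confirm that `ssl` is imported in imaplibutil.py since the new line references ssl.CERT_REQUIRED. As the report itself says via issue1589, cert_reqs=ssl.CERT_REQUIRED only validates the chain; the returned certificate's subject/SAN still has to be compared against `host` after the wrap, otherwise any certificate issued by a trusted CA is accepted for any server.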
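A Python 3 sketch of the behaviour the report asks for, added here as an example and not part of the bug report or of offlineimap itself: chain validation plus host name matching on by default, an explicit opt-out, and a pinned-fingerprint path for self-signed servers instead of switching checking off. Function and parameter names are assumptions; only the standard library is used.

```python
import hashlib
import hmac
import imaplib
import ssl


def build_context(verify=True, ca_file=None):
    """SSLContext for an IMAP client.

    verify=True: the default the report asks for: chain validation against a CA
    bundle (ca_file, or the system store when None) plus host name matching,
    the issue1589 gap that cert_reqs=CERT_REQUIRED alone leaves open.
    verify=False: the pre-fix behaviour (no checking), kept as an explicit opt-out.
    """
    if not verify:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # must be cleared before CERT_NONE is set
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context(cafile=ca_file)


def describe_context(ctx):
    """The two settings that decide whether a man-in-the-middle is detected."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def fingerprint_matches(der_cert, expected_sha256):
    """Constant-time check of a DER certificate's SHA-256 against a pinned value;
    accepts openssl-style 'AB:CD:...' as well as bare hex, in either case."""
    expected = expected_sha256.replace(":", "").replace(" ", "").strip().lower()
    return hmac.compare_digest(hashlib.sha256(der_cert).hexdigest(), expected)


def imap_ssl_connect(host, port=993, ca_file=None, fingerprint=None):
    """Open an IMAP4_SSL connection that is verified one way or the other.
    With a pinned fingerprint (the self-signed case, cf. Debian bug 153240) the
    chain is not validated, but the presented certificate must hash to the pinned
    value or the socket is closed before any IMAP command is sent."""
    if fingerprint is None:
        return imaplib.IMAP4_SSL(host, port, ssl_context=build_context(True, ca_file))
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=build_context(verify=False))
    der = conn.sock.getpeercert(binary_form=True)
    if not fingerprint_matches(der, fingerprint):
        conn.sock.close()
        raise ssl.SSLError("certificate fingerprint for %s does not match pinned value" % host)
    return conn
```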
Bug#603450: Acknowledgement (offlineimap: fails check the remote servers ssl certificate is valid)
%s/[0]/[1]/
%s/too/to/

Archive: http://lists.debian.org/aanlktikjvu_vqbdgiyxs_cgjpvtpxy4pvfqf6y_tx...@mail.gmail.com
Bug#603450: Acknowledgement (offlineimap: fails check the remote servers ssl certificate is valid)
I wish debian let me edit bugs like ubuntu does!

(offlineimap: fails check the remote servers ssl certificate is valid)

should be

(offlineimap: fails *to* check the remote server's ssl certificate is valid)

s/servers/server's/

Archive: http://lists.debian.org/aanlktimyxogdxj=0xqzkoyrdp9gmdsnf==jnx-qvf...@mail.gmail.com
Bug#603473: zshdb: Installation fails
Package: zshdb
Version: 0.05+git20101031-1
Severity: grave
Tags: sid
Justification: renders package unusable

Package installation fails, also happens when upgrading.

-8<-
Setting up zshdb (0.05+git20101031-1) ...
emacsen-common: Handling install of emacsen flavor emacs
emacsen-common: Handling install of emacsen flavor emacs21
emacsen-common: byte-compiling for emacs21
Wrote /etc/emacs21/site-start.d/00debian-vars.elc
Wrote /usr/share/emacs21/site-lisp/debian-startup.elc
Done
install/zshdb: Handling install for emacsen flavor emacs21
/usr/lib/emacsen-common/packages/install/zshdb: line 36: cd: /usr/share/emacs/site-lisp/zshdb: No such file or directory
emacs-package-install: /usr/lib/emacsen-common/packages/install/zshdb emacs21 emacs21 failed at /usr/lib/emacsen-common/emacs-package-install line 30, line 2.
dpkg: error processing zshdb (--configure):
 subprocess installed post-installation script returned error exit status 1
configured to not write apport reports
Errors were encountered while processing:
 zshdb
E: Sub-process /usr/bin/dpkg returned an error code (1)
zsh: exit 100   apt-get install zshdb
-8<-

Probably because directory /usr/share/emacs/site-lisp/zshdb does not exist and zshdb is not creating one.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.33.1-bfs315 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages zshdb depends on:
ii  emacsen-common  1.4.19     Common facilities for all emacsen
ii  zsh             4.3.10-16  A shell with lots of features

zshdb recommends no packages.
zshdb suggests no packages.

-- no debconf information

Archive: http://lists.debian.org/20101114144500.21895.83689.report...@hanuri.dap
Bug#603450: Acknowledgement (offlineimap: fails check the remote servers ssl certificate is valid)
retitle 603540 offlineimap: fails to check the remote server's ssl certificate is valid
thanks

On Sun, Nov 14, 2010 at 08:15:18PM +1100, dave b wrote:
>I wish debian let me edit bugs like ubuntu does!

Done. See http://www.debian.org/Bugs/server-control for more details on the commands available.

>(offlineimap: fails check the remote
> servers ssl certificate is valid)
>
>should be
>(offlineimap: fails *to* check the remote
> server's ssl certificate is valid)
>
>s/servers/server's/

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
"The problem with defending the purity of the English language is that English is about as pure as a cribhouse whore. We don't just borrow words; on occasion, English has pursued other languages down alleyways to beat them unconscious and rifle their pockets for new vocabulary." -- James D. Nicoll

Archive: http://lists.debian.org/20101114172529.gf13...@einval.com
Processed: retitle 603243 to Manpage should reference appropriate section of Debian Policy
Processing commands for cont...@bugs.debian.org:

> retitle 603243 Manpage should reference appropriate section of Debian Policy
Bug #603243 [sensible-utils] (no subject)
Changed Bug title to 'Manpage should reference appropriate section of Debian Policy' from '(no subject)'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
603243: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603243
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Archive: http://lists.debian.org/handler.s.c.12897596499555.transcr...@bugs.debian.org
Processed: tagging 397050
Processing commands for cont...@bugs.debian.org:

> # cantfix, really: sensible-editor runs editor, which would loop; programs
> should always spawn sensible-editor unless they have their own $EDITOR
> handling
> tags 397050 + wontfix
Bug #397050 [sensible-utils] Can debianutils offer sensible-editor as editor alternative?
Added tag(s) wontfix.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
397050: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397050
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Archive: http://lists.debian.org/handler.s.c.128975980310435.transcr...@bugs.debian.org
Processing of pekwm-themes_1.0.5-2_amd64.changes
pekwm-themes_1.0.5-2_amd64.changes uploaded successfully to localhost
along with the files:
  pekwm-themes_1.0.5-2.dsc
  pekwm-themes_1.0.5-2.debian.tar.gz
  pekwm-themes_1.0.5-2_all.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

Archive: http://lists.debian.org/e1phjqi-0008v2...@franck.debian.org
pekwm-themes_1.0.5-2_amd64.changes ACCEPTED into unstable
Accepted:
pekwm-themes_1.0.5-2.debian.tar.gz
  to main/p/pekwm-themes/pekwm-themes_1.0.5-2.debian.tar.gz
pekwm-themes_1.0.5-2.dsc
  to main/p/pekwm-themes/pekwm-themes_1.0.5-2.dsc
pekwm-themes_1.0.5-2_all.deb
  to main/p/pekwm-themes/pekwm-themes_1.0.5-2_all.deb

Override entries for your package:
pekwm-themes_1.0.5-2.dsc - source x11
pekwm-themes_1.0.5-2_all.deb - optional x11

Announcing to debian-devel-chan...@lists.debian.org

Thank you for your contribution to Debian.

Archive: http://lists.debian.org/e1phk76-00057s...@franck.debian.org
Processing of cpio_2.11-5_all.changes
cpio_2.11-5_all.changes uploaded successfully to localhost
along with the files:
  cpio_2.11-5.dsc
  cpio_2.11-5.debian.tar.gz
  cpio-win32_2.11-5_all.deb
  cpio_2.11-5_amd64.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

Archive: http://lists.debian.org/e1phkn5-0004id...@franck.debian.org
cpio_2.11-5_all.changes ACCEPTED into unstable
Accepted:
cpio-win32_2.11-5_all.deb
  to main/c/cpio/cpio-win32_2.11-5_all.deb
cpio_2.11-5.debian.tar.gz
  to main/c/cpio/cpio_2.11-5.debian.tar.gz
cpio_2.11-5.dsc
  to main/c/cpio/cpio_2.11-5.dsc
cpio_2.11-5_amd64.deb
  to main/c/cpio/cpio_2.11-5_amd64.deb

Override entries for your package:
cpio-win32_2.11-5_all.deb - extra utils
cpio_2.11-5.dsc - source utils
cpio_2.11-5_amd64.deb - important utils

Announcing to debian-devel-chan...@lists.debian.org

Thank you for your contribution to Debian.

Archive: http://lists.debian.org/e1phkt5-0004yk...@franck.debian.org
Processing of db4.6_4.6.21-17_all.changes
db4.6_4.6.21-17_all.changes uploaded successfully to localhost
along with the files:
  db4.6_4.6.21-17.dsc
  db4.6_4.6.21-17.debian.tar.gz
  db4.6-doc_4.6.21-17_all.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

Archive: http://lists.debian.org/e1phndr-kl...@franck.debian.org
db4.6_4.6.21-17_all.changes ACCEPTED into unstable
Accepted:
db4.6-doc_4.6.21-17_all.deb
  to main/d/db4.6/db4.6-doc_4.6.21-17_all.deb
db4.6_4.6.21-17.debian.tar.gz
  to main/d/db4.6/db4.6_4.6.21-17.debian.tar.gz
db4.6_4.6.21-17.dsc
  to main/d/db4.6/db4.6_4.6.21-17.dsc

Override entries for your package:
db4.6-doc_4.6.21-17_all.deb - optional doc
db4.6_4.6.21-17.dsc - source database

Announcing to debian-devel-chan...@lists.debian.org
Closing bugs: 587202

Thank you for your contribution to Debian.

Archive: http://lists.debian.org/e1phnf7-sv...@franck.debian.org
Processing of db4.7_4.7.25-10_all.changes
db4.7_4.7.25-10_all.changes uploaded successfully to localhost
along with the files:
  db4.7_4.7.25-10.dsc
  db4.7_4.7.25-10.debian.tar.gz
  db4.7-doc_4.7.25-10_all.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

Archive: http://lists.debian.org/e1phngv-0003fg...@franck.debian.org
db4.7_4.7.25-10_all.changes ACCEPTED into unstable
Accepted:
db4.7-doc_4.7.25-10_all.deb
  to main/d/db4.7/db4.7-doc_4.7.25-10_all.deb
db4.7_4.7.25-10.debian.tar.gz
  to main/d/db4.7/db4.7_4.7.25-10.debian.tar.gz
db4.7_4.7.25-10.dsc
  to main/d/db4.7/db4.7_4.7.25-10.dsc

Override entries for your package:
db4.7-doc_4.7.25-10_all.deb - optional doc
db4.7_4.7.25-10.dsc - source libs

Announcing to debian-devel-chan...@lists.debian.org
Closing bugs: 594433

Thank you for your contribution to Debian.

Archive: http://lists.debian.org/e1phnh7-0003im...@franck.debian.org