Debian Bug report logs - #657046
alpine: Alpine uses DES-56 in violation of RFC 5751


Package: alpine; Maintainer for alpine is Asheesh Laroia <asheesh@asheesh.org>; Source for alpine is src:alpine.

Reported by: Robert Tomsick <robert+debianbugs@tomsick.net>

Date: Mon, 23 Jan 2012 18:42:02 UTC

Severity: serious

Tags: fixed-upstream, patch

Found in version alpine/2.02-3.1

Fixed in version alpine/2.02+dfsg-1.1

Done: Jonathan McCrohan <jmccrohan@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, robert+debianbugs@tomsick.net, Asheesh Laroia <asheesh@asheesh.org>:
Bug#657046; Package alpine. (Mon, 23 Jan 2012 18:42:05 GMT)

Acknowledgement sent to Robert Tomsick <robert+debianbugs@tomsick.net>:
New Bug report received and forwarded. Copy sent to robert+debianbugs@tomsick.net, Asheesh Laroia <asheesh@asheesh.org>. (Mon, 23 Jan 2012 18:42:05 GMT)

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Robert Tomsick <robert+debianbugs@tomsick.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: alpine: Alpine uses DES-56 in violation of RFC 5751
Date: Mon, 23 Jan 2012 13:38:15 -0500
Package: alpine
Version: 2.02-3.1
Severity: normal


alpine (re-alpine) uses DES-56 to encrypt S/MIME messages.  This is very 
insecure by modern standards and is in violation of RFC 5751.

This issue was reported upstream and a patch produced 
(http://sourceforge.net/tracker/index.php?func=detail&aid=3428168&group_id=264924&atid=1128048), 
but has not been addressed in a release of re-alpine.  The patch on the 
linked page changes the default encryption algorithm to AES-128 (CBC 
mode), which is sufficiently strong for modern use.

Due to the security issues surrounding the use of DES-56 in 2012, I 
believe this should be patched in the alpine package even if re-alpine 
does not produce a release with the patch.

-- System Information:
Debian Release: 6.0.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.10-grsec (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages alpine depends on:
ii  libc6               2.11.2-10            Embedded GNU C Library: Shared lib
ii  libgssapi-krb5-2    1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - k
ii  libkrb5-3           1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries
ii  libldap-2.4-2       2.4.23-7.2           OpenLDAP libraries
ii  libncurses5         5.7+20100313-5       shared libraries for terminal hand
ii  libpam0g            1.1.1-6.1+squeeze1   Pluggable Authentication Modules l
ii  libssl0.9.8         0.9.8o-4squeeze5     SSL shared libraries

Versions of packages alpine recommends:
ii  alpine-doc                    2.02-3.1   Text-based email client's document

Versions of packages alpine suggests:
ii  aspell                   0.60.6-4        GNU Aspell spell-checker
ii  exim4                    4.72-6+squeeze2 metapackage to ease Exim MTA (v4) 
ii  exim4-daemon-light [mail 4.72-6+squeeze2 lightweight Exim MTA (v4) daemon

-- no debconf information
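The defect in this report is a content-encryption algorithm choice inside S/MIME (CMS EnvelopedData): the algorithm is named by an OID in the message's AlgorithmIdentifier, so a defender can audit stored or intercepted S/MIME mail for single DES without decrypting anything. The following checker is an added example, not code from this bug log or from alpine: it walks DER, decodes every OBJECT IDENTIFIER it finds, and flags desCBC (1.3.14.3.2.7) as weak while accepting AES-128-CBC, the algorithm the upstream patch switches to (the 3DES and AES-256 OIDs are included from the standard registries, not from the page). The sample EncryptedContentInfo structures are constructed inline with dummy IV and ciphertext bytes, and the `CIPHER_POLICY` table is this example's own classification.

```python
"""Audit the content-encryption algorithm of a CMS/S-MIME EncryptedContentInfo.

Added example (not alpine's code). Parses DER minimally, collects OIDs and
classifies known content-encryption algorithms. Single DES, which this bug
report is about, is flagged as weak; AES-128-CBC (the patched default) passes.
"""

# Standard OIDs (DER-encoded bodies of the OBJECT IDENTIFIER elements).
DES_CBC = bytes.fromhex("2b0e030207")            # 1.3.14.3.2.7  desCBC
DES_EDE3_CBC = bytes.fromhex("2a864886f70d0307")  # 1.2.840.113549.3.7
AES128_CBC = bytes.fromhex("608648016503040102")  # 2.16.840.1.101.3.4.1.2
AES256_CBC = bytes.fromhex("60864801650304012a")  # 2.16.840.1.101.3.4.1.42
OID_DATA = bytes.fromhex("2a864886f70d010701")    # 1.2.840.113549.1.7.1 id-data

# Example policy table: verdicts are this example's own classification.
CIPHER_POLICY = {
    "1.3.14.3.2.7": ("desCBC", "weak"),
    "1.2.840.113549.3.7": ("des-ede3-cbc", "ok"),
    "2.16.840.1.101.3.4.1.2": ("aes128-CBC", "ok"),
    "2.16.840.1.101.3.4.1.42": ("aes256-CBC", "ok"),
}


def decode_oid(body: bytes) -> str:
    """Decode the base-128 body of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                      # last byte of this arc
            if not arcs:                      # first byte packs arcs 1 and 2
                first = min(value // 40, 2)
                arcs.extend([first, value - 40 * first])
            else:
                arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _walk(buf: bytes, found: list) -> None:
    """Recursively collect every OID, descending into constructed elements."""
    pos = 0
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        if tag == 0x06:                       # OBJECT IDENTIFIER
            found.append(decode_oid(body))
        elif tag & 0x20:                      # constructed: SEQUENCE, SET, [n]
            _walk(body, found)


def audit_content_encryption(der: bytes):
    """Return (dotted_oid, name, verdict) for every known cipher OID found."""
    oids: list = []
    _walk(der, oids)
    return [(o, *CIPHER_POLICY[o]) for o in oids if o in CIPHER_POLICY]


def weak_ciphers(der: bytes):
    """Names of content-encryption algorithms the policy rejects."""
    return [name for _, name, verdict in audit_content_encryption(der)
            if verdict == "weak"]


# --- constructed sample input -------------------------------------------

def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "short-form length suffices for these samples"
    return bytes([tag, len(body)]) + body


def sample_encrypted_content_info(cipher_oid: bytes, iv: bytes,
                                  ciphertext: bytes) -> bytes:
    """Build EncryptedContentInfo ::= SEQUENCE { id-data, AlgorithmIdentifier,
    [0] IMPLICIT OCTET STRING } with constructed dummy IV/ciphertext bytes."""
    alg = _tlv(0x30, _tlv(0x06, cipher_oid) + _tlv(0x04, iv))
    return _tlv(0x30, _tlv(0x06, OID_DATA) + alg + _tlv(0x80, ciphertext))


if __name__ == "__main__":
    legacy = sample_encrypted_content_info(DES_CBC, b"\0" * 8, b"\x11" * 16)
    patched = sample_encrypted_content_info(AES128_CBC, b"\0" * 16, b"\x11" * 16)
    for label, msg in (("unpatched alpine style", legacy), ("patched", patched)):
        print(label, audit_content_encryption(msg), "weak:", weak_ciphers(msg))
```

A real EnvelopedData carries more structure (recipient infos, possibly a MIME wrapper that must be base64-decoded first), but the walker does not depend on any particular nesting, so it applies unchanged once the DER has been extracted from the `application/pkcs7-mime` body.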




Severity set to 'serious' from 'normal' Request was from Asheesh Laroia <asheesh@asheesh.org> to control@bugs.debian.org. (Sun, 26 Aug 2012 21:15:08 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#657046; Package alpine. (Sun, 26 Aug 2012 21:24:03 GMT)

Acknowledgement sent to Asheesh Laroia <asheesh@asheesh.org>:
Extra info received and forwarded to list.

Your message did not contain a Subject field. They are recommended and useful because the title of a $gBug is determined using this field. Please remember to include a Subject field in your messages in future.

(Sun, 26 Aug 2012 21:24:03 GMT)


Message #12 received at 657046@bugs.debian.org (full text, mbox):

From: Asheesh Laroia <asheesh@asheesh.org>
To: 657046@bugs.debian.org
Date: Sun, 26 Aug 2012 17:12:52 -0400 (EDT)
Thanks for this bug report!

I can confirm the issue, and I believe this is very important. Upstream 
has a patch that fixes it, but we should try to get the updated version 
into the upcoming release of Debian.

I will work on that. Thank you again for the report.



Information forwarded to debian-bugs-dist@lists.debian.org, Asheesh Laroia <asheesh@asheesh.org>:
Bug#657046; Package alpine. (Sat, 08 Sep 2012 14:54:06 GMT)

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Asheesh Laroia <asheesh@asheesh.org>. (Sat, 08 Sep 2012 14:54:06 GMT)

Message #17 received at 657046@bugs.debian.org (full text, mbox):

From: gregor herrmann <gregoa@debian.org>
To: 657046@bugs.debian.org
Subject: Re: Bug#657046: alpine: Alpine uses DES-56 in violation of RFC 5751
Date: Sat, 8 Sep 2012 16:50:02 +0200
[Message part 1 (text/plain, inline)]
Control: tag -1 + fixed-upstream patch

On Mon, 23 Jan 2012 13:38:15 -0500, Robert Tomsick wrote:

> This issue was reported upstream and a patch produced 
> (http://sourceforge.net/tracker/index.php?func=detail&aid=3428168&group_id=264924&atid=1128048), 

In the meantime committed in upstream master:
http://re-alpine.git.sourceforge.net/git/gitweb.cgi?p=re-alpine/re-alpine;a=commit;h=e2eef589799d742ea6ccaec9144dc619a516222e

Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Peter Jones: The coffee song
[signature.asc (application/pgp-signature, inline)]

Added tag(s) fixed-upstream and patch. Request was from gregor herrmann <gregoa@debian.org> to 657046-submit@bugs.debian.org. (Sat, 08 Sep 2012 14:54:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Asheesh Laroia <asheesh@asheesh.org>:
Bug#657046; Package alpine. (Sat, 08 Sep 2012 17:30:02 GMT)

Acknowledgement sent to Ulrich Dangel <uli@spamt.net>:
Extra info received and forwarded to list. Copy sent to Asheesh Laroia <asheesh@asheesh.org>. (Sat, 08 Sep 2012 17:30:03 GMT)

Message #24 received at 657046@bugs.debian.org (full text, mbox):

From: Ulrich Dangel <uli@spamt.net>
To: 657046@bugs.debian.org
Cc: Jonathan McCrohan <jmccrohan@gmail.com>
Subject: alpine: diff for NMU version 2.02+dfsg-1.1
Date: Sat, 8 Sep 2012 18:20:42 +0100
[Message part 1 (text/plain, inline)]

Dear maintainer,

I've prepared an NMU for alpine (versioned as 2.02+dfsg-1.1). The diff
is attached to this message.

Regards.

[alpine-2.02+dfsg-1.1-nmu.diff (text/x-diff, attachment)]

Reply sent to Jonathan McCrohan <jmccrohan@gmail.com>:
You have taken responsibility. (Sat, 08 Sep 2012 17:36:11 GMT)

Notification sent to Robert Tomsick <robert+debianbugs@tomsick.net>:
Bug acknowledged by developer. (Sat, 08 Sep 2012 17:36:11 GMT)

Message #29 received at 657046-close@bugs.debian.org (full text, mbox):

From: Jonathan McCrohan <jmccrohan@gmail.com>
To: 657046-close@bugs.debian.org
Subject: Bug#657046: fixed in alpine 2.02+dfsg-1.1
Date: Sat, 08 Sep 2012 17:32:43 +0000
Source: alpine
Source-Version: 2.02+dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
alpine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 657046@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan McCrohan <jmccrohan@gmail.com> (supplier of updated alpine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 08 Sep 2012 16:07:59 +0100
Source: alpine
Binary: alpine alpine-doc alpine-dbg alpine-pico pilot
Architecture: source all amd64
Version: 2.02+dfsg-1.1
Distribution: unstable
Urgency: low
Maintainer: Asheesh Laroia <asheesh@asheesh.org>
Changed-By: Jonathan McCrohan <jmccrohan@gmail.com>
Description: 
 alpine     - Text-based email client, friendly for novices but powerful
 alpine-dbg - Text-based email client's debugging symbols
 alpine-doc - Text-based email client's documentation
 alpine-pico - Simple text editor from Alpine, a text-based email client
 pilot      - Simple file browser from Alpine, a text-based email client
Closes: 657046
Changes: 
 alpine (2.02+dfsg-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Apply upstream patch disabling DES-56 to ensure RFC 5751 compliance.
     (Closes: #657046)
     - Upstream commit e2eef589799d742ea6ccaec9144dc619a516222e added as
       70_des56_rfc5751.patch
Checksums-Sha1: 
 f6bdb86e5b8f8f1975b12b5b218a50146bf2a22a 2328 alpine_2.02+dfsg-1.1.dsc
 5860267cf2549ef674c5b959fcfc9ef26047a500 15484 alpine_2.02+dfsg-1.1.debian.tar.gz
 c7b06127319f9961f6d3087f2a75b8127bf8849a 390056 alpine-doc_2.02+dfsg-1.1_all.deb
 cbfa34c3a55682cc4a507da3556d86577e22404b 3164494 alpine_2.02+dfsg-1.1_amd64.deb
 6f5601c56c4e0c5af1031189d667cd9b0798f24b 6025964 alpine-dbg_2.02+dfsg-1.1_amd64.deb
 a617c4ed752fdf2c331bfed8fb66cf614422a33a 401664 alpine-pico_2.02+dfsg-1.1_amd64.deb
 ae7c5a5be1f8b66a8931fa22735417e3dc13ab65 397598 pilot_2.02+dfsg-1.1_amd64.deb
Checksums-Sha256: 
 7d844784afe23f4f46e2217ed81ad1cd04b75c007f585418e5f20e151509667d 2328 alpine_2.02+dfsg-1.1.dsc
 44843cf9fcb9188161c1107eea7035725a96685a7e148e5f0b1dad1b41b70e8f 15484 alpine_2.02+dfsg-1.1.debian.tar.gz
 3aa57b2eaee30cb58cb421b2a34935c65470d5de081e10ac20adf88c3e4e961d 390056 alpine-doc_2.02+dfsg-1.1_all.deb
 d135f2c651d9c2356bc38047f413d7274c7fb6ff3505f879c0a06717bfb810ec 3164494 alpine_2.02+dfsg-1.1_amd64.deb
 310f3661e98bf7b3f769c69bc14a9f078380c7afe2b9e616184b0928569fc016 6025964 alpine-dbg_2.02+dfsg-1.1_amd64.deb
 5e072052f9080e9111f5562e452fe329b2b5e6b4ce64fced174de73fedf6d522 401664 alpine-pico_2.02+dfsg-1.1_amd64.deb
 989b4258515fd9d83ca5eea76e77c0dd8863adb0c4dc5f86ed36a62ffff23c42 397598 pilot_2.02+dfsg-1.1_amd64.deb
Files: 
 ba2d9edf074c8ad3ba849f317aca64e9 2328 mail optional alpine_2.02+dfsg-1.1.dsc
 1d72ba77ba7f66737d6a44d620534525 15484 mail optional alpine_2.02+dfsg-1.1.debian.tar.gz
 5e77d2a303b00e7a5b96585478041c04 390056 doc optional alpine-doc_2.02+dfsg-1.1_all.deb
 18af9f42d89646752f88df318d027180 3164494 mail optional alpine_2.02+dfsg-1.1_amd64.deb
 284241f08240235fb09f0876f9b65654 6025964 debug extra alpine-dbg_2.02+dfsg-1.1_amd64.deb
 ea0ad0fb43bb89022b8425dbd8d13975 401664 editors extra alpine-pico_2.02+dfsg-1.1_amd64.deb
 458a73a0d0c2cf7d3a71dad02356c6be 397598 utils optional pilot_2.02+dfsg-1.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQS353AAoJEASq5bOX8aqsigMP/iNh4pr+/e5kn37479Sf9hWL
tJq7zYDH69+5AtmSO4M7ATMiCst0hzkzhDL1Z8yt3zNgklSw37liXIV1U5/78lvP
dopKwm2+xlSf+3Us77zXFbX6NDesS5Ut/pohvA0WSN+iCKsvYxDOeV4ytha0v3iz
N/t/LSUUqFbNYYyuAlFS3W06fCnHElFaLZdIbg6iXsM3JtEs17WWxU44OzVMkApA
ykLBAEzSzeTQwBzNzdUELfqPEoDs17vX0hnfLUU/aR6oawx9kI7kAKQ4jLmuA7tq
Mo8o49nhSM/cVpSlSxo/1GGnF24FIIcyx6Lq6fhYqQyYcq8Eiid+rpIDImooZuNt
lsFKB1mioyST/kXygWw5ZrXizSC7nGywzxuVopRTR6jDI4BvnZptyKWSVglMWWlR
7ET/qbSHMtp3FO+sIFuMNKPb4oqpKh4Fo9dC+BNGLsRMAk8n+0TTTegVd1avMjh7
5OQ5g7UeR1P5Cw8kmO0z9u8ta0PvIWJ8qFJ21a9jiSSQ3knVNFEQcc6dX7jALT2d
B/QsvtatUbj32kcj6FiJTriZyq4j0bRQH94JNsMVLyM3iFHEjd8BIuKYheo46bw/
kvfzx0ryIm9iBlHNTo7h/eTDnZTv5YHn/zZotstHzprWyvScwifHpCy7o8nJ/OeG
3yl26lI+3R8qXt9K42fr
=IHN1
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#657046; Package alpine. (Sun, 09 Sep 2012 01:18:03 GMT)

Acknowledgement sent to Asheesh Laroia <asheesh@asheesh.org>:
Extra info received and forwarded to list. (Sun, 09 Sep 2012 01:18:03 GMT)

Message #34 received at 657046@bugs.debian.org (full text, mbox):

From: Asheesh Laroia <asheesh@asheesh.org>
To: Ulrich Dangel <uli@spamt.net>, 657046@bugs.debian.org
Cc: Jonathan McCrohan <jmccrohan@gmail.com>
Subject: Re: Bug#657046: alpine: diff for NMU version 2.02+dfsg-1.1
Date: Sat, 8 Sep 2012 21:16:07 -0400 (EDT)
On Sat, 8 Sep 2012, Ulrich Dangel wrote:

> Dear maintainer,
>
> I've prepared an NMU for alpine (versioned as 2.02+dfsg-1.1). The diff 
> is attached to this message.

Hi Ulrich, and Jonathan,

Thank you for improving this package, and sorry I didn't do this yet! I 
will be working on requesting a freeze exception for this shortly.

I'm honored that you have improved Debian, and sorry if my own latency has 
delayed that.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 18 Oct 2012 07:26:06 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 16:35:49 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.