On Thu, Mar 24, 2016, at 21:52, Adam D. Barratt wrote:
> On Thu, 2016-03-24 at 21:33 +0100, Ondřej Surý wrote:
> > On Thu, Mar 24, 2016, at 21:23, Adam D. Barratt wrote:
> > > On Thu, 2016-03-24 at 21:14 +0100, Ondřej Surý wrote:
> > > > On Thu, Mar 24, 2016, at 20:51, Adam D. Barratt wrote:
> > > > > On Thu, 2016-03-24 at 10:16 +0100, Ondřej Surý wrote:
> > > > > > And the patches...
> > > > >
> > > > > Thanks.
> > > > >
> > > > > While I'm generally more comfortable (happier's not really the right
> > > > > word) with the changes, it looks like some of the changes aren't applied
> > > > > in unstable - particularly the disabling of TLS compression and the
> > > > > fixes for the CVEs; is that correct, or am I missing something?
> > > >
> > > > Hmm, I thought that the 2.4.18 upstream version included both, which is true
> > > > for TLS-configuration.patch, CVE-2011-3208.patch and
> > > > CVE-2015-8076.patch, but it looks like CVE-2015-8077.patch and
> > > > CVE-2015-8078.patch:
> > >
> > > In terms of the TLS changes, the 2.4.18 currently in unstable appears to
> > > include the compression disabling in imtest/imtest.c but not the changes
> > > in imap/tls.c afaict.
> >
> > $ patch -p1 --dry-run -i /tmp/TLS-configuration.patch
> > checking file imap/tls.c
> > Reversed (or previously applied) patch detected!  Assume -R? [n]
> > Apply anyway? [n]
> > Skipping patch.
> > 6 out of 6 hunks ignored
> > checking file lib/imapoptions
> > Reversed (or previously applied) patch detected!  Assume -R? [n]
> > Apply anyway? [n]
> > Skipping patch.
> > 2 out of 2 hunks ignored
> >
> > Or do you have anything else in mind and I just can't see it?
>
> I was looking at cyrus-tls-1.2.patch, which includes some compression
> changes. Unstable has
>
>  lib/imclient.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> whereas the equivalently named patch in your jessie upload touches
> imclient.c, imtest.c and tls.c.
>
> Similarly:
>
> adsb@franck:~/cyrus-imapd-2.4-2.4.18$ grep -ir NO_COMPRESSION .
> ./debian/patches/0032-cyrus-tls-1.2.patch:+        off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
> ./lib/prot.c:        zlevel = Z_NO_COMPRESSION;
> ./lib/imclient.c:        off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
>
> against:
>
> $ zgrep NO_COMPRESSION /srv/release.debian.org/www/proposed-updates/jessie_diffs/cyrus-imapd-2.4_2.4.17+nocaldav-0~deb8u1.debdiff.gz
>
> +        off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
> ++        off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
> ++        off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
> ++        off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
> ++        off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */

This should not be strictly needed as 2.4.18 has a new option 'tls_compression' that's disabled by default, but I have restored that part of the patch anyway.

(Also I am not that sure that BEAST/CRIME/BREACH attacks apply to IMAP as well, but better be safe than sorry...)

Cheers,
-- 
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
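Added example (not code from this thread or from Cyrus): the thread verifies the compression mitigation by grepping the source tree for SSL_OP_NO_COMPRESSION; the check below verifies it on a TLS context at runtime instead, using Python's ssl module, which exposes the same OpenSSL option bit as ssl.OP_NO_COMPRESSION. The "unpatched" context is constructed deliberately by clearing the bit, to stand in for a build where the patch was not applied.

```python
import ssl

# ssl.OP_NO_COMPRESSION is the OpenSSL SSL_OP_NO_COMPRESSION option that the
# Cyrus patch ORs into the SSL_CTX options ("off |= SSL_OP_NO_COMPRESSION").


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True if this context will refuse to negotiate TLS-level compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def unpatched_server_context() -> ssl.SSLContext:
    """Constructed 'before' state: mimic a build without the patch by
    clearing the bit (Python sets it by default, which is exactly the kind
    of library default a daemon should not silently rely on)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)
    return ctx


def patched_server_context() -> ssl.SSLContext:
    """What the patch does: set the option explicitly so the mitigation
    holds regardless of the OpenSSL build or the library's defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def audit_contexts(contexts: dict) -> list:
    """Return the names of contexts that still allow TLS compression."""
    return sorted(name for name, ctx in contexts.items()
                  if not compression_disabled(ctx))


def check_live_socket(sock: ssl.SSLSocket) -> bool:
    """After a handshake, confirm that no compression method was actually
    negotiated; this is the observation that matters on a running server."""
    return sock.compression() is None


if __name__ == "__main__":
    findings = audit_contexts({
        "unpatched": unpatched_server_context(),
        "patched": patched_server_context(),
    })
    print("contexts still allowing TLS compression:", findings)
```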