83797 2005-03-02 03:30 0000 net-mail/{uw-imap|vimap} ebuild disables part of security with ssl 2005-06-26 06:16:08 0000 1 1 1 Unclassified Gentoo Security Default Configs unspecified All All RESOLVED FIXED [stable] jaervosz P2 minor --- 1 tpeland@tkukoulu.fi security@gentoo.org net-mail@gentoo.org tpeland@tkukoulu.fi 2005-03-02 03:30:50 0000 When compiling uw-imap with ssl the ebuild specifically turns on support for clear text passwords in nonsecure transports. For real servers this is not a good thing. I propose using local useflag to allow compiling with relaxed security. This way I can enjoy the uw-imap updates without always first fixing the ebuild to original security level. tpeland@tkukoulu.fi 2005-03-02 03:33:06 0000 Created an attachment (id=52443) "lowsecurity" local flag jaervosz@gentoo.org 2005-03-02 14:13:19 0000 net-mail please advise. ticho@gentoo.org 2005-03-02 18:16:05 0000 I'm all for it, with disabling cleartext passwords usage by default. There's already a suitable local USE flag for this - "clearpasswd" - used by two other packages. ticho@gentoo.org 2005-03-02 18:42:15 0000 uw-imap-2004c-r3.ebuild is in CVS portage, with added "clearpasswd" USE flag and an ewarn message for users in pkg_setup(). Thanks for suggesting this, it's a good idea. security@, feel free to close this bug, as it's yours. tpeland@tkukoulu.fi 2005-03-02 23:22:38 0000 The clearpasswd notification should only be display if "use ssl" is true. That is the requirement for any sort of secure transport. Otherwise the uw-imap-2004c-r3.ebuild is excellent. ticho@gentoo.org 2005-03-03 01:58:18 0000 Ah, sorry about that omission. Fixed in CVS now. tpeland@tkukoulu.fi 2005-03-03 03:16:16 0000 The warning for USE="-ssl -clearpassword" case contains a typo. Current..: Either enable "ssl" USE flag, or disable "clearpasswd" USE flag. Should be: Either enable "ssl" or "clearpasswd" USE flag. ticho@gentoo.org 2005-03-03 04:16:15 0000 Hm, I shouldn't commit after sleep deprivation. Sorry everyone. ferdy@gentoo.org 2005-03-03 04:33:02 0000 I guess this one also affects to vimap, doesn't it? Cheers, Ferdy ticho@gentoo.org 2005-03-03 05:56:07 0000 Yup, vimap too. Fixed in 2002c-r3. jaervosz@gentoo.org 2005-03-03 06:01:01 0000 Arches please test and mark uw-imap-2004c-r3 and vimap-2002c-r3 stable. ticho@gentoo.org 2005-03-03 09:02:00 0000 Both ebuilds stable on x86. hansmi@gentoo.org 2005-03-03 14:09:53 0000 Stable on ppc. gustavoz@gentoo.org 2005-03-04 12:13:43 0000 sparc stable. cryos@gentoo.org 2005-03-05 06:39:44 0000 uw-imap-2004c-r3 stable on amd64, vimap is all ~amd64 and has not yet had much testing. kloeri@gentoo.org 2005-03-06 00:03:24 0000 Stable on alpha. jaervosz@gentoo.org 2005-03-09 12:31:35 0000 Thx everyone. Default Config issue -> closing. hppa please remember to mark stable. killerfox@gentoo.org 2005-06-26 06:16:08 0000 Already stable on hppa 52443 2005-03-02 03:33 0000 "lowsecurity" local flag 2004c-r2.diff text/plain LS0tIHV3LWltYXAtMjAwNGMtcjIuZWJ1aWxkLk9SSUcJMjAwNS0wMy0wMiAxMjoyNjo0Ni40MDIw NzgxNzIgKzAyMDAKKysrIHV3LWltYXAtMjAwNGMtcjIuZWJ1aWxkCTIwMDUtMDMtMDIgMTI6Mjg6 NTIuNDc1NTAzMzU2ICswMjAwCkBAIC0xNCw3ICsxNCw3IEBACiBMSUNFTlNFPSJhcy1pcyIKIFNM T1Q9IjAiCiBLRVlXT1JEUz0ifng4NiB+c3BhcmMgfnBwYyB+aHBwYSB+YWxwaGEgfmFtZDY0Igot SVVTRT0iaXB2NiBzc2wgcGljIGtlcmJlcm9zIgorSVVTRT0iaXB2NiBzc2wgcGljIGtlcmJlcm9z IGxvd3NlY3VyaXR5IgogCiBQUk9WSURFPSJ2aXJ0dWFsL2ltYXBkIgogUFJPVklERT0iJHtQUk9W SURFfSB2aXJ0dWFsL2ltYXAtYy1jbGllbnQiCkBAIC05MSw3ICs5MSwxMSBAQAogCWlmIHVzZSBz c2w7IHRoZW4KIAkJY2QgJHtTfQogCQllY2hvICR7bXltYWtlfQotCQl5ZXMgfCBtYWtlIGxucCAk e215bWFrZX0gJHtpcHZlcn0gU1NMVFlQRT11bml4IEVYVFJBQ0ZMQUdTPSIke0NGTEFHU30iIHx8 IGRpZQorCQlpZiB1c2UgbG93c2VjdXJpdHkgOyB0aGVuCisJCQl5ZXMgfCBtYWtlIGxucCAke215 bWFrZX0gJHtpcHZlcn0gU1NMVFlQRT11bml4IEVYVFJBQ0ZMQUdTPSIke0NGTEFHU30iIHx8IGRp ZQorCQllbHNlCisJCQltYWtlIGxucCAke215bWFrZX0gJHtpcHZlcn0gU1NMVFlQRT11bml4Lm5v cHdkIEVYVFJBQ0ZMQUdTPSIke0NGTEFHU30iIHx8IGRpZQorCQlmaQogCiAJCWxvY2FsIGkKIAkJ Zm9yIGkgaW4gaW1hcGQgaXBvcDNkOyBkbwo=