Bug 83797 - net-mail/{uw-imap|vimap} ebuild disables part of security with ssl
Bug#: 83797
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: All
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: tpeland@tkukoulu.fi
Component: Default Configs
Status Whiteboard: [stable] jaervosz
Opened: 2005-03-02 03:30 0000
Description:
When compiling uw-imap with ssl the ebuild specifically turns on support for
clear text passwords in nonsecure transports. For real servers this is not a
good thing.

I propose using local useflag to allow compiling with relaxed security. This
way I can enjoy the uw-imap updates without always first fixing the ebuild to
original security level.
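
Added example (not part of the original report, the attachment or the ebuild): one way to confirm from the outside that a rebuilt server no longer accepts cleartext passwords on an unencrypted connection is to audit the capability list it advertises before TLS. The capability names are the standard ones from RFC 3501; the function names and the sample server lines are constructed for illustration.

```python
import re

# SASL mechanisms that transmit the password itself (assumed audit list).
PLAINTEXT_SASL = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_capabilities(line):
    """Return the upper-cased capability set from an untagged CAPABILITY
    response or from a [CAPABILITY ...] response code in a greeting."""
    line = line.strip()
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\* CAPABILITY (.*)$", line, re.I))
    if not m:
        raise ValueError("no capability data in line")
    return {tok.upper() for tok in m.group(1).split()}


def audit_pre_tls(line):
    """List the ways a capability line seen *before* TLS exposes passwords."""
    caps = parse_capabilities(line)
    findings = []
    # Without LOGINDISABLED the plain LOGIN command is accepted as-is.
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN accepted before TLS")
    for mech in sorted(PLAINTEXT_SASL & caps):
        findings.append(f"{mech} offered before TLS")
    # No STARTTLS means clients cannot upgrade this connection at all.
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    return findings


# Constructed sample lines, as seen on port 143 before any STARTTLS.
RELAXED = "* OK [CAPABILITY IMAP4REV1 STARTTLS AUTH=LOGIN] mail.example.org ready"
STRICT = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\n"
NO_SSL = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"

if __name__ == "__main__":
    for name, line in (("relaxed", RELAXED), ("strict", STRICT), ("no ssl", NO_SSL)):
        print(f"{name}: {audit_pre_tls(line) or 'no cleartext exposure'}")
```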

------- Comment #1 From Tero Pelander 2005-03-02 03:33:06 0000 -------
Created an attachment (id=52443)
"lowsecurity" local flag

------- Comment #2 From Sune Kloppenborg Jeppesen 2005-03-02 14:13:19 0000 -------
net-mail please advise.

------- Comment #3 From Andrej Kacian (RETIRED) 2005-03-02 18:16:05 0000 -------
I'm all for it, with cleartext password usage disabled by default.

There's already a suitable local USE flag for this - "clearpasswd" - used by two other packages.

------- Comment #4 From Andrej Kacian (RETIRED) 2005-03-02 18:42:15 0000 -------
uw-imap-2004c-r3.ebuild is in CVS portage, with added "clearpasswd" USE flag
and an ewarn message for users in pkg_setup(). Thanks for suggesting this, it's
a good idea.

security@, feel free to close this bug, as it's yours.

------- Comment #5 From Tero Pelander 2005-03-02 23:22:38 0000 -------
The clearpasswd notification should only be displayed if "use ssl" is true. That
is the requirement for any sort of secure transport. Otherwise the
uw-imap-2004c-r3.ebuild is excellent.

------- Comment #6 From Andrej Kacian (RETIRED) 2005-03-03 01:58:18 0000 -------
Ah, sorry about that omission. Fixed in CVS now.

------- Comment #7 From Tero Pelander 2005-03-03 03:16:16 0000 -------
The warning for USE="-ssl -clearpassword" case contains a typo.

Current..: Either enable "ssl" USE flag, or disable "clearpasswd" USE flag.
Should be: Either enable "ssl" or "clearpasswd" USE flag.

------- Comment #8 From Andrej Kacian (RETIRED) 2005-03-03 04:16:15 0000 -------
Hm, I shouldn't commit after sleep deprivation. Sorry everyone.

------- Comment #9 From Fernando J. Pereda (RETIRED) 2005-03-03 04:33:02 0000 -------
I guess this one also affects vimap, doesn't it?

Cheers,
Ferdy

------- Comment #10 From Andrej Kacian (RETIRED) 2005-03-03 05:56:07 0000 -------
Yup, vimap too. Fixed in 2002c-r3.

------- Comment #11 From Sune Kloppenborg Jeppesen 2005-03-03 06:01:01 0000 -------
Arches please test and mark uw-imap-2004c-r3 and vimap-2002c-r3 stable.

------- Comment #12 From Andrej Kacian (RETIRED) 2005-03-03 09:02:00 0000 -------
Both ebuilds stable on x86.

------- Comment #13 From Michael Hanselmann (hansmi) (RETIRED) 2005-03-03 14:09:53 0000 -------
Stable on ppc.

------- Comment #14 From Gustavo Zacarias (RETIRED) 2005-03-04 12:13:43 0000 -------
sparc stable.

------- Comment #15 From Marcus D. Hanwell 2005-03-05 06:39:44 0000 -------
uw-imap-2004c-r3 stable on amd64, vimap is all ~amd64 and has not yet had much
testing.

------- Comment #16 From Bryan Østergaard (RETIRED) 2005-03-06 00:03:24 0000 -------
Stable on alpha.

------- Comment #17 From Sune Kloppenborg Jeppesen 2005-03-09 12:31:35 0000 -------
Thx everyone. Default Config issue -> closing.

hppa please remember to mark stable.

------- Comment #18 From René Nussbaumer 2005-06-26 06:16:08 0000 -------
Already stable on hppa