Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2011/05/19 19:41:57 UTC

[Bug 6595] New: "Disable SSLv2 support due to its removal from OpenSSL" - Debian patch

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6595

             Bug #: 6595
           Summary: "Disable SSLv2 support due to its removal from
                    OpenSSL" - Debian patch
           Product: Spamassassin
           Version: SVN Trunk (Latest Devel Version)
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: spamc/spamd
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: Darxus@ChaosReigns.com
    Classification: Unclassified


Created attachment 4898
  --> https://issues.apache.org/SpamAssassin/attachment.cgi?id=4898
Disable SSLv2 support due to its removal from OpenSSL

Patch attached.  I'm not sure what version it should be applied to.  I think it
fixes a build breakage with the latest version of SSL.  Description of change
from Debian:

From debian/changelog:

spamassassin (3.3.1-2) unstable; urgency=low

  * Disable SSLv2 support due to its removal from OpenSSL (Closes: 622053)
...

 -- Noah Meyerhans <no...@debian.org>  Sun, 10 Apr 2011 20:58:34 -0700


From debian/NEWS:

spamassassin (3.3.1-2) unstable; urgency=low

  This version of spamassassin introduces a change in behavior when
  using SSL to encrypt communication between spamc and spamd.  This
  change only affects usage of spamc or spamd with the --ssl option.
  Due to protocol insecurity, OpenSSL has removed support for SSL
  version 2.  Consequently, the "sslv2" and "sslv23" options have been
  removed from spamc and spamd.  The default option is sslv3.

  This change should be transparent unless you are using spamc or spamd
  with a peer that is explicitly configured to use only sslv2

 -- Noah Meyerhans <no...@debian.org>  Sun, 10 Apr 2011 18:27:36 -0700

-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug 6595] "Disable SSLv2 support due to its removal from OpenSSL" - Debian patch

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6595

--- Comment #1 from Mark Martinec <Ma...@ijs.si> 2011-05-20 00:21:51 UTC ---
Thank you for the information and the patch, makes sense.
For starters we can apply it to trunk and let people try it.
Possibly too much of a change just before the 3.3.2 wrapup
(but don't take my word for it, we are not using spamc/spamd
here, so my voice doesn't count much on this topic).


[Bug 6595] [review] "Disable SSLv2 support due to its removal from OpenSSL" - Debian patch

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6595

--- Comment #7 from Darxus <Da...@ChaosReigns.com> 2011-05-26 19:52:20 UTC ---
(In reply to comment #6)
> Already marked as resolved/fixed as well.

That was an explanation, not a request, for a status change :)


[Bug 6595] [review] "Disable SSLv2 support due to its removal from OpenSSL" - Debian patch

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6595

--- Comment #6 from Kevin A. McGrail <km...@pccc.com> 2011-05-26 19:12:44 UTC ---
(In reply to comment #5)
> Already committed to target (3.4.0 / trunk).

Already marked as resolved/fixed as well.


[Bug 6595] [review] "Disable SSLv2 support due to its removal from OpenSSL" - Debian patch

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6595

Darxus <Da...@ChaosReigns.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Darxus@ChaosReigns.com
            Summary|"Disable SSLv2 support due  |[review] "Disable SSLv2
                   |to its removal from         |support due to its removal
                   |OpenSSL" - Debian patch     |from OpenSSL" - Debian
                   |                            |patch


[Bug 6595] [review] "Disable SSLv2 support due to its removal from OpenSSL" - Debian patch

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6595

Kevin A. McGrail <km...@pccc.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kmcgrail@pccc.com
  Status Whiteboard|                            |needs 2 votes for 3.3.2

--- Comment #2 from Kevin A. McGrail <km...@pccc.com> 2011-05-24 21:41:05 UTC ---
I am running this on devel and production servers running RH and it's a
long-standing downstream patch from Debian.  +1 for 3.3.2.

Committed to trunk and will notify Debian package maintainer so they can be
prepared for this issue.

Sending        spamc/libspamc.c
Sending        spamc/libspamc.h
Sending        spamc/spamc.c
Sending        spamc/spamc.pod
Sending        spamd/spamd.raw
Transmitting file data .....
Committed revision 1127260.


[Bug 6595] [review] "Disable SSLv2 support due to its removal from OpenSSL" - Debian patch

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6595

--- Comment #3 from Darxus <Da...@ChaosReigns.com> 2011-05-24 21:53:18 UTC ---
It's not a "long-standing downstream patch from debian".  They only created it
44 days ago.  It's currently in their unstable and testing releases, and Ubuntu
Oneiric (scheduled to be released in October).  So it probably hasn't seen a lot
of use on production mail servers.

Not saying there's anything wrong with it, just that it hasn't actually seen
extensive end user testing in stable releases.


[Bug 6595] [review] "Disable SSLv2 support due to its removal from OpenSSL" - Debian patch

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6595

Kevin A. McGrail <km...@pccc.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|3.3.2                       |3.4.0
  Status Whiteboard|needs 2 votes for 3.3.2     |

--- Comment #4 from Kevin A. McGrail <km...@pccc.com> 2011-05-24 22:06:17 UTC ---
(In reply to comment #3)
> It's not a "long-standing downstream patch from debian".  They only created it
> 44 days ago.  It's currently in their unstable and testing releases, and Ubuntu
> Oneiric (scheduled to be released in October).  So it probably hasn't seen a lot
> of use on production mail servers.
> 
> Not saying there's anything wrong with it, just that it hasn't actually seen
> extensive end user testing in stable releases.

Thanks for the catch.  I mixed it up in the Debian changelog with a 2003 patch.
Retargeting to 3.4.0.


[Bug 6595] [review] "Disable SSLv2 support due to its removal from OpenSSL" - Debian patch

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6595

Darxus <Da...@ChaosReigns.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #5 from Darxus <Da...@ChaosReigns.com> 2011-05-26 19:06:25 UTC ---
Already committed to target (3.4.0 / trunk).
