Bug#961472: libmail-dkim-perl: dkimproxy-sign breaks RFC with hardcoded deprecated signing algo
Christer Mjellem Strand
dilldall at bjork.org
Sun May 24 21:46:30 BST 2020
Package: libmail-dkim-perl
Version: 0.54-1
Severity: normal
Dear Maintainer,
This package ships with /usr/bin/dkimproxy-sign, from dkim-proxy, which is hardcoded to use rsa-sha1 for signing.
Beyond being generally weak, SHA-1 is now explicitly banned for DKIM use by RFC 8301:
"Due to the recognized weakness of the SHA-1 hash algorithm (see [RFC6194]) and the wide availability of the SHA-256
hash algorithm (it has been a required part of DKIM [RFC6376] since it was originally standardized in 2007), the
SHA-1 hash algorithm MUST NOT be used."
While ideally the user should be allowed to choose, if it is going to be hardcoded, at least the hardcoded value
should be SHA-256 rather than SHA-1. The supplied patch addresses this, and I would appreciate it if it could be
applied.
Thanks.
-- System Information:
Debian Release: 10.4
APT prefers stable
APT policy: (900, 'stable'), (500, 'testing')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 4.19.0-0.bpo.5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libmail-dkim-perl depends on:
ii libcrypt-openssl-rsa-perl 0.31-1+b1
ii libdigest-sha-perl 6.02-1+b1
ii liberror-perl 0.17027-2
ii libmailtools-perl 2.18-1
ii libnet-dns-perl 1.19-1
ii libperl5.24 [libdigest-sha-perl] 5.24.1-3+deb9u5
ii perl [libdigest-sha-perl] 5.28.1-6
libmail-dkim-perl recommends no packages.
libmail-dkim-perl suggests no packages.
-- no debconf information
-------------- next part --------------
--- /usr/bin/dkimproxy-sign 2018-12-04 21:15:55.000000000 +0100
+++ /usr/local/bin/dkimproxy-sign 2020-05-24 22:34:35.585654976 +0200
@@ -16,7 +16,7 @@
my $type = "dkim";
my $selector = "selector1";
-my $algorithm = "rsa-sha1";
+my $algorithm = "rsa-sha256";
my $method = "simple";
my $domain; # undef => auto-select domain
my $expiration;
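Review bot: The one-line change to `my $algorithm` only swaps the literal, so the hunk should be checked against the rest of the script for any usage or documentation text that states the default signing algorithm, and that text updated to rsa-sha256 in the same patch. The file headers also compare two installed copies (/usr/bin/dkimproxy-sign against /usr/local/bin/dkimproxy-sign), so the paths share no prefix with the package source; please regenerate the diff against the script in the source tree so it applies without naming the target file by hand.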
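A check for the condition this report describes, added here as an example (it is not part of the original report or of Mail::DKIM): it reads the `a=` tag of every DKIM-Signature header in a message and fails any signature whose hash is not SHA-256, following the RFC 8301 rule quoted above. The message, the `selector2` selector and the `bh=`/`b=` values are constructed placeholders, and `parse_tags` and `audit_signatures` are hypothetical names.

```python
import email
import re
from email import policy

# Constructed sample message: one signature per algorithm, placeholder bh=/b= values.
SAMPLE = b"""\
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=example.org; s=selector1;
\th=from:to:subject; bh=CONSTRUCTEDBH=; b=CONSTRUCTEDSIG=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
\ts=selector2; h=from:to:subject; bh=CONSTRUCTEDBH=; b=CONSTRUCTEDSIG=
From: alice@example.org
To: bob@example.net
Subject: constructed test message

body
"""


def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in value.split(";"):
        # Split on the first "=" only: base64 values end in "=" padding.
        name, sep, val = part.partition("=")
        if sep:
            # Drop folding whitespace left over from header line wrapping.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def audit_signatures(raw_message):
    """Return (domain, selector, algorithm, ok) for each DKIM-Signature header."""
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        algo = tags.get("a", "").lower()
        # RFC 8301: SHA-1 MUST NOT be used, so only a SHA-256 hash passes.
        ok = algo.rpartition("-")[2] == "sha256"
        results.append((tags.get("d"), tags.get("s"), algo, ok))
    return results


if __name__ == "__main__":
    for domain, selector, algo, ok in audit_signatures(SAMPLE):
        verdict = "ok" if ok else "REJECT (RFC 8301)"
        print(f"{selector}._domainkey.{domain}: a={algo} -> {verdict}")
```

Run against a message captured after the signing proxy, this shows which selector is still producing rsa-sha1 signatures.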