Description of problem: ----------------------- Based on: http://www.kb.cert.org/vuls/id/268267 http://sourceforge.net/tracker/index.php?func=detail&aid=3559744&group_id=269812&atid=1147704 opendkim v2.7.0 has been released on 2012-10-24 with between others introduced also the following hardening (from RELEASE_NOTES): .. Feature request #SF3559744: Add library option DKIM_OPTS_MINKEYBITS allowing one to specify a minimum number of key bits for acceptable keys and signatures. This is exposed through new configuration file option "MinimumKeyBits". The default is 1024. .. Relevant upstream patch seem to be the following: [1] http://opendkim.git.sourceforge.net/git/gitweb.cgi?p=opendkim/opendkim;a=commitdiff;h=56f72f468dbaf924d07211aa4d460e7761ed8631 [2] http://opendkim.git.sourceforge.net/git/gitweb.cgi?p=opendkim/opendkim;a=commitdiff;h=de9a49f4b92637729be69a485d465945cf6b0155 [3] http://opendkim.git.sourceforge.net/git/gitweb.cgi?p=opendkim/opendkim;a=commitdiff;h=963bd48fb88d6c87829351e874200e744d0e3177 Though this being more of security hardening, than correcting of a real security flaw, we should introduce that option and default to 1024 bits at minimum in the versions of the opendkim package, as shipped with Fedora release of 16, 17, Fedora EPEL 5, and Fedora EPEL 6. Other references / justifications: [4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691394 [5] http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/ [6] http://cwe.mitre.org/data/definitions/326.html [7] http://cwe.mitre.org/data/definitions/347.html [8] http://eprint.iacr.org/2010/006.pdf [9] https://tools.ietf.org/html/rfc6376
Done! I've updated the spec file so that it includes "MinimumKeyBits" with a value of 1024 in the default configuration file (/etc/opendkim.conf). Because version 2.7.1 is imminent (which fixes a couple of bugs exposed by my spec file testing), I'll skip 2.7.0 and skip right to 2.7.1-1 as soon as 2.7.1 source is released (which should only be a matter of days). Current development version of spec file is here: https://github.com/stevejenkins/OpenDKIM-Fedora Thanks for the great suggestion, Jan!
opendkim-2.7.1-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/opendkim-2.7.1-1.fc16
opendkim-2.7.1-1.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/opendkim-2.7.1-1.el5
opendkim-2.7.1-1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/opendkim-2.7.1-1.fc17
opendkim-2.7.1-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/opendkim-2.7.1-1.el6
Package opendkim-2.7.1-1.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing opendkim-2.7.1-1.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-17389/opendkim-2.7.1-1.fc17 then log in and leave karma (feedback).
opendkim-2.7.1-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.