gnu: heimdal: Update to 7.4.0.

Done

Details

5 participants

Alex Vong
宋文武
Leo Famulari
Christopher Baines
Ricardo Wurmus

Owner: unassigned

Submitted by: Alex Vong

Severity: normal

Debbugs page

Alex Vong wrote on 18 Jul 2017 01:26

[PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

Recipients:(address . guix-patches@gnu.org)

Message-ID:87wp76kv68.fsf@gmail.com

Tags: security

Hello,

THis patch upgrades heimdal to its latest version, fixing

CVE-2017-11103. Here are a few remarks:

1. Upstream switches to github for hosting

2. A lots of libraries are bundled

3. Many db tests fail

4. It does not build reproducibly

I decide to submit this despite many db tests fail because I think we

should fix CVE-2017-11103 asap.

Attachment: 0001-gnu-heimdal-Update-to-7.4.0-fixes-CVE-2017-11103.patch

Cheers,

Alex

Leo Famulari wrote on 18 Jul 2017 08:49

Recipients:(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)

Message-ID:20170718154906.GB16798@jasmine.lan

On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:

Toggle quote (3 lines)

> THis patch upgrades heimdal to its latest version, fixing

> CVE-2017-11103. Here are a few remarks:

Thanks! We also need to look at our samba package, which bundles heimdal

(we should fix that).

Toggle quote (2 lines)

> 1. Upstream switches to github for hosting

Okay.

Toggle quote (2 lines)

> 2. A lots of libraries are bundled

Which directory are they in? We should take a look at them and weigh the

risk of adding new vulnerabilities through the use of (possibly old and

unmaintained) bundled libraries.

If things look complicated, maybe it's possible to apply a patch to this

older Heimdal while we figure everything out.

Maybe we can find a patch for CVE-2017-11103 from Red Hat or another

long-term-support distro. I noticed an unrelated patch for Heimdal

1.6 here:

https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a

Toggle quote (2 lines)

> 3. Many db tests fail

Do you think they are a problem in practice? Ludovic, you added Heimdal,

what do you think about this big version bump?

Toggle quote (2 lines)

> 4. It does not build reproducibly

Not great but also not a blocker.

Toggle quote (19 lines)> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
> 
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.

>         #:phases (modify-phases %standard-phases
> +                  (add-after 'unpack 'pre-build
> +                    (lambda _
> +                      (for-each (lambda (file) ;fix sh paths
> +                                  (substitute* file
> +                                    (("/bin/sh")
> +                                     (which "sh"))))
> +                                '("appl/afsutil/pagsh.c" "tools/Makefile.am"))

Do we re-bootstrap because we edit Makefile.am? Is it possible to edit

the generated Makefile directly?

Leo Famulari wrote on 18 Jul 2017 08:51

Recipients:(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)

Message-ID:20170718155119.GA12939@jasmine.lan

On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:

Toggle quote (7 lines)

> On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:

> > THis patch upgrades heimdal to its latest version, fixing

> > CVE-2017-11103. Here are a few remarks:

> Thanks! We also need to look at our samba package, which bundles heimdal

> (we should fix that).

This vulnerability in samba's bundled heimdal was fixed in
81dfbffc5480699f79ea23a82bf8a4a557176670. Perhaps we can find inspiration
for a patch there, if necessary.

Leo Famulari wrote on 18 Jul 2017 08:53

Recipients:(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)

Message-ID:20170718155335.GA15745@jasmine.lan

On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:

Toggle quote (5 lines)

> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another

> long-term-support distro. I noticed an unrelated patch for Heimdal

> 1.6 here:

> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a

I'm not sure what version of heimdal FreeBSD packages, but they are

offering a patch for this, linked from their advisory:

https://www.freebsd.org/security/advisories/FreeBSD-SA-17:05.heimdal.asc

Alex Vong wrote on 19 Jul 2017 02:22

Recipients:(name . Leo Famulari)(address . leo@famulari.name)(address . 27749@debbugs.gnu.org)

Message-ID:87bmogzspe.fsf@gmail.com

Leo Famulari <leo@famulari.name> writes:

[...]

Toggle quote (6 lines)>> 2. A lots of libraries are bundled
>
> Which directory are they in? We should take a look at them and weigh the
> risk of adding new vulnerabilities through the use of (possibly old and
> unmaintained) bundled libraries.
>

They live in lib/. Also the configure script provides options to use

system library instead of bundled ones.

Toggle quote (8 lines)> If things look complicated, maybe it's possible to apply a patch to this
> older Heimdal while we figure everything out.
>
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
>

Agree, we should patch the old version first and deal with the bundled

libraries and test failures later.

Toggle quote (5 lines)>> 3. Many db tests fail
>
> Do you think they are a problem in practice? Ludovic, you added Heimdal,
> what do you think about this big version bump?
>

I don't know. I am hoping some test failures will disappear after we

remove bundled libraries.

Toggle quote (26 lines)>> 4. It does not build reproducibly
>
> Not great but also not a blocker.
>
>> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Tue, 18 Jul 2017 06:36:48 +0800
>> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>> 
>> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
>> [source]: Update source uri.
>> [arguments]: Adjust #:configure-flags and build phases accordingly.
>> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
>
>>         #:phases (modify-phases %standard-phases
>> +                  (add-after 'unpack 'pre-build
>> +                    (lambda _
>> +                      (for-each (lambda (file) ;fix sh paths
>> +                                  (substitute* file
>> +                                    (("/bin/sh")
>> +                                     (which "sh"))))
>> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
>
> Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
> the generated Makefile directly?

I will try but personally I prefer patching the source and re-generate

the generated files. Patching the generated files feel like a hack to

me. What do you think?

Thanks for the suggestions!

Here is the patch:

From fedc82524dcc8d0e8052a4837d7864fe84ca6f8e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 19 Jul 2017 17:01:47 +0800
Subject: [PATCH] gnu: heimdal: Fix CVE-2017-11103.

* gnu/packages/patches/heimdal-CVE-2017-11103.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kerberos.scm (heimdal)[source]: Use it.
---
 gnu/local.mk                                      |  1 +
 gnu/packages/kerberos.scm                         |  1 +
 gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 +++++++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch

Toggle diff (77 lines)diff --git a/gnu/local.mk b/gnu/local.mk
index 92ad112cf..d2ae454c0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/hdf-eos5-remove-gctp.patch		\
   %D%/packages/patches/hdf-eos5-fix-szip.patch			\
   %D%/packages/patches/hdf-eos5-fortrantests.patch		\
+  %D%/packages/patches/heimdal-CVE-2017-11103.patch		\
   %D%/packages/patches/higan-remove-march-native-flag.patch	\
   %D%/packages/patches/hubbub-sort-entities.patch		\
   %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch        \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..3b0050fc1 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -144,6 +144,7 @@ secure manner through client-server mutual authentication via tickets.")
               (sha256
                (base32
                 "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+              (patches (search-patches "heimdal-CVE-2017-11103.patch"))
               (modules '((guix build utils)))
               (snippet
                '(substitute* "configure"
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
new file mode 100644
index 000000000..d76f0df36
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11103:
+
+https://orpheus-lyre.info/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+https://security-tracker.debian.org/tracker/CVE-2017-11103
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
+
+From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman@secure-endpoints.com>
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'.  Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d1b..b8d81c6ad 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+     /* check server referral and save principal */
+     ret = _krb5_principalname2krb5_principal (context,
+ 					      &tmp_principal,
+-					      rep->kdc_rep.ticket.sname,
+-					      rep->kdc_rep.ticket.realm);
++					      rep->enc_part.sname,
++					      rep->enc_part.srealm);
+     if (ret)
+ 	goto out;
+     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+-- 
+2.13.3
+
-- 
2.13.3

Cheers,

Alex

Alex Vong wrote on 19 Jul 2017 04:04

Recipients:(name . Leo Famulari)(address . leo@famulari.name)(address . 27749@debbugs.gnu.org)

Message-ID:877ez4znze.fsf@gmail.com

I find out that our version of heimdal is also affected by

CVE-2017-6594. So I amend the previous patch to fix it as well.

Changes to 'NEWS' and files in 'tests/' does not apply, so I remove

them. Also, I change hunk#4 of 'kdc/krb5tgs.c' so that it applies.

It used to be:

foo

foo*

+bar

+bar*

baz

baz*

Now it is:

foo

foo*

+bar

+bar*

<empty-line>

Here is the updated patch:

Attachment: 0001-gnu-heimdal-Fix-CVE-2017-6594-11103.patch

Cheers,

Alex

Alex Vong wrote on 20 Jul 2017 05:48

[PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87bmofjmua.fsf@gmail.com

package guix-patches
retitle 27749 [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
thanks

Leo Famulari wrote on 20 Jul 2017 12:51

Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

Recipients:(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)

Message-ID:20170720195134.GA19680@jasmine.lan

On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:

Toggle quote (12 lines)> Here is the updated patch:
> 
> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Wed, 19 Jul 2017 17:01:47 +0800
> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
> 
> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.

Thanks! I recreated the commit since the patch no longer applied to

'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.

I'm leaving this bug open for now so we can discuss the update.

By the way everyone, the vulnerability disclosure / promotion web page,

https://orpheus-lyre.info, has a nice primer on the bug (warning, the

page plays music automatically). Thanks for including that, Alex.

Ricardo Wurmus wrote on 18 Oct 2017 14:31

Recipients:(name . Alex Vong)(address . alexvong1995@gmail.com)

Message-ID:871sm03zyd.fsf@elephly.net

Hi Alex,

Toggle quote (18 lines)> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>> Here is the updated patch:
>>
>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>
>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>
> Thanks! I recreated the commit since the patch no longer applied to
> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>
> I'm leaving this bug open for now so we can discuss the update.

As mentioned before, the new release bundles a bunch of third party

libraries. It is not clear to me if *all* things under “lib” are

external libraries or if some of them are part of the source code of

heimdal.

Can we learn from the Debian package for heimdal here?

I think we really ought to update from the very old version we are using

currently.

Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC

https://elephly.net

Ricardo Wurmus wrote on 18 Oct 2017 15:44

control message for bug #27749

Recipients:(address . control@debbugs.gnu.org)

Message-ID:E1e54NT-0007TO-DR@debbugs.gnu.org

retitle 27749 gnu: heimdal: Update to 7.4.0.

Alex Vong wrote on 19 Oct 2017 07:57

Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

Recipients:(name . Ricardo Wurmus)(address . rekado@elephly.net)

Message-ID:87vajbchiv.fsf@gmail.com

Ricardo Wurmus <rekado@elephly.net> writes:

Toggle quote (25 lines)> Hi Alex,
>
>> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>>> Here is the updated patch:
>>>
>>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>>> From: Alex Vong <alexvong1995@gmail.com>
>>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>>
>>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>>> * gnu/local.mk (dist_patch_DATA): Add them.
>>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>>
>> Thanks! I recreated the commit since the patch no longer applied to
>> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>>
>> I'm leaving this bug open for now so we can discuss the update.
>
> As mentioned before, the new release bundles a bunch of third party
> libraries.  It is not clear to me if *all* things under “lib” are
> external libraries or if some of them are part of the source code of
> heimdal.
>

No, I don't think so. At least the heimdal/ subdirectory[0] should

contain non-third-party code.

Toggle quote (2 lines)

> Can we learn from the Debian package for heimdal here?

Good suggestion, I think the Build-Depends field in [1] will help. For

exmaples, we should not use the bundled sqlite.

Toggle quote (3 lines)

> I think we really ought to update from the very old version we are using

> currently.

Agree, our version is even older than the one in Debian old stable.

Toggle quote (6 lines)

> --

> Ricardo

> GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC

> https://elephly.net

[0]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/lib.

[1]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/debian/control

Alex Vong wrote on 21 Oct 2017 02:52

Recipients:(name . Ricardo Wurmus)(address . rekado@elephly.net)

Message-ID:87k1zon7yd.fsf@gmail.com

Hello,

This is the new patch. It is basically the first patch but with the

sqlite and libedit bundled dependecies removed. I don't know if there

are any other bundled dependencies so I am asking this on the heimdal

mailing list.

Also, since I am not a user of heimdal, we need someone to check if the

new version does work properly (as some test failures occur).

Attachment: 0001-gnu-heimdal-Update-to-7.4.0.patch

Cheers,

Alex

Leo Famulari wrote on 26 Nov 2017 14:59

Recipients:(name . Alex Vong)(address . alexvong1995@gmail.com)

Message-ID:20171126225942.GB10571@jasmine.lan

On Sat, Oct 21, 2017 at 05:52:58PM +0800, Alex Vong wrote:

Toggle quote (22 lines)> Hello,
> 
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependecies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
> 
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
> 

> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
> 
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzip
> and sqlite.

What's the status of this patch? Did anyone test it?

Christopher Baines wrote on 19 Mar 2018 01:21

control message for bug #27749

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87in9s5vd2.fsf@cbaines.net

tags 27749 patch

宋

宋文武 wrote on 10 Jun 2018 01:04

Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

Recipients:(name . Alex Vong)(address . alexvong1995@gmail.com)

Message-ID:87fu1vgj9i.fsf@member.fsf.org

Alex Vong <alexvong1995@gmail.com> writes:

Toggle quote (16 lines)> Hello,
>
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependecies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
>
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
>
> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
>

Hello, I adjust this patch to version '7.5.0', and pushed, thank you!

Closing now :-)

Closed

Alex Vong wrote on 24 Jun 2018 20:16

Recipients:(name . 宋文武)(address . iyzsong@member.fsf.org)

Message-ID:CADrxHD_kcNYV2tK_7+bd80W37uHpSjMfXK47ZPrNevGnZpn=Og@mail.gmail.com

Thanks for taking care of it!

On 10 June 2018 at 16:04, 宋文武 <iyzsong@member.fsf.org> wrote:

Toggle quote (22 lines)> Alex Vong <alexvong1995@gmail.com> writes:
>
> > Hello,
> >
> > This is the new patch. It is basically the first patch but with the
> > sqlite and libedit bundled dependecies removed. I don't know if there
> > are any other bundled dependencies so I am asking this on the heimdal
> > mailing list.
> >
> > Also, since I am not a user of heimdal, we need someone to check if the
> > new version does work properly (as some test failures occur).
> >
> > From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> > From: Alex Vong <alexvong1995@gmail.com>
> > Date: Tue, 18 Jul 2017 06:36:48 +0800
> > Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
> >
>
> Hello, I adjust this patch to version '7.5.0', and pushed, thank you!
>
> Closing now :-)
>

Attachment: file

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 27749@patchwise.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 27749

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date