author | bsiegert <bsiegert@pkgsrc.org> | 2016-03-03 20:22:52 +0000 |
---|---|---|
committer | bsiegert <bsiegert@pkgsrc.org> | 2016-03-03 20:22:52 +0000 |
commit | ab4526b8ebeca5eb7ba8bda562947706d436d594 (patch) | |
tree | 97f38778c531e938038f11465df30d30d596b6a5 | |
parent | 7df4a33ac1106c0abfb2698ed3b18c37c399d53e (diff) | |
download | pkgsrc-ab4526b8ebeca5eb7ba8bda562947706d436d594.tar.gz |
Pullup ticket #4942 - requested by wiedi
mail/exim: security fix
Revisions pulled up:
- mail/exim-html/Makefile 1.30-1.31
- mail/exim-html/PLIST 1.14
- mail/exim-html/distinfo 1.25-1.26
- mail/exim/Makefile 1.142-1.143
- mail/exim/distinfo 1.63-1.64
- mail/exim/patches/patch-aa 1.24
---
Module Name: pkgsrc
Committed By: bsiegert
Date: Sun Jan 10 20:55:57 UTC 2016
Modified Files:
pkgsrc/mail/exim: Makefile distinfo
pkgsrc/mail/exim/patches: patch-aa
Log Message:
Update exim to 4.86.
Exim version 4.86
-----------------
JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now
expanded.
JH/02 The smtp transport option "multi_domain" is now expanded.
JH/03 The smtp transport now requests PRDR by default, if the server offers
it.
JH/04 Certificate name checking on server certificates, when exim is a client,
is now done by default. The transport option tls_verify_cert_hostnames
can be used to disable this per-host. The build option
EXPERIMENTAL_CERTNAMES is withdrawn.
JH/05 The value of the tls_verify_certificates smtp transport and main options
default to the word "system" to access the system default CA bundle.
For GnuTLS, only version 3.0.20 or later.
JH/06 Verification of the server certificate for a TLS connection is now tried
(but not required) by default. The verification status is now logged by
default, for both outbound TLS and client-certificate supplying inbound
TLS connections
JH/07 Changed the default rfc1413 lookup settings to disable calls. Few
sites use this now.
JH/08 The EXPERIMENTAL_DSN compile option is no longer needed; all Delivery
Status Notification (bounce) messages are now MIME format per RFC 3464.
Support for RFC 3461 DSN options NOTIFY,ENVID,RET,ORCPT can be advertised
under the control of the dsn_advertise_hosts option, and routers may
have a dsn_lasthop option.
JH/09 A timeout of 2 minutes is now applied to all malware scanner types by
default, modifiable by a malware= option. The list separator for
the options can now be changed in the usual way. Bug 68.
JH/10 The smtp_receive_timeout main option is now expanded before use.
JH/11 The incoming_interface log option now also enables logging of the
local interface on delivery outgoing connections.
JH/12 The cutthrough-routing facility now supports multi-recipient mails,
if the interface and destination host and port all match.
JH/13 Bug 344: The verify = reverse_host_lookup ACL condition now accepts a
/defer_ok option.
JH/14 Bug 1573: The spam= ACL condition now additionally supports Rspamd.
Patch from Andrew Lewis.
JH/15 Bug 670: The spamd_address main option (for the spam= ACL condition)
now supports optional time-restrictions, weighting, and priority
modifiers per server. Patch originally by <rommer%active.by@localhost>.
JH/16 The spamd_address main option now supports a mixed list of local
and remote servers. Remote servers can be IPv6 addresses, and
specify a port-range.
JH/17 Bug 68: The spamd_address main option now supports an optional
timeout value per server.
JH/18 Bug 1581: Router and transport options headers_add/remove can
now have the list separator specified.
JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry
option values.
JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails
under OpenSSL.
JH/21 Support for the A6 type of dns record is withdrawn.
JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters
rather than the verbs used.
JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size
from 255 to 1024 chars.
JH/24 Verification callouts now attempt to use TLS by default.
HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains)
are generic router options now. The defaults didn't change.
JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames.
Original patch from Alexander Shikoff, worked over by JH.
HS/02 Bug 1575: exigrep falls back to autodetection of compressed
files if ZCAT_COMMAND is not executable.
JH/26 Bug 1539: Add timeout/retry options on dnsdb lookups.
JH/27 Bug 286: Support SOA lookup in dnsdb lookups.
JH/28 Bug 1588: Do not use the A lookup following an AAAA for setting the FQDN.
Normally benign, it bites when the pair was led to by a CNAME;
modern usage is to not canonicalize the domain to a CNAME target
(and we were inconsistent anyway for A-only vs AAAA+A).
JH/29 Bug 1632: Removed the word "rejected" from line logged for ACL discards.
JH/30 Check the forward DNS lookup for DNSSEC, in addition to the reverse,
when evaluating $sender_host_dnssec.
JH/31 Check the HELO verification lookup for DNSSEC, adding new
$sender_helo_dnssec variable.
JH/32 Bug 1397: Enable ECDHE on OpenSSL, just the NIST P-256 curve.
JH/33 Bug 1346: Note MAIL cmd seen in -bS batch, to avoid smtp_no_mail log.
JH/34 Bug 1648: Fix a memory leak seen with "mailq" and large queues.
JH/35 Bug 1642: Fix support of $spam_ variables at delivery time. Was
documented as working, but never had. Support all but $spam_report.
JH/36 Bug 1659: Guard checking of input smtp commands against pseudo-command
added for tls authenticator.
---
Module Name: pkgsrc
Committed By: adam
Date: Mon Jan 11 08:35:32 UTC 2016
Modified Files:
pkgsrc/mail/exim-html: Makefile PLIST distinfo
Log Message:
Match mail/exim version
---
Module Name: pkgsrc
Committed By: wiedi
Date: Wed Mar 2 20:13:18 UTC 2016
Modified Files:
pkgsrc/mail/exim: Makefile distinfo
pkgsrc/mail/exim-html: Makefile distinfo
Log Message:
Update mail/exim and mail/exim-html to 4.86.2
Exim version 4.86.2
-------------------
Portability release of 4.86.1
Exim version 4.86.1
-------------------
HS/04 Add support for keep_environment and add_environment options.
This fixes CVE-2016-1531.
All installations having Exim set-uid root and using 'perl_startup' are
vulnerable to a local privilege escalation. Any user who can start an
instance of Exim (and this is normally *any* user) can gain root
privileges. If you do not use 'perl_startup' you *should* be safe.
New options
-----------
We had to introduce two new configuration options:
keep_environment =
add_environment =
Both options are empty per default. That is, Exim cleans the complete
environment on startup. This affects Exim itself and any subprocesses,
as transports, that may call other programs via some alias mechanisms,
as routers (queryprogram), lookups, and so on. This may affect used
libraries (e.g. LDAP).
** THIS MAY BREAK your existing installation **
If both options are not used in the configuration, Exim issues a warning
on startup. This warning disappears if at least one of these options is
used (even if set to an empty value).
keep_environment should contain a list of trusted environment variables.
(Do you trust PATH?). This may be a list of names and REs.
keep_environment = ^LDAP_ : FOO_PATH
To add (or override) variables, you can use add_environment:
add_environment = <; PATH=/sbin:/usr/sbin
New behaviour
-------------
Now Exim changes its working directory to / right after startup,
even before reading its configuration. (Later Exim changes its working
directory to $spool_directory, as usual.)
Exim only accepts an absolute configuration file path now, when using
the -C option.
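The allow-list behaviour described under "New options" above, sketched in C as an added example; it is not part of this commit and is not Exim's code. The list syntax (entries beginning with ^ are regular expressions on the variable name, others are exact names), the function names and the sample variables are assumptions; PATH sits on the constructed keep list only to show add_environment overriding it.

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>

typedef const char *const *strlist_t;   /* NULL-terminated string array */

/* Assumed list syntax: a keep entry starting with '^' is a POSIX extended
   regex matched against the variable name; any other entry is an exact name. */
static int name_is_kept(const char *name, strlist_t keep) {
    for (regex_t re; *keep; keep++) {
        if ((*keep)[0] != '^') {
            if (strcmp(name, *keep) == 0) return 1;
        } else if (regcomp(&re, *keep, REG_EXTENDED | REG_NOSUB) == 0) {
            int rc = regexec(&re, name, 0, NULL, 0);
            regfree(&re);
            if (rc == 0) return 1;
        }
    }
    return 0;
}

/* Kept inherited entries, then add entries (override by name); caller frees. */
const char **scrub_env(strlist_t env, strlist_t keep, strlist_t add) {
    size_t n = 0, out = 0;
    for (strlist_t p = env; *p; p++) n++;
    for (strlist_t p = add; *p; p++) n++;
    const char **clean = calloc(n + 1, sizeof *clean);
    if (!clean) return NULL;
    for (; *env; env++) {
        const char *eq = strchr(*env, '=');
        size_t len = eq ? (size_t)(eq - *env) : 0;
        char name[256] = {0};
        int overridden = 0;
        if (len == 0 || len >= sizeof name) continue;   /* malformed: drop */
        memcpy(name, *env, len);
        for (strlist_t a = add; *a; a++) overridden |= !strncmp(*a, *env, len + 1);
        if (!overridden && name_is_kept(name, keep)) clean[out++] = *env;
    }
    for (; *add; add++) clean[out++] = *add;
    return clean;
}

const char **demo(void) {   /* constructed sample input, not real data */
    static const char *env[] = {"LDAP_BASE=dc=example", "FOO_PATH=/opt/foo",
                                "PATH=/home/u/bin", "EDITOR=vi", "=bad", NULL};
    static const char *keep[] = {"^LDAP_", "FOO_PATH", "PATH", NULL};
    static const char *add[] = {"PATH=/sbin:/usr/sbin", NULL};
    return scrub_env(env, keep, add);
}
```

A keep pattern that fails to compile matches nothing, so a typo in the list removes variables rather than letting extra ones through.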
-rw-r--r-- | mail/exim-html/Makefile | 4 | ||||
-rw-r--r-- | mail/exim-html/PLIST | 4 | ||||
-rw-r--r-- | mail/exim-html/distinfo | 10 | ||||
-rw-r--r-- | mail/exim/Makefile | 5 | ||||
-rw-r--r-- | mail/exim/distinfo | 12 | ||||
-rw-r--r-- | mail/exim/patches/patch-aa | 15 |
6 files changed, 26 insertions, 24 deletions
diff --git a/mail/exim-html/Makefile b/mail/exim-html/Makefile index 649e244f56f..30779cd3a09 100644 --- a/mail/exim-html/Makefile +++ b/mail/exim-html/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.29 2015/02/14 07:33:19 adam Exp $ +# $NetBSD: Makefile,v 1.29.8.1 2016/03/03 20:22:52 bsiegert Exp $ -DISTNAME= exim-html-4.85 +DISTNAME= exim-html-4.86.2 CATEGORIES= mail net MASTER_SITES= ftp://ftp.exim.org/pub/exim/exim4/ \ ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/ \ diff --git a/mail/exim-html/PLIST b/mail/exim-html/PLIST index 128ff88241e..9dadcade8c2 100644 --- a/mail/exim-html/PLIST +++ b/mail/exim-html/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.13 2013/10/30 07:30:03 adam Exp $ +@comment $NetBSD: PLIST,v 1.13.18.1 2016/03/03 20:22:52 bsiegert Exp $ share/doc/exim/html/spec_html/ch-access_control_lists.html share/doc/exim/html/spec_html/ch-adding_a_local_scan_function_to_exim.html share/doc/exim/html/spec_html/ch-adding_new_drivers_or_lookup_types.html @@ -57,6 +57,7 @@ share/doc/exim/html/spec_html/ch-the_queryprogram_router.html share/doc/exim/html/spec_html/ch-the_redirect_router.html share/doc/exim/html/spec_html/ch-the_smtp_transport.html share/doc/exim/html/spec_html/ch-the_spa_authenticator.html +share/doc/exim/html/spec_html/ch-the_tls_authenticator.html share/doc/exim/html/spec_html/ch-using_exim_as_a_nonqueueing_client.html share/doc/exim/html/spec_html/ch-variable_index.html share/doc/exim/html/spec_html/ch01.html @@ -119,6 +120,7 @@ share/doc/exim/html/spec_html/ch57.html share/doc/exim/html/spec_html/ch58.html share/doc/exim/html/spec_html/ch59.html share/doc/exim/html/spec_html/ch60.html +share/doc/exim/html/spec_html/ch61.html share/doc/exim/html/spec_html/filter.html share/doc/exim/html/spec_html/filter_ch-exim_filter_files.html share/doc/exim/html/spec_html/filter_ch-forwarding_and_filtering_in_exim.html diff --git a/mail/exim-html/distinfo b/mail/exim-html/distinfo index 1eb9c077e5e..2695d1ae310 100644 
--- a/mail/exim-html/distinfo +++ b/mail/exim-html/distinfo @@ -1,6 +1,6 @@ -$NetBSD: distinfo,v 1.24 2015/11/03 23:27:05 agc Exp $ +$NetBSD: distinfo,v 1.24.2.1 2016/03/03 20:22:52 bsiegert Exp $ -SHA1 (exim-html-4.85.tar.bz2) = f3952d9fee9b64aec0269da978a54c2c8de74833 -RMD160 (exim-html-4.85.tar.bz2) = 2901f7a96e30e445ece41fb8b3319a28f1a0f997 -SHA512 (exim-html-4.85.tar.bz2) = 8214576300827f79c0880e2d2163f71d7f1b3fe2aff714b591a011e48816965de5a773c3509137b085fec3d4d2128931f8398768c24dad6c92b7df27cbcafe74 -Size (exim-html-4.85.tar.bz2) = 467069 bytes +SHA1 (exim-html-4.86.2.tar.bz2) = 9b55e69787cf1f9ef233fd762736bb4541773bb4 +RMD160 (exim-html-4.86.2.tar.bz2) = bf077ceaed3c0763d0ef93e2a7ee455a714db195 +SHA512 (exim-html-4.86.2.tar.bz2) = 593df23914939f8fa76c15a2ab7fc197efa05fcbb984179c9dc2c7d535fe2bef1394c07bc8449f2219f54615ff2f4ee13b76409d89b846dc71e54880681c913e +Size (exim-html-4.86.2.tar.bz2) = 466139 bytes diff --git a/mail/exim/Makefile b/mail/exim/Makefile index 116a51c5735..0cdd6c5d1fe 100644 --- a/mail/exim/Makefile +++ b/mail/exim/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.141 2015/10/10 01:58:12 ryoon Exp $ +# $NetBSD: Makefile,v 1.141.2.1 2016/03/03 20:22:52 bsiegert Exp $ -DISTNAME= exim-4.85 -PKGREVISION= 3 +DISTNAME= exim-4.86.2 CATEGORIES= mail net MASTER_SITES= ftp://ftp.exim.org/pub/exim/exim4/ \ http://dl.ambiweb.de/mirrors/ftp.exim.org/exim/exim4/ diff --git a/mail/exim/distinfo b/mail/exim/distinfo index c0b8dc523ce..9f4fe499858 100644 --- a/mail/exim/distinfo +++ b/mail/exim/distinfo 
@@ -1,10 +1,10 @@ -$NetBSD: distinfo,v 1.62 2015/11/03 23:27:05 agc Exp $ +$NetBSD: distinfo,v 1.62.2.1 2016/03/03 20:22:52 bsiegert Exp $ -SHA1 (exim-4.85.tar.bz2) = 6b40d5a6ae59f86b4780ad50aaf0d930330d7b67 -RMD160 (exim-4.85.tar.bz2) = 334e5eeb9242b3fff49bd581b8cb22c12c0e8215 -SHA512 (exim-4.85.tar.bz2) = 2c5846528ee98e4aff5dbabe49dfa5ba6753fa64154b9671a7849db8a17773917fe13bcb9e5f732c43d7479debfadd8012b8650823eb12504a6b1b28be456161 -Size (exim-4.85.tar.bz2) = 1784150 bytes -SHA1 (patch-aa) = 24a12631b7df17930349b8a0d03adc80d27efbe2 +SHA1 (exim-4.86.2.tar.bz2) = 539cb2edc784d439cae8f95940e9eff847e2695d +RMD160 (exim-4.86.2.tar.bz2) = 06790977ad50fb19548826631df904d6bda62a83 +SHA512 (exim-4.86.2.tar.bz2) = 5869a7ae8fd66819f654f6617c7e77075a24b110074317b77135b8cc86f12632e79758d41819c6e91871e0145adaba4b91651f5c6c1d2ebd17927f0198876231 +Size (exim-4.86.2.tar.bz2) = 1799316 bytes +SHA1 (patch-aa) = 4df21c2497e9fee8dfbcd4386bb1b70d69ca2932 SHA1 (patch-ab) = 6af17f036ed02a3bc37c1f303269eea447fcb691 SHA1 (patch-ae) = 7daf63727e222bbaa7e5b8289c4fcb6a8c0272cf SHA1 (patch-ag) = dd93bb718c996f18b4e985806eb6d4ff5f25a67f diff --git a/mail/exim/patches/patch-aa b/mail/exim/patches/patch-aa index 0c65753d9e5..5956a198a1a 100644 --- a/mail/exim/patches/patch-aa +++ b/mail/exim/patches/patch-aa @@ -1,6 +1,6 @@ -$NetBSD: patch-aa,v 1.23 2012/06/11 11:41:25 adam Exp $ +$NetBSD: patch-aa,v 1.23.30.1 2016/03/03 20:22:52 bsiegert Exp $ ---- Local/Makefile.pkgsrc.orig 2012-06-11 11:27:45.000000000 +0000 +--- Local/Makefile.pkgsrc.orig 2016-01-10 20:50:29.000000000 +0000 +++ Local/Makefile.pkgsrc @@ -98,7 +98,7 @@ # /usr/local/sbin. The installation script will try to create this directory, 
@@ -56,7 +56,7 @@ $NetBSD: patch-aa,v 1.23 2012/06/11 11:41:25 adam Exp $ #------------------------------------------------------------------------------ -@@ -578,15 +578,15 @@ FIXED_NEVER_USERS=root +@@ -628,16 +628,16 @@ FIXED_NEVER_USERS=root # included in the Exim binary. You will then need to set up the run time # configuration to make use of the mechanism(s) selected. @@ -72,10 +72,11 @@ $NetBSD: patch-aa,v 1.23 2012/06/11 11:41:25 adam Exp $ -# AUTH_SPA=yes +AUTH_PLAINTEXT=yes +AUTH_SPA=yes + # AUTH_TLS=yes #------------------------------------------------------------------------------ -@@ -764,7 +764,7 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -822,7 +822,7 @@ HEADERS_CHARSET="ISO-8859-1" # %s. This will be replaced by one of the strings "main", "panic", or "reject" # to form the final file names. Some installations may want something like this: @@ -84,7 +85,7 @@ $NetBSD: patch-aa,v 1.23 2012/06/11 11:41:25 adam Exp $ # which results in files with names /var/log/exim_mainlog, etc. The directory # in which the log files are placed must exist; Exim does not try to create -@@ -1016,13 +1016,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases +@@ -1080,13 +1080,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases # haven't got Perl, Exim will still build and run; you just won't be able to # use those utilities. @@ -105,7 +106,7 @@ $NetBSD: patch-aa,v 1.23 2012/06/11 11:41:25 adam Exp $ #------------------------------------------------------------------------------ -@@ -1222,7 +1222,7 @@ TMPDIR="/tmp" +@@ -1286,7 +1286,7 @@ TMPDIR="/tmp" # (process id) to a file so that it can easily be identified. The path of the # file can be specified here. Some installations may want something like this: 
@@ -114,7 +115,7 @@ $NetBSD: patch-aa,v 1.23 2012/06/11 11:41:25 adam Exp $ # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory # using the name "exim-daemon.pid". -@@ -1294,3 +1294,10 @@ TMPDIR="/tmp" +@@ -1358,3 +1358,10 @@ TMPDIR="/tmp" # ENABLE_DISABLE_FSYNC=yes # End of EDITME for Exim 4. |
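Review bot: The new SHA1, RMD160 and SHA512 lines in the mail/exim/distinfo and mail/exim-html/distinfo hunks are the only integrity check on the 4.86.2 tarballs, because the MASTER_SITES context lines in both Makefile hunks are plain ftp:// and http:// URLs. For a security pullup, the commit message should say that these checksums were generated from tarballs verified against the upstream release signature, not only from what a mirror served.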
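Review bot: Missing upgrade documentation: the mail/exim/Makefile hunk changes only DISTNAME and PKGREVISION, and none of the six files touched tells users about the behaviour change the log message flags with "THIS MAY BREAK your existing installation". Since 4.86.1 cleans the whole environment by default and warns at startup unless keep_environment or add_environment is set, consider adding a package MESSAGE, or setting one of the two options explicitly in any configuration file the package installs, as part of this pullup.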