authortron <tron>2011-01-22 10:56:42 +0000
committertron <tron>2011-01-22 10:56:42 +0000
commit2463384e3cf8da62bca2f97c8b98d331842f7f97 (patch)
tree6324ff476b3b1eb2fc1ccd4f4fcb44262e32e0e1
parentf9747b7d9ba1b3435b5136385b34662b5d0daa4e (diff)
downloadpkgsrc-2463384e3cf8da62bca2f97c8b98d331842f7f97.tar.gz
Pullup ticket #3330 - requested by gls
mail/exim: security update Revisions pulled up: - mail/exim/Makefile 1.104 - mail/exim/distinfo 1.47 - mail/exim/patches/patch-aa 1.21 - mail/exim/patches/patch-ba 1.1 - mail/exim/patches/patch-bb 1.1 - mail/exim/patches/patch-bc 1.1 - mail/exim/patches/patch-bd 1.1 --- Module Name: pkgsrc Committed By: adam Date: Wed Jan 12 07:52:45 UTC 2011 Modified Files: pkgsrc/mail/exim: Makefile distinfo pkgsrc/mail/exim/patches: patch-aa Added Files: pkgsrc/mail/exim/patches: patch-ba patch-bb patch-bc patch-bd Log Message: Changes 4.73: * Date: & Message-Id: revert to normally being appended to a message, only prepend for the Resent-* case. Fixes regression introduced in Exim 4.70 by NM/22 for Bugzilla 607. * Include check_rfc2047_length in configure.default because we're seeing increasing numbers of administrators be bitten by this. * Added DISABLE_DKIM and comment to src/EDITME * Bugzilla 994: added openssl_options main configuration option. * Bugzilla 995: provide better SSL diagnostics on failed reads. * Bugzilla 834: provide a permit_coredump option for pipe transports. * Adjust NTLM authentication to handle SASL Initial Response. * If TLS negotiated an anonymous cipher, we could end up with SSL but without a peer certificate, leading to a segfault because of an assumption that peers always have certificates. Be a little more paranoid. * Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes NB: ClamAV planning to remove STREAM in "middle of 2010". CL also introduces -bmalware, various -d+acl logging additions and more caution in buffer sizes. * Implemented reverse_ip expansion operator. * Bugzilla 937: provide a "debug" ACL control. * Bugzilla 922: Documentation dusting, patch provided by John Horne. * Bugzilla 973: Implement --version. * Bugzilla 752: Refuse to build/run if Exim user is root/0. * Build without WITH_CONTENT_SCAN. Path from Andreas Metzler. 
* Bugzilla 816: support multiple condition rules on Routers. * Add bool_lax{} expansion operator and use that for combining multiple condition rules, instead of bool{}. Make both bool{} and bool_lax{} ignore trailing whitespace. * prevent non-panic DKIM error from being sent to paniclog * added tcp_wrappers_daemon_name to allow host entries other than "exim" to be used * Fix malware regression for cmdline scanner introduced in PP/08. Notification from Dr Andrew Aitchison. * Change ClamAV response parsing to be more robust and to handle ClamAV's ExtendedDetectionInfo response format. * OpenSSL 1.0.0a compatibility const-ness change, should be backwards compatible.
-rw-r--r--mail/exim/Makefile4
-rw-r--r--mail/exim/distinfo14
-rw-r--r--mail/exim/patches/patch-aa26
-rw-r--r--mail/exim/patches/patch-ba76
-rw-r--r--mail/exim/patches/patch-bb19
-rw-r--r--mail/exim/patches/patch-bc19
-rw-r--r--mail/exim/patches/patch-bd20
7 files changed, 158 insertions, 20 deletions
diff --git a/mail/exim/Makefile b/mail/exim/Makefile
index 765287dd683..299c4974827 100644
--- a/mail/exim/Makefile
+++ b/mail/exim/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.103 2010/11/08 13:59:11 adam Exp $
+# $NetBSD: Makefile,v 1.103.2.1 2011/01/22 10:56:42 tron Exp $
-DISTNAME= exim-4.72
+DISTNAME= exim-4.73
CATEGORIES= mail net
MASTER_SITES= ftp://ftp.exim.org/pub/exim/exim4/ \
http://dl.ambiweb.de/mirrors/ftp.exim.org/exim/exim4/
diff --git a/mail/exim/distinfo b/mail/exim/distinfo
index 50dbeb1af64..6dbc1908a2d 100644
--- a/mail/exim/distinfo
+++ b/mail/exim/distinfo
@@ -1,10 +1,14 @@
-$NetBSD: distinfo,v 1.46 2010/11/08 13:59:11 adam Exp $
+$NetBSD: distinfo,v 1.46.2.1 2011/01/22 10:56:42 tron Exp $
-SHA1 (exim-4.72.tar.bz2) = 3aab453faaa076a6b5f02320d7f8ad8aba21b347
-RMD160 (exim-4.72.tar.bz2) = e3ae8dbb056890d49e21e2ba6eaf9cf789ca2c18
-Size (exim-4.72.tar.bz2) = 1559031 bytes
-SHA1 (patch-aa) = cf514f31626cde31747342a2d50edd1dbf7f195f
+SHA1 (exim-4.73.tar.bz2) = e40a6beece6642ab372be1bc25ce53275b4fbc54
+RMD160 (exim-4.73.tar.bz2) = 8862761a7a898106c2143014c24ea1526d72dbb7
+Size (exim-4.73.tar.bz2) = 1592788 bytes
+SHA1 (patch-aa) = 2ec7f3c7c6e18c7cc2388de00c1108b56c239ab8
SHA1 (patch-ab) = ffb9fb28e4e5548777db31b3de34673a08a1c0fa
SHA1 (patch-ac) = 9a260a07f5e8cc89c60188925f01fc5b46164a37
SHA1 (patch-ae) = 4a9d2fde403cfd6386742b31f062e7801ef081b9
SHA1 (patch-ag) = 8512795060ad913f4699c277867fd24e7a785519
+SHA1 (patch-ba) = 7f1fac71d1ccb42ac8d82217f8f1b3dbc4fb830b
+SHA1 (patch-bb) = b8e5e52026da5740bb2742d3054b54aab9ab2278
+SHA1 (patch-bc) = 230965aba99adceb413dbc77e8e6bb022c2173ff
+SHA1 (patch-bd) = 50c26f08ccbb6254b99c38cd704839788ffc0494
diff --git a/mail/exim/patches/patch-aa b/mail/exim/patches/patch-aa
index 390468c48b3..c09e1c5c9db 100644
--- a/mail/exim/patches/patch-aa
+++ b/mail/exim/patches/patch-aa
@@ -1,6 +1,6 @@
-$NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $
+$NetBSD: patch-aa,v 1.20.10.1 2011/01/22 10:56:43 tron Exp $
---- Local/Makefile.pkgsrc.orig 2009-11-16 07:56:01.000000000 +0100
+--- Local/Makefile.pkgsrc.orig 2011-01-12 07:35:17.000000000 +0000
+++ Local/Makefile.pkgsrc
@@ -100,7 +100,7 @@
# /usr/local/sbin. The installation script will try to create this directory,
@@ -20,16 +20,16 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $
# It is possible to specify a colon-separated list of files for CONFIGURE_FILE.
# In this case, Exim will use the first of them that exists when it is run.
-@@ -134,7 +134,7 @@ CONFIGURE_FILE=/usr/exim/configure
- # owner of a local mailbox.) Specifying these values as root is very strongly
- # discouraged.
+@@ -133,7 +133,7 @@ CONFIGURE_FILE=/usr/exim/configure
+ # deliveries. (Local deliveries run as various non-root users, typically as the
+ # owner of a local mailbox.) Specifying these values as root is not supported.
-EXIM_USER=
+EXIM_USER=ref:@EXIM_USER@
# If you specify EXIM_USER as a name, this is looked up at build time, and the
# uid number is built into the binary. However, you can specify that this
-@@ -155,7 +155,7 @@ EXIM_USER=
+@@ -154,7 +154,7 @@ EXIM_USER=
# for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless
# you want to use a group other than the default group for the given user.
@@ -38,7 +38,7 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $
# Many sites define a user called "exim", with an appropriate default group,
# and use
-@@ -176,7 +176,7 @@ EXIM_USER=
+@@ -175,7 +175,7 @@ EXIM_USER=
# Almost all installations choose this:
@@ -47,7 +47,7 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $
-@@ -333,7 +333,7 @@ PCRE_LIBS=-lpcre
+@@ -332,7 +332,7 @@ PCRE_LIBS=-lpcre
# files are defaulted in the OS/Makefile-Default file, but can be overridden in
# local OS-specific make files.
@@ -56,7 +56,7 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $
#------------------------------------------------------------------------------
-@@ -486,11 +486,11 @@ FIXED_NEVER_USERS=root
+@@ -527,11 +527,11 @@ FIXED_NEVER_USERS=root
# included in the Exim binary. You will then need to set up the run time
# configuration to make use of the mechanism(s) selected.
@@ -71,7 +71,7 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $
#------------------------------------------------------------------------------
-@@ -656,7 +656,7 @@ HEADERS_CHARSET="ISO-8859-1"
+@@ -697,7 +697,7 @@ HEADERS_CHARSET="ISO-8859-1"
# %s. This will be replaced by one of the strings "main", "panic", or "reject"
# to form the final file names. Some installations may want something like this:
@@ -80,7 +80,7 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $
# which results in files with names /var/log/exim_mainlog, etc. The directory
# in which the log files are placed must exist; Exim does not try to create
-@@ -897,13 +897,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+@@ -945,13 +945,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
# haven't got Perl, Exim will still build and run; you just won't be able to
# use those utilities.
@@ -101,7 +101,7 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $
#------------------------------------------------------------------------------
-@@ -1097,7 +1097,7 @@ TMPDIR="/tmp"
+@@ -1145,7 +1145,7 @@ TMPDIR="/tmp"
# (process id) to a file so that it can easily be identified. The path of the
# file can be specified here. Some installations may want something like this:
@@ -110,7 +110,7 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $
# If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
# using the name "exim-daemon.pid".
-@@ -1149,3 +1149,10 @@ TMPDIR="/tmp"
+@@ -1197,3 +1197,10 @@ TMPDIR="/tmp"
# ENABLE_DISABLE_FSYNC=yes
# End of EDITME for Exim 4.
diff --git a/mail/exim/patches/patch-ba b/mail/exim/patches/patch-ba
new file mode 100644
index 00000000000..6f953516c0b
--- /dev/null
+++ b/mail/exim/patches/patch-ba
@@ -0,0 +1,76 @@
+$NetBSD: patch-ba,v 1.1.2.2 2011/01/22 10:56:43 tron Exp $
+
+--- src/lookups/ldap.c.orig 2009-11-16 19:50:38.000000000 +0000
++++ src/lookups/ldap.c
+@@ -445,6 +445,60 @@ if (lcp == NULL)
+ }
+ #endif /* LDAP_OPT_X_TLS */
+
++ #ifdef LDAP_OPT_X_TLS_CACERTFILE
++ if (eldap_ca_cert_file != NULL)
++ {
++ ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
++ }
++ #endif
++ #ifdef LDAP_OPT_X_TLS_CACERTDIR
++ if (eldap_ca_cert_dir != NULL)
++ {
++ ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
++ }
++ #endif
++ #ifdef LDAP_OPT_X_TLS_CERTFILE
++ if (eldap_cert_file != NULL)
++ {
++ ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
++ }
++ #endif
++ #ifdef LDAP_OPT_X_TLS_KEYFILE
++ if (eldap_cert_key != NULL)
++ {
++ ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
++ }
++ #endif
++ #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
++ if (eldap_cipher_suite != NULL)
++ {
++ ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
++ }
++ #endif
++ #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
++ if (eldap_require_cert != NULL)
++ {
++ int cert_option = LDAP_OPT_X_TLS_NEVER;
++ if (Ustrcmp(eldap_require_cert, "hard") == 0)
++ {
++ cert_option = LDAP_OPT_X_TLS_HARD;
++ }
++ else if (Ustrcmp(eldap_require_cert, "demand") == 0)
++ {
++ cert_option = LDAP_OPT_X_TLS_DEMAND;
++ }
++ else if (Ustrcmp(eldap_require_cert, "allow") == 0)
++ {
++ cert_option = LDAP_OPT_X_TLS_ALLOW;
++ }
++ else if (Ustrcmp(eldap_require_cert, "try") == 0)
++ {
++ cert_option = LDAP_OPT_X_TLS_TRY;
++ }
++ ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, cert_option);
++ }
++ #endif
++
+ /* Now add this connection to the chain of cached connections */
+
+ lcp = store_get(sizeof(LDAP_CONNECTION));
+@@ -481,6 +535,10 @@ if (!lcp->bound ||
+ {
+ DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n",
+ (lcp->bound)? "re-" : "", user, password);
++ if (eldap_start_tls)
++ {
++ ldap_start_tls_s(lcp->ld, NULL, NULL);
++ }
+ if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE))
+ == -1)
+ {
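Review bot: The StartTLS call added before `ldap_bind` discards the result of `ldap_start_tls_s(lcp->ld, NULL, NULL)`, so when negotiation fails the simple bind that follows still sends the DN and password over the unencrypted connection; the result should be compared with `LDAP_SUCCESS` and the lookup failed through this function's existing error path (outside the hunk) before any bind is attempted. In the `LDAP_OPT_X_TLS_REQUIRE_CERT` block the value is passed as an int where `ldap_set_option` expects a pointer to it, so the line should read `ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);`. That block also starts from `LDAP_OPT_X_TLS_NEVER`, so a misspelt `ldap_require_cert` value silently turns peer-certificate checking off; an unrecognised string would be safer rejected at configuration time or mapped to the strictest setting. None of the `ldap_set_option` return codes are checked, so a rejected CA file or cipher suite goes unnoticed. The enclosing function starts and ends outside both inner hunks.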
diff --git a/mail/exim/patches/patch-bb b/mail/exim/patches/patch-bb
new file mode 100644
index 00000000000..325389c8bc9
--- /dev/null
+++ b/mail/exim/patches/patch-bb
@@ -0,0 +1,19 @@
+$NetBSD: patch-bb,v 1.1.2.2 2011/01/22 10:56:43 tron Exp $
+
+--- src/globals.h.orig 2009-11-16 19:50:37.000000000 +0000
++++ src/globals.h
+@@ -35,7 +35,14 @@ extern uschar *ibase_servers;
+ #endif
+
+ #ifdef LOOKUP_LDAP
++extern uschar *eldap_ca_cert_dir; /* Directory with CA certificates */
++extern uschar *eldap_ca_cert_file; /* CA certificate file */
++extern uschar *eldap_cert_file; /* Certificate file */
++extern uschar *eldap_cert_key; /* Certificate key file */
++extern uschar *eldap_cipher_suite; /* Allowed cipher suite */
+ extern uschar *eldap_default_servers; /* List of default servers */
++extern uschar *eldap_require_cert; /* Peer certificate checking strategy */
++extern BOOL eldap_start_tls; /* Use STARTTLS */
+ extern int eldap_version; /* LDAP version */
+ #endif
+
diff --git a/mail/exim/patches/patch-bc b/mail/exim/patches/patch-bc
new file mode 100644
index 00000000000..f22d36fccb2
--- /dev/null
+++ b/mail/exim/patches/patch-bc
@@ -0,0 +1,19 @@
+$NetBSD: patch-bc,v 1.1.2.2 2011/01/22 10:56:43 tron Exp $
+
+--- src/readconf.c.orig 2009-11-16 19:50:37.000000000 +0000
++++ src/readconf.c
+@@ -262,7 +262,14 @@ static optionlist optionlist_config[] =
+ { "ignore_fromline_local", opt_bool, &ignore_fromline_local },
+ { "keep_malformed", opt_time, &keep_malformed },
+ #ifdef LOOKUP_LDAP
++ { "ldap_ca_cert_dir", opt_stringptr, &eldap_ca_cert_dir },
++ { "ldap_ca_cert_file", opt_stringptr, &eldap_ca_cert_file },
++ { "ldap_cert_file", opt_stringptr, &eldap_cert_file },
++ { "ldap_cert_key", opt_stringptr, &eldap_cert_key },
++ { "ldap_cipher_suite", opt_stringptr, &eldap_cipher_suite },
+ { "ldap_default_servers", opt_stringptr, &eldap_default_servers },
++ { "ldap_require_cert", opt_stringptr, &eldap_require_cert },
++ { "ldap_start_tls", opt_bool, &eldap_start_tls },
+ { "ldap_version", opt_int, &eldap_version },
+ #endif
+ { "local_from_check", opt_bool, &local_from_check },
diff --git a/mail/exim/patches/patch-bd b/mail/exim/patches/patch-bd
new file mode 100644
index 00000000000..1002daaefc3
--- /dev/null
+++ b/mail/exim/patches/patch-bd
@@ -0,0 +1,20 @@
+$NetBSD: patch-bd,v 1.1.2.2 2011/01/22 10:56:43 tron Exp $
+
+--- src/globals.c.orig 2009-11-16 19:50:37.000000000 +0000
++++ src/globals.c
+@@ -75,8 +75,15 @@ uschar *ibase_servers = NULL;
+ #endif
+
+ #ifdef LOOKUP_LDAP
++uschar *eldap_ca_cert_dir = NULL;
++uschar *eldap_ca_cert_file = NULL;
++uschar *eldap_cert_file = NULL;
++uschar *eldap_cert_key = NULL;
++uschar *eldap_cipher_suite = NULL;
+ uschar *eldap_default_servers = NULL;
++uschar *eldap_require_cert = NULL;
+ int eldap_version = -1;
++BOOL eldap_start_tls = FALSE;
+ #endif
+
+ #ifdef LOOKUP_MYSQL