diff options
author | wiedi <wiedi@pkgsrc.org> | 2016-12-25 11:29:54 +0000 |
---|---|---|
committer | wiedi <wiedi@pkgsrc.org> | 2016-12-25 11:29:54 +0000 |
commit | f3df13cfaffa1a4640f4c9723f8ae68321b137ce (patch) | |
tree | 7756deaab5a822caf5e6efadea223327064cf480 /mail/exim | |
parent | 17afc0519f660e9afc64f71ec8e9e49b752acd9a (diff) | |
download | pkgsrc-f3df13cfaffa1a4640f4c9723f8ae68321b137ce.tar.gz |
Update exim to 4.88
Security update to address CVE-2016-9963
Exim version 4.88
-----------------
JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination
supports it and a size is available (ie. the sending peer gave us one).
JH/02 The obsolete acl condition "demime" is removed (finally, after ten
years of being deprecated). The replacements are the ACLs
acl_smtp_mime and acl_not_smtp_mime.
JH/03 Upgrade security requirements imposed for hosts_try_dane: previously
a downgraded non-dane trust-anchor for the TLS connection (CA-style)
or even an in-clear connection were permitted. Now, if the host lookup
was dnssec and dane was requested then the host is only used if the
TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority
MXs) will be tried (for hosts_try_dane though not for hosts_require_dane)
if one fails this test.
This means that a poorly-configured remote DNS will make it incommunicado;
but it protects against a DNS-interception attack on it.
JH/04 Bug 1810: make continued-use of an open smtp transport connection
non-noisy when a race steals the message being considered.
JH/05 If main configuration option tls_certificate is unset, generate a
self-signed certificate for inbound TLS connections.
JH/06 Bug 165: hide more cases of password exposure - this time in expansions
in rewrites and routers.
JH/07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80
and logged a warning sing 4.83; now they are a configuration file error.
JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name
(lacking @domain). Apply the same qualification processing as RCPT.
JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode.
JH/10 Support ${sha256:} applied to a string (as well as the previous
certificate).
JH/11 Cutthrough: avoid using the callout hints db on a verify callout when
a cutthrough deliver is pending, as we always want to make a connection.
This also avoids re-routing the message when later placing the cutthrough
connection after a verify cache hit.
Do not update it with the verify result either.
JH/12 Cutthrough: disable when verify option success_on_redirect is used, and
when routing results in more than one destination address.
JH/13 Cutthrough: expand transport dkim_domain option when testing for dkim
signing (which inhibits the cutthrough capability). Previously only
the presence of an option was tested; now an expansion evaluating as
empty is permissible (obviously it should depend only on data available
when the cutthrough connection is made).
JH/14 Fix logging of errors under PIPELINING. Previously the log line giving
the relevant preceding SMTP command did not note the pipelining mode.
JH/15 Fix counting of empty lines in $body_linecount and $message_linecount.
Previously they were not counted.
JH/16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same
as one having no matching records. Previously we deferred the message
that needed the lookup.
JH/17 Fakereject: previously logged as a norml message arrival "<="; now
distinguished as "(=".
JH/18 Bug 1867: make the fail_defer_domains option on a dnslookup router work
for missing MX records. Previously it only worked for missing A records.
JH/19 Bug 1850: support Radius libraries that return REJECT_RC.
JH/20 Bug 1872: Ensure that acl_smtp_notquit is run when the connection drops
after the data-go-ahead and data-ack. Patch from Jason Betts.
JH/21 Bug 1846: Send DMARC forensic reports for reject and quaratine results,
even for a "none" policy. Patch from Tony Meyer.
JH/22 Fix continued use of a connection for further deliveries. If a port was
specified by a router, it must also match for the delivery to be
compatible.
JH/23 Bug 1874: fix continued use of a connection for further deliveries.
When one of the recipients of a message was unsuitable for the connection
(has no matching addresses), we lost track of needing to mark it
deferred. As a result mail would be lost.
JH/24 Bug 1832: Log EHLO response on getting conn-close response for HELO.
JH/25 Decoding ACL controls is now done using a binary search; the source code
takes up less space and should be simpler to maintain. Merge the ACL
condition decode tables also, with similar effect.
JH/26 Fix problem with one_time used on a redirect router which returned the
parent address unchanged. A retry would see the parent address marked as
delivered, so not attempt the (identical) child. As a result mail would
be lost.
JH/27 Fix a possible security hole, wherein a process operating with the Exim
UID can gain a root shell. Credit to http://www.halfdog.net/ for
discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim
itself :(
JH/28 Enable {spool,log} filesystem space and inode checks as default.
Main config options check_{log,spool}_{inodes,space} are now
100 inodes, 10MB unless set otherwise in the configuration.
JH/29 Fix the connection_reject log selector to apply to the connect ACL.
Previously it only applied to the main-section connection policy
options.
JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext.
PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created
by me. Added RFC7919 DH primes as an alternative.
PP/02 Unbreak build via pkg-config with new hash support when crypto headers
are not in the system include path.
JH/31 Fix longstanding bug with aborted TLS server connection handling. Under
GnuTLS, when a session startup failed (eg because the client disconnected)
Exim did stdio operations after fclose. This was exposed by a recent
change which nulled out the file handle after the fclose.
JH/32 Bug 1909: Fix OCSP proof verification for cases where the proof is
signed directly by the cert-signing cert, rather than an intermediate
OCSP-signing cert. This is the model used by LetsEncrypt.
JH/33 Bug 1914: Ensure socket is nonblocking before draining after SMTP QUIT.
HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on
an incoming connection.
HS/02 Bug 1802: Do not half-close the connection after sending a request
to rspamd.
HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2
fallback to "prime256v1".
JH/34 SECURITY: Use proper copy of DATA command in error message.
Could leak key material. Remotely explaoitable. CVE-2016-9963.
ok wiz@
Diffstat (limited to 'mail/exim')
-rw-r--r-- | mail/exim/Makefile | 5 | ||||
-rw-r--r-- | mail/exim/distinfo | 12 | ||||
-rw-r--r-- | mail/exim/patches/patch-ae | 17 |
3 files changed, 17 insertions, 17 deletions
diff --git a/mail/exim/Makefile b/mail/exim/Makefile index 4f972e34ed6..be7a41baad3 100644 --- a/mail/exim/Makefile +++ b/mail/exim/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.150 2016/12/04 05:17:32 ryoon Exp $ +# $NetBSD: Makefile,v 1.151 2016/12/25 11:29:54 wiedi Exp $ -DISTNAME= exim-4.87 -PKGREVISION= 5 +DISTNAME= exim-4.88 CATEGORIES= mail net MASTER_SITES= ftp://ftp.exim.org/pub/exim/exim4/ \ http://dl.ambiweb.de/mirrors/ftp.exim.org/exim/exim4/ diff --git a/mail/exim/distinfo b/mail/exim/distinfo index ddd177880da..e3c6d5fcbda 100644 --- a/mail/exim/distinfo +++ b/mail/exim/distinfo @@ -1,10 +1,10 @@ -$NetBSD: distinfo,v 1.65 2016/04/09 10:49:39 adam Exp $ +$NetBSD: distinfo,v 1.66 2016/12/25 11:29:54 wiedi Exp $ -SHA1 (exim-4.87.tar.bz2) = ca1c1aba63be80ca70ccfdc704ba9b899b77ec22 -RMD160 (exim-4.87.tar.bz2) = 4a2cc7c35d02bff5cdd175d8dd0538f1fef5af43 -SHA512 (exim-4.87.tar.bz2) = 2b0d5c82133315c444e29abd182e0866482c904db1abe5ffe9a3008c2174f52eca850a433c069b4102874dc32bbe4af112beac94ffa154f1c06615c24deb47a4 -Size (exim-4.87.tar.bz2) = 1801422 bytes +SHA1 (exim-4.88.tar.bz2) = f77cd027284ebf5bdf5fb7a7bd2755238722bfde +RMD160 (exim-4.88.tar.bz2) = cbcacf3f8f45975c68a450f2fa595b802c76b345 +SHA512 (exim-4.88.tar.bz2) = ea094bf703628c201de119fc5f09539475e52158e935f8f2a9e4138c4a1bfe885017145c3cc5e22aa9087b195091955c69385ebf1ea0baec64ed5c1b8e3b1caf +Size (exim-4.88.tar.bz2) = 1824610 bytes SHA1 (patch-aa) = 4df21c2497e9fee8dfbcd4386bb1b70d69ca2932 SHA1 (patch-ab) = 6af17f036ed02a3bc37c1f303269eea447fcb691 -SHA1 (patch-ae) = 7daf63727e222bbaa7e5b8289c4fcb6a8c0272cf +SHA1 (patch-ae) = aa0a31e77d5f76e33bc92140c14d39c79f710b95 SHA1 (patch-lookups_Makefile) = cfc40dba3f75ef37b9887f7767139ad50cf9d4e5 diff --git a/mail/exim/patches/patch-ae b/mail/exim/patches/patch-ae index d70cd07bd31..f909da33e39 100644 --- a/mail/exim/patches/patch-ae +++ b/mail/exim/patches/patch-ae @@ -1,6 +1,6 @@ -$NetBSD: patch-ae,v 1.12 2012/06/11 11:41:25 adam Exp $ +$NetBSD: patch-ae,v 1.13 2016/12/25 11:29:55 wiedi Exp $ ---- scripts/exim_install.orig 2012-05-31 00:40:15.000000000 +0000 +--- scripts/exim_install.orig 2016-12-18 14:02:28.000000000 +0000 +++ scripts/exim_install @@ -83,6 +83,8 @@ if [ "${SYSTEM_ALIASES_FILE}" = "" ] ; t SYSTEM_ALIASES_FILE=/etc/aliases @@ -11,17 +11,17 @@ $NetBSD: patch-ae,v 1.12 2012/06/11 11:41:25 adam Exp $ # Allow INST_xx to over-ride xx case "$INST_BIN_DIRECTORY" in ?*) BIN_DIRECTORY="$INST_BIN_DIRECTORY";; esac case "$INST_CONFIGURE_FILE" in ?*) CONFIGURE_FILE="$INST_CONFIGURE_FILE";; esac -@@ -219,6 +221,9 @@ while [ $# -gt 0 ]; do - if [ $name = exim${EXE} ]; then - version=exim-`./exim -bV -C /dev/null | \ +@@ -220,6 +222,9 @@ while [ $# -gt 0 ]; do + exim="./exim -bV -C /dev/null" + version=exim-`$exim 2>/dev/null | \ awk '/Exim version/ { OFS=""; print $3,"-",substr($4,2,length($4)-1) }'`${EXE} -+ # only for pkgsrc: ./exim cannot run during install to DESTDIR because ++ # only for pkgsrc: ./exim cannot run during install to DESTDIR because + # EXIM_USER may not exist at this time, so we fake the version information + version=@PKGSRC_EXIM_VERSION@${EXE} if [ "${version}" = "exim-${EXE}" ]; then echo $com "" -@@ -414,15 +419,8 @@ elif [ ! -f ${CONFIGURE_FILE} ]; then +@@ -416,16 +421,8 @@ elif [ ! -f ${CONFIGURE_FILE} ]; then echo $com "*** Exim installation ${ver}failed ***" exit 1 fi @@ -34,8 +34,9 @@ $NetBSD: patch-ae,v 1.12 2012/06/11 11:41:25 adam Exp $ - echo ${CP} ../src/aliases.default ${SYSTEM_ALIASES_FILE} - ${real} ${CP} ../src/aliases.default ${SYSTEM_ALIASES_FILE} - fi +- + echo ${CP} ../src/aliases.default ${DESTDIR}${PREFIX}/share/examples/exim/aliases + ${real} ${CP} ../src/aliases.default ${DESTDIR}${PREFIX}/share/examples/exim/aliases - else echo $com Configuration file ${CONFIGURE_FILE} already exists + fi |