summaryrefslogtreecommitdiff
path: root/mail/exim
diff options
context:
space:
mode:
authorwiedi <wiedi@pkgsrc.org>2016-12-25 11:29:54 +0000
committerwiedi <wiedi@pkgsrc.org>2016-12-25 11:29:54 +0000
commitf3df13cfaffa1a4640f4c9723f8ae68321b137ce (patch)
tree7756deaab5a822caf5e6efadea223327064cf480 /mail/exim
parent17afc0519f660e9afc64f71ec8e9e49b752acd9a (diff)
downloadpkgsrc-f3df13cfaffa1a4640f4c9723f8ae68321b137ce.tar.gz
Update exim to 4.88
Security update to address CVE-2016-9963 Exim version 4.88 ----------------- JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination supports it and a size is available (ie. the sending peer gave us one). JH/02 The obsolete acl condition "demime" is removed (finally, after ten years of being deprecated). The replacements are the ACLs acl_smtp_mime and acl_not_smtp_mime. JH/03 Upgrade security requirements imposed for hosts_try_dane: previously a downgraded non-dane trust-anchor for the TLS connection (CA-style) or even an in-clear connection were permitted. Now, if the host lookup was dnssec and dane was requested then the host is only used if the TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority MXs) will be tried (for hosts_try_dane though not for hosts_require_dane) if one fails this test. This means that a poorly-configured remote DNS will make it incommunicado; but it protects against a DNS-interception attack on it. JH/04 Bug 1810: make continued-use of an open smtp transport connection non-noisy when a race steals the message being considered. JH/05 If main configuration option tls_certificate is unset, generate a self-signed certificate for inbound TLS connections. JH/06 Bug 165: hide more cases of password exposure - this time in expansions in rewrites and routers. JH/07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80 and logged a warning sing 4.83; now they are a configuration file error. JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name (lacking @domain). Apply the same qualification processing as RCPT. JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode. JH/10 Support ${sha256:} applied to a string (as well as the previous certificate). JH/11 Cutthrough: avoid using the callout hints db on a verify callout when a cutthrough deliver is pending, as we always want to make a connection. This also avoids re-routing the message when later placing the cutthrough connection after a verify cache hit. Do not update it with the verify result either. JH/12 Cutthrough: disable when verify option success_on_redirect is used, and when routing results in more than one destination address. JH/13 Cutthrough: expand transport dkim_domain option when testing for dkim signing (which inhibits the cutthrough capability). Previously only the presence of an option was tested; now an expansion evaluating as empty is permissible (obviously it should depend only on data available when the cutthrough connection is made). JH/14 Fix logging of errors under PIPELINING. Previously the log line giving the relevant preceding SMTP command did not note the pipelining mode. JH/15 Fix counting of empty lines in $body_linecount and $message_linecount. Previously they were not counted. JH/16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same as one having no matching records. Previously we deferred the message that needed the lookup. JH/17 Fakereject: previously logged as a norml message arrival "<="; now distinguished as "(=". JH/18 Bug 1867: make the fail_defer_domains option on a dnslookup router work for missing MX records. Previously it only worked for missing A records. JH/19 Bug 1850: support Radius libraries that return REJECT_RC. JH/20 Bug 1872: Ensure that acl_smtp_notquit is run when the connection drops after the data-go-ahead and data-ack. Patch from Jason Betts. JH/21 Bug 1846: Send DMARC forensic reports for reject and quaratine results, even for a "none" policy. Patch from Tony Meyer. JH/22 Fix continued use of a connection for further deliveries. If a port was specified by a router, it must also match for the delivery to be compatible. JH/23 Bug 1874: fix continued use of a connection for further deliveries. When one of the recipients of a message was unsuitable for the connection (has no matching addresses), we lost track of needing to mark it deferred. As a result mail would be lost. JH/24 Bug 1832: Log EHLO response on getting conn-close response for HELO. JH/25 Decoding ACL controls is now done using a binary search; the source code takes up less space and should be simpler to maintain. Merge the ACL condition decode tables also, with similar effect. JH/26 Fix problem with one_time used on a redirect router which returned the parent address unchanged. A retry would see the parent address marked as delivered, so not attempt the (identical) child. As a result mail would be lost. JH/27 Fix a possible security hole, wherein a process operating with the Exim UID can gain a root shell. Credit to http://www.halfdog.net/ for discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim itself :( JH/28 Enable {spool,log} filesystem space and inode checks as default. Main config options check_{log,spool}_{inodes,space} are now 100 inodes, 10MB unless set otherwise in the configuration. JH/29 Fix the connection_reject log selector to apply to the connect ACL. Previously it only applied to the main-section connection policy options. JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext. PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created by me. Added RFC7919 DH primes as an alternative. PP/02 Unbreak build via pkg-config with new hash support when crypto headers are not in the system include path. JH/31 Fix longstanding bug with aborted TLS server connection handling. Under GnuTLS, when a session startup failed (eg because the client disconnected) Exim did stdio operations after fclose. This was exposed by a recent change which nulled out the file handle after the fclose. JH/32 Bug 1909: Fix OCSP proof verification for cases where the proof is signed directly by the cert-signing cert, rather than an intermediate OCSP-signing cert. This is the model used by LetsEncrypt. JH/33 Bug 1914: Ensure socket is nonblocking before draining after SMTP QUIT. HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on an incoming connection. HS/02 Bug 1802: Do not half-close the connection after sending a request to rspamd. HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2 fallback to "prime256v1". JH/34 SECURITY: Use proper copy of DATA command in error message. Could leak key material. Remotely explaoitable. CVE-2016-9963. ok wiz@
Diffstat (limited to 'mail/exim')
-rw-r--r--mail/exim/Makefile5
-rw-r--r--mail/exim/distinfo12
-rw-r--r--mail/exim/patches/patch-ae17
3 files changed, 17 insertions, 17 deletions
diff --git a/mail/exim/Makefile b/mail/exim/Makefile
index 4f972e34ed6..be7a41baad3 100644
--- a/mail/exim/Makefile
+++ b/mail/exim/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.150 2016/12/04 05:17:32 ryoon Exp $
+# $NetBSD: Makefile,v 1.151 2016/12/25 11:29:54 wiedi Exp $
-DISTNAME= exim-4.87
-PKGREVISION= 5
+DISTNAME= exim-4.88
CATEGORIES= mail net
MASTER_SITES= ftp://ftp.exim.org/pub/exim/exim4/ \
http://dl.ambiweb.de/mirrors/ftp.exim.org/exim/exim4/
diff --git a/mail/exim/distinfo b/mail/exim/distinfo
index ddd177880da..e3c6d5fcbda 100644
--- a/mail/exim/distinfo
+++ b/mail/exim/distinfo
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.65 2016/04/09 10:49:39 adam Exp $
+$NetBSD: distinfo,v 1.66 2016/12/25 11:29:54 wiedi Exp $
-SHA1 (exim-4.87.tar.bz2) = ca1c1aba63be80ca70ccfdc704ba9b899b77ec22
-RMD160 (exim-4.87.tar.bz2) = 4a2cc7c35d02bff5cdd175d8dd0538f1fef5af43
-SHA512 (exim-4.87.tar.bz2) = 2b0d5c82133315c444e29abd182e0866482c904db1abe5ffe9a3008c2174f52eca850a433c069b4102874dc32bbe4af112beac94ffa154f1c06615c24deb47a4
-Size (exim-4.87.tar.bz2) = 1801422 bytes
+SHA1 (exim-4.88.tar.bz2) = f77cd027284ebf5bdf5fb7a7bd2755238722bfde
+RMD160 (exim-4.88.tar.bz2) = cbcacf3f8f45975c68a450f2fa595b802c76b345
+SHA512 (exim-4.88.tar.bz2) = ea094bf703628c201de119fc5f09539475e52158e935f8f2a9e4138c4a1bfe885017145c3cc5e22aa9087b195091955c69385ebf1ea0baec64ed5c1b8e3b1caf
+Size (exim-4.88.tar.bz2) = 1824610 bytes
SHA1 (patch-aa) = 4df21c2497e9fee8dfbcd4386bb1b70d69ca2932
SHA1 (patch-ab) = 6af17f036ed02a3bc37c1f303269eea447fcb691
-SHA1 (patch-ae) = 7daf63727e222bbaa7e5b8289c4fcb6a8c0272cf
+SHA1 (patch-ae) = aa0a31e77d5f76e33bc92140c14d39c79f710b95
SHA1 (patch-lookups_Makefile) = cfc40dba3f75ef37b9887f7767139ad50cf9d4e5
diff --git a/mail/exim/patches/patch-ae b/mail/exim/patches/patch-ae
index d70cd07bd31..f909da33e39 100644
--- a/mail/exim/patches/patch-ae
+++ b/mail/exim/patches/patch-ae
@@ -1,6 +1,6 @@
-$NetBSD: patch-ae,v 1.12 2012/06/11 11:41:25 adam Exp $
+$NetBSD: patch-ae,v 1.13 2016/12/25 11:29:55 wiedi Exp $
---- scripts/exim_install.orig 2012-05-31 00:40:15.000000000 +0000
+--- scripts/exim_install.orig 2016-12-18 14:02:28.000000000 +0000
+++ scripts/exim_install
@@ -83,6 +83,8 @@ if [ "${SYSTEM_ALIASES_FILE}" = "" ] ; t
SYSTEM_ALIASES_FILE=/etc/aliases
@@ -11,17 +11,17 @@ $NetBSD: patch-ae,v 1.12 2012/06/11 11:41:25 adam Exp $
# Allow INST_xx to over-ride xx
case "$INST_BIN_DIRECTORY" in ?*) BIN_DIRECTORY="$INST_BIN_DIRECTORY";; esac
case "$INST_CONFIGURE_FILE" in ?*) CONFIGURE_FILE="$INST_CONFIGURE_FILE";; esac
-@@ -219,6 +221,9 @@ while [ $# -gt 0 ]; do
- if [ $name = exim${EXE} ]; then
- version=exim-`./exim -bV -C /dev/null | \
+@@ -220,6 +222,9 @@ while [ $# -gt 0 ]; do
+ exim="./exim -bV -C /dev/null"
+ version=exim-`$exim 2>/dev/null | \
awk '/Exim version/ { OFS=""; print $3,"-",substr($4,2,length($4)-1) }'`${EXE}
-+ # only for pkgsrc: ./exim cannot run during install to DESTDIR because
++ # only for pkgsrc: ./exim cannot run during install to DESTDIR because
+ # EXIM_USER may not exist at this time, so we fake the version information
+ version=@PKGSRC_EXIM_VERSION@${EXE}
if [ "${version}" = "exim-${EXE}" ]; then
echo $com ""
-@@ -414,15 +419,8 @@ elif [ ! -f ${CONFIGURE_FILE} ]; then
+@@ -416,16 +421,8 @@ elif [ ! -f ${CONFIGURE_FILE} ]; then
echo $com "*** Exim installation ${ver}failed ***"
exit 1
fi
@@ -34,8 +34,9 @@ $NetBSD: patch-ae,v 1.12 2012/06/11 11:41:25 adam Exp $
- echo ${CP} ../src/aliases.default ${SYSTEM_ALIASES_FILE}
- ${real} ${CP} ../src/aliases.default ${SYSTEM_ALIASES_FILE}
- fi
+-
+ echo ${CP} ../src/aliases.default ${DESTDIR}${PREFIX}/share/examples/exim/aliases
+ ${real} ${CP} ../src/aliases.default ${DESTDIR}${PREFIX}/share/examples/exim/aliases
-
else
echo $com Configuration file ${CONFIGURE_FILE} already exists
+ fi