From 2463384e3cf8da62bca2f97c8b98d331842f7f97 Mon Sep 17 00:00:00 2001 
From: tron Date: Sat, 22 Jan 2011 10:56:42 +0000 Subject: Pullup ticket #3330 - requested by gls mail/exim: security update Revisions pulled up: - mail/exim/Makefile 1.104 - mail/exim/distinfo 1.47 - mail/exim/patches/patch-aa 1.21 - mail/exim/patches/patch-ba 1.1 - mail/exim/patches/patch-bb 1.1 - mail/exim/patches/patch-bc 1.1 - mail/exim/patches/patch-bd 1.1 --- Module Name: pkgsrc Committed By: adam Date: Wed Jan 12 07:52:45 UTC 2011 Modified Files: pkgsrc/mail/exim: Makefile distinfo pkgsrc/mail/exim/patches: patch-aa Added Files: pkgsrc/mail/exim/patches: patch-ba patch-bb patch-bc patch-bd Log Message: Changes 4.73: * Date: & Message-Id: revert to normally being appended to a message, only prepend for the Resent-* case. Fixes regression introduced in Exim 4.70 by NM/22 for Bugzilla 607. * Include check_rfc2047_length in configure.default because we're seeing increasing numbers of administrators be bitten by this. * Added DISABLE_DKIM and comment to src/EDITME * Bugzilla 994: added openssl_options main configuration option. * Bugzilla 995: provide better SSL diagnostics on failed reads. * Bugzilla 834: provide a permit_coredump option for pipe transports. * Adjust NTLM authentication to handle SASL Initial Response. * If TLS negotiated an anonymous cipher, we could end up with SSL but without a peer certificate, leading to a segfault because of an assumption that peers always have certificates. Be a little more paranoid. * Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes NB: ClamAV planning to remove STREAM in "middle of 2010". CL also introduces -bmalware, various -d+acl logging additions and more caution in buffer sizes. * Implemented reverse_ip expansion operator. * Bugzilla 937: provide a "debug" ACL control. * Bugzilla 922: Documentation dusting, patch provided by John Horne. * Bugzilla 973: Implement --version. 
* Bugzilla 752: Refuse to build/run if Exim user is root/0. * Build without WITH_CONTENT_SCAN. Path from Andreas Metzler. * Bugzilla 816: support multiple condition rules on Routers. * Add bool_lax{} expansion operator and use that for combining multiple condition rules, instead of bool{}. Make both bool{} and bool_lax{} ignore trailing whitespace. * prevent non-panic DKIM error from being sent to paniclog * added tcp_wrappers_daemon_name to allow host entries other than "exim" to be used * Fix malware regression for cmdline scanner introduced in PP/08. Notification from Dr Andrew Aitchison. * Change ClamAV response parsing to be more robust and to handle ClamAV's ExtendedDetectionInfo response format. * OpenSSL 1.0.0a compatibility const-ness change, should be backwards compatible. --- mail/exim/Makefile | 4 +-- mail/exim/distinfo | 14 ++++++--- mail/exim/patches/patch-aa | 26 ++++++++-------- mail/exim/patches/patch-ba | 76 ++++++++++++++++++++++++++++++++++++++++++++++ mail/exim/patches/patch-bb | 19 ++++++++++++ mail/exim/patches/patch-bc | 19 ++++++++++++ mail/exim/patches/patch-bd | 20 ++++++++++++ 7 files changed, 158 insertions(+), 20 deletions(-) create mode 100644 mail/exim/patches/patch-ba create mode 100644 mail/exim/patches/patch-bb create mode 100644 mail/exim/patches/patch-bc create mode 100644 mail/exim/patches/patch-bd diff --git a/mail/exim/Makefile b/mail/exim/Makefile index 765287dd683..299c4974827 100644 --- a/mail/exim/Makefile +++ b/mail/exim/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.103 2010/11/08 13:59:11 adam Exp $ +# $NetBSD: Makefile,v 1.103.2.1 2011/01/22 10:56:42 tron Exp $ -DISTNAME= exim-4.72 +DISTNAME= exim-4.73 CATEGORIES= mail net MASTER_SITES= ftp://ftp.exim.org/pub/exim/exim4/ \ http://dl.ambiweb.de/mirrors/ftp.exim.org/exim/exim4/ diff --git a/mail/exim/distinfo b/mail/exim/distinfo index 50dbeb1af64..6dbc1908a2d 100644 --- a/mail/exim/distinfo +++ b/mail/exim/distinfo 
@@ -1,10 +1,14 @@
-$NetBSD: distinfo,v 1.46 2010/11/08 13:59:11 adam Exp $
+$NetBSD: distinfo,v 1.46.2.1 2011/01/22 10:56:42 tron Exp $
 
-SHA1 (exim-4.72.tar.bz2) = 3aab453faaa076a6b5f02320d7f8ad8aba21b347
-RMD160 (exim-4.72.tar.bz2) = e3ae8dbb056890d49e21e2ba6eaf9cf789ca2c18
-Size (exim-4.72.tar.bz2) = 1559031 bytes
-SHA1 (patch-aa) = cf514f31626cde31747342a2d50edd1dbf7f195f
+SHA1 (exim-4.73.tar.bz2) = e40a6beece6642ab372be1bc25ce53275b4fbc54
+RMD160 (exim-4.73.tar.bz2) = 8862761a7a898106c2143014c24ea1526d72dbb7
+Size (exim-4.73.tar.bz2) = 1592788 bytes
+SHA1 (patch-aa) = 2ec7f3c7c6e18c7cc2388de00c1108b56c239ab8
 SHA1 (patch-ab) = ffb9fb28e4e5548777db31b3de34673a08a1c0fa
 SHA1 (patch-ac) = 9a260a07f5e8cc89c60188925f01fc5b46164a37
 SHA1 (patch-ae) = 4a9d2fde403cfd6386742b31f062e7801ef081b9
 SHA1 (patch-ag) = 8512795060ad913f4699c277867fd24e7a785519
+SHA1 (patch-ba) = 7f1fac71d1ccb42ac8d82217f8f1b3dbc4fb830b
+SHA1 (patch-bb) = b8e5e52026da5740bb2742d3054b54aab9ab2278
+SHA1 (patch-bc) = 230965aba99adceb413dbc77e8e6bb022c2173ff
+SHA1 (patch-bd) = 50c26f08ccbb6254b99c38cd704839788ffc0494
diff --git a/mail/exim/patches/patch-aa b/mail/exim/patches/patch-aa
index 390468c48b3..c09e1c5c9db 100644
--- a/mail/exim/patches/patch-aa
+++ b/mail/exim/patches/patch-aa
@@ -1,6 +1,6 @@
-$NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $
+$NetBSD: patch-aa,v 1.20.10.1 2011/01/22 10:56:43 tron Exp $
 
---- Local/Makefile.pkgsrc.orig 2009-11-16 07:56:01.000000000 +0100
+--- Local/Makefile.pkgsrc.orig 2011-01-12 07:35:17.000000000 +0000
 +++ Local/Makefile.pkgsrc
 @@ -100,7 +100,7 @@
  # /usr/local/sbin. The installation script will try to create this directory,
@@ -20,16 +20,16 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $ # It is possible to specify a colon-separated list of files for CONFIGURE_FILE. # In this case, Exim will use the first of them that exists when it is run. -@@ -134,7 +134,7 @@ CONFIGURE_FILE=/usr/exim/configure - # owner of a local mailbox.) Specifying these values as root is very strongly - # discouraged. +@@ -133,7 +133,7 @@ CONFIGURE_FILE=/usr/exim/configure + # deliveries. (Local deliveries run as various non-root users, typically as the + # owner of a local mailbox.) Specifying these values as root is not supported. -EXIM_USER= +EXIM_USER=ref:@EXIM_USER@ # If you specify EXIM_USER as a name, this is looked up at build time, and the # uid number is built into the binary. However, you can specify that this -@@ -155,7 +155,7 @@ EXIM_USER= +@@ -154,7 +154,7 @@ EXIM_USER= # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless # you want to use a group other than the default group for the given user. @@ -38,7 +38,7 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $ # Many sites define a user called "exim", with an appropriate default group, # and use -@@ -176,7 +176,7 @@ EXIM_USER= +@@ -175,7 +175,7 @@ EXIM_USER= # Almost all installations choose this: @@ -47,7 +47,7 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $ -@@ -333,7 +333,7 @@ PCRE_LIBS=-lpcre +@@ -332,7 +332,7 @@ PCRE_LIBS=-lpcre # files are defaulted in the OS/Makefile-Default file, but can be overridden in # local OS-specific make files. @@ -56,7 +56,7 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $ #------------------------------------------------------------------------------ -@@ -486,11 +486,11 @@ FIXED_NEVER_USERS=root +@@ -527,11 +527,11 @@ FIXED_NEVER_USERS=root # included in the Exim binary. You will then need to set up the run time # configuration to make use of the mechanism(s) selected. 
@@ -71,7 +71,7 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $ #------------------------------------------------------------------------------ -@@ -656,7 +656,7 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -697,7 +697,7 @@ HEADERS_CHARSET="ISO-8859-1" # %s. This will be replaced by one of the strings "main", "panic", or "reject" # to form the final file names. Some installations may want something like this: @@ -80,7 +80,7 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $ # which results in files with names /var/log/exim_mainlog, etc. The directory # in which the log files are placed must exist; Exim does not try to create -@@ -897,13 +897,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases +@@ -945,13 +945,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases # haven't got Perl, Exim will still build and run; you just won't be able to # use those utilities. @@ -101,7 +101,7 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $ #------------------------------------------------------------------------------ -@@ -1097,7 +1097,7 @@ TMPDIR="/tmp" +@@ -1145,7 +1145,7 @@ TMPDIR="/tmp" # (process id) to a file so that it can easily be identified. The path of the # file can be specified here. Some installations may want something like this: @@ -110,7 +110,7 @@ $NetBSD: patch-aa,v 1.20 2009/11/17 06:39:32 adam Exp $ # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory # using the name "exim-daemon.pid". -@@ -1149,3 +1149,10 @@ TMPDIR="/tmp" +@@ -1197,3 +1197,10 @@ TMPDIR="/tmp" # ENABLE_DISABLE_FSYNC=yes # End of EDITME for Exim 4. diff --git a/mail/exim/patches/patch-ba b/mail/exim/patches/patch-ba new file mode 100644 index 00000000000..6f953516c0b --- /dev/null +++ b/mail/exim/patches/patch-ba 
@@ -0,0 +1,76 @@
+$NetBSD: patch-ba,v 1.1.2.2 2011/01/22 10:56:43 tron Exp $
+
+--- src/lookups/ldap.c.orig 2009-11-16 19:50:38.000000000 +0000
++++ src/lookups/ldap.c
+@@ -445,6 +445,60 @@ if (lcp == NULL)
+ }
+ #endif /* LDAP_OPT_X_TLS */
+
++ #ifdef LDAP_OPT_X_TLS_CACERTFILE
++ if (eldap_ca_cert_file != NULL)
++ {
++ ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
++ }
++ #endif
++ #ifdef LDAP_OPT_X_TLS_CACERTDIR
++ if (eldap_ca_cert_dir != NULL)
++ {
++ ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
++ }
++ #endif
++ #ifdef LDAP_OPT_X_TLS_CERTFILE
++ if (eldap_cert_file != NULL)
++ {
++ ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
++ }
++ #endif
++ #ifdef LDAP_OPT_X_TLS_KEYFILE
++ if (eldap_cert_key != NULL)
++ {
++ ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
++ }
++ #endif
++ #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
++ if (eldap_cipher_suite != NULL)
++ {
++ ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
++ }
++ #endif
++ #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
++ if (eldap_require_cert != NULL)
++ {
++ int cert_option = LDAP_OPT_X_TLS_NEVER;
++ if (Ustrcmp(eldap_require_cert, "hard") == 0)
++ {
++ cert_option = LDAP_OPT_X_TLS_HARD;
++ }
++ else if (Ustrcmp(eldap_require_cert, "demand") == 0)
++ {
++ cert_option = LDAP_OPT_X_TLS_DEMAND;
++ }
++ else if (Ustrcmp(eldap_require_cert, "allow") == 0)
++ {
++ cert_option = LDAP_OPT_X_TLS_ALLOW;
++ }
++ else if (Ustrcmp(eldap_require_cert, "try") == 0)
++ {
++ cert_option = LDAP_OPT_X_TLS_TRY;
++ }
++ ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, cert_option);
++ }
++ #endif
++
+ /* Now add this connection to the chain of cached connections */
+
+ lcp = store_get(sizeof(LDAP_CONNECTION));
+@@ -481,6 +535,10 @@ if (!lcp->bound ||
+ {
+ DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n",
+ (lcp->bound)? "re-" : "", user, password);
++ if (eldap_start_tls)
++ {
++ ldap_start_tls_s(lcp->ld, NULL, NULL);
++ }
+ if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE))
+ == -1)
+ {
diff --git a/mail/exim/patches/patch-bb b/mail/exim/patches/patch-bb
new file mode 100644
index 00000000000..325389c8bc9
--- /dev/null
+++ b/mail/exim/patches/patch-bb
@@ -0,0 +1,19 @@
+$NetBSD: patch-bb,v 1.1.2.2 2011/01/22 10:56:43 tron Exp $
+
+--- src/globals.h.orig 2009-11-16 19:50:37.000000000 +0000
++++ src/globals.h
+@@ -35,7 +35,14 @@ extern uschar *ibase_servers;
+ #endif
+
+ #ifdef LOOKUP_LDAP
++extern uschar *eldap_ca_cert_dir; /* Directory with CA certificates */
++extern uschar *eldap_ca_cert_file; /* CA certificate file */
++extern uschar *eldap_cert_file; /* Certificate file */
++extern uschar *eldap_cert_key; /* Certificate key file */
++extern uschar *eldap_cipher_suite; /* Allowed cipher suite */
+ extern uschar *eldap_default_servers; /* List of default servers */
++extern uschar *eldap_require_cert; /* Peer certificate checking strategy */
++extern BOOL eldap_start_tls; /* Use STARTTLS */
+ extern int eldap_version; /* LDAP version */
+ #endif
+
diff --git a/mail/exim/patches/patch-bc b/mail/exim/patches/patch-bc
new file mode 100644
index 00000000000..f22d36fccb2
--- /dev/null
+++ b/mail/exim/patches/patch-bc
@@ -0,0 +1,19 @@
+$NetBSD: patch-bc,v 1.1.2.2 2011/01/22 10:56:43 tron Exp $
+
+--- src/readconf.c.orig 2009-11-16 19:50:37.000000000 +0000
++++ src/readconf.c
+@@ -262,7 +262,14 @@ static optionlist optionlist_config[] =
+ { "ignore_fromline_local", opt_bool, &ignore_fromline_local },
+ { "keep_malformed", opt_time, &keep_malformed },
+ #ifdef LOOKUP_LDAP
++ { "ldap_ca_cert_dir", opt_stringptr, &eldap_ca_cert_dir },
++ { "ldap_ca_cert_file", opt_stringptr, &eldap_ca_cert_file },
++ { "ldap_cert_file", opt_stringptr, &eldap_cert_file },
++ { "ldap_cert_key", opt_stringptr, &eldap_cert_key },
++ { "ldap_cipher_suite", opt_stringptr, &eldap_cipher_suite },
+ { "ldap_default_servers", opt_stringptr, &eldap_default_servers },
++ { "ldap_require_cert", opt_stringptr, &eldap_require_cert },
++ { "ldap_start_tls", opt_bool, &eldap_start_tls },
+ { "ldap_version", opt_int, &eldap_version },
+ #endif
+ { "local_from_check", opt_bool, &local_from_check },
diff --git a/mail/exim/patches/patch-bd b/mail/exim/patches/patch-bd
new file mode 100644
index 00000000000..1002daaefc3
--- /dev/null
+++ b/mail/exim/patches/patch-bd
@@ -0,0 +1,20 @@
+$NetBSD: patch-bd,v 1.1.2.2 2011/01/22 10:56:43 tron Exp $
+
+--- src/globals.c.orig 2009-11-16 19:50:37.000000000 +0000
++++ src/globals.c
+@@ -75,8 +75,15 @@ uschar *ibase_servers = NULL;
+ #endif
+
+ #ifdef LOOKUP_LDAP
++uschar *eldap_ca_cert_dir = NULL;
++uschar *eldap_ca_cert_file = NULL;
++uschar *eldap_cert_file = NULL;
++uschar *eldap_cert_key = NULL;
++uschar *eldap_cipher_suite = NULL;
+ uschar *eldap_default_servers = NULL;
++uschar *eldap_require_cert = NULL;
+ int eldap_version = -1;
++BOOL eldap_start_tls = FALSE;
+ #endif
+
+ #ifdef LOOKUP_MYSQL
-- cgit v1.2.3