From ab4526b8ebeca5eb7ba8bda562947706d436d594 Mon Sep 17 00:00:00 2001
From: bsiegert
Date: Thu, 3 Mar 2016 20:22:52 +0000
Subject: Pullup ticket #4942 - requested by wiedi
mail/exim: security fix

Revisions pulled up:
- mail/exim-html/Makefile 1.30-1.31
- mail/exim-html/PLIST 1.14
- mail/exim-html/distinfo 1.25-1.26
- mail/exim/Makefile 1.142-1.143
- mail/exim/distinfo 1.63-1.64
- mail/exim/patches/patch-aa 1.24
---
Module Name: pkgsrc
Committed By: bsiegert
Date: Sun Jan 10 20:55:57 UTC 2016

Modified Files:
pkgsrc/mail/exim: Makefile distinfo
pkgsrc/mail/exim/patches: patch-aa

Log Message:
Update exim to 4.86.

Exim version 4.86
-----------------

JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now expanded.
JH/02 The smtp transport option "multi_domain" is now expanded.
JH/03 The smtp transport now requests PRDR by default, if the server offers it.
JH/04 Certificate name checking on server certificates, when exim is a client, is now done by default. The transport option tls_verify_cert_hostnames can be used to disable this per-host. The build option EXPERIMENTAL_CERTNAMES is withdrawn.
JH/05 The value of the tls_verify_certificates smtp transport and main options default to the word "system" to access the system default CA bundle. For GnuTLS, only version 3.0.20 or later.
JH/06 Verification of the server certificate for a TLS connection is now tried (but not required) by default. The verification status is now logged by default, for both outbound TLS and client-certificate supplying inbound TLS connections.
JH/07 Changed the default rfc1413 lookup settings to disable calls. Few sites use this now.
JH/08 The EXPERIMENTAL_DSN compile option is no longer needed; all Delivery Status Notification (bounce) messages are now MIME format per RFC 3464. Support for RFC 3461 DSN options NOTIFY,ENVID,RET,ORCPT can be advertised under the control of the dsn_advertise_hosts option, and routers may have a dsn_lasthop option.
JH/09 A timeout of 2 minutes is now applied to all malware scanner types by default, modifiable by a malware= option. The list separator for the options can now be changed in the usual way. Bug 68.
JH/10 The smtp_receive_timeout main option is now expanded before use.
JH/11 The incoming_interface log option now also enables logging of the local interface on delivery outgoing connections.
JH/12 The cutthrough-routing facility now supports multi-recipient mails, if the interface and destination host and port all match.
JH/13 Bug 344: The verify = reverse_host_lookup ACL condition now accepts a /defer_ok option.
JH/14 Bug 1573: The spam= ACL condition now additionally supports Rspamd. Patch from Andrew Lewis.
JH/15 Bug 670: The spamd_address main option (for the spam= ACL condition) now supports optional time-restrictions, weighting, and priority modifiers per server. Patch originally by .
JH/16 The spamd_address main option now supports a mixed list of local and remote servers. Remote servers can be IPv6 addresses, and specify a port-range.
JH/17 Bug 68: The spamd_address main option now supports an optional timeout value per server.
JH/18 Bug 1581: Router and transport options headers_add/remove can now have the list separator specified.
JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry option values.
JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails under OpenSSL.
JH/21 Support for the A6 type of dns record is withdrawn.
JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters rather than the verbs used.
JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size from 255 to 1024 chars.
JH/24 Verification callouts now attempt to use TLS by default.
HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) are generic router options now. The defaults didn't change.
JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames. Original patch from Alexander Shikoff, worked over by JH.
HS/02 Bug 1575: exigrep falls back to autodetection of compressed files if ZCAT_COMMAND is not executable.
JH/26 Bug 1539: Add timeout/retry options on dnsdb lookups.
JH/27 Bug 286: Support SOA lookup in dnsdb lookups.
JH/28 Bug 1588: Do not use the A lookup following an AAAA for setting the FQDN. Normally benign, it bites when the pair was led to by a CNAME; modern usage is to not canonicalize the domain to a CNAME target (and we were inconsistent anyway for A-only vs AAAA+A).
JH/29 Bug 1632: Removed the word "rejected" from line logged for ACL discards.
JH/30 Check the forward DNS lookup for DNSSEC, in addition to the reverse, when evaluating $sender_host_dnssec.
JH/31 Check the HELO verification lookup for DNSSEC, adding new $sender_helo_dnssec variable.
JH/32 Bug 1397: Enable ECDHE on OpenSSL, just the NIST P-256 curve.
JH/33 Bug 1346: Note MAIL cmd seen in -bS batch, to avoid smtp_no_mail log.
JH/34 Bug 1648: Fix a memory leak seen with "mailq" and large queues.
JH/35 Bug 1642: Fix support of $spam_ variables at delivery time. Was documented as working, but never had. Support all but $spam_report.
JH/36 Bug 1659: Guard checking of input smtp commands against pseudo-command added for tls authenticator.
---
Module Name: pkgsrc
Committed By: adam
Date: Mon Jan 11 08:35:32 UTC 2016

Modified Files:
pkgsrc/mail/exim-html: Makefile PLIST distinfo

Log Message:
Match mail/exim version
---
Module Name: pkgsrc
Committed By: wiedi
Date: Wed Mar 2 20:13:18 UTC 2016

Modified Files:
pkgsrc/mail/exim: Makefile distinfo
pkgsrc/mail/exim-html: Makefile distinfo

Log Message:
Update mail/exim and mail/exim-html to 4.86.2

Exim version 4.86.2
-------------------

Portability release of 4.86.1

Exim version 4.86.1
-------------------

HS/04 Add support for keep_environment and add_environment options. This fixes CVE-2016-1531.
All installations having Exim set-uid root and using 'perl_startup' are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (and this is normally *any* user) can gain root privileges. If you do not use 'perl_startup' you *should* be safe.

New options
-----------

We had to introduce two new configuration options:

keep_environment =
add_environment =

Both options are empty per default. That is, Exim cleans the complete environment on startup. This affects Exim itself and any subprocesses, as transports, that may call other programs via some alias mechanisms, as routers (queryprogram), lookups, and so on. This may affect used libraries (e.g. LDAP).

** THIS MAY BREAK your existing installation **

If both options are not used in the configuration, Exim issues a warning on startup. This warning disappears if at least one of these options is used (even if set to an empty value).

keep_environment should contain a list of trusted environment variables. (Do you trust PATH?). This may be a list of names and REs.

keep_environment = ^LDAP_ : FOO_PATH

To add (or override) variables, you can use add_environment:

add_environment = <; PATH=/sbin:/usr/sbin

New behaviour
-------------

Now Exim changes its working directory to / right after startup, even before reading its configuration. (Later Exim changes its working directory to $spool_directory, as usual.)

Exim only accepts an absolute configuration file path now, when using the -C option.
--- mail/exim-html/Makefile | 4 ++-- mail/exim-html/PLIST | 4 +++- mail/exim-html/distinfo | 10 +++++----- mail/exim/Makefile | 5 ++--- mail/exim/distinfo | 12 ++++++------ mail/exim/patches/patch-aa | 15 ++++++++------- 6 files changed, 26 insertions(+), 24 deletions(-) diff --git a/mail/exim-html/Makefile b/mail/exim-html/Makefile index 649e244f56f..30779cd3a09 100644 --- a/mail/exim-html/Makefile +++ b/mail/exim-html/Makefile
@@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.29 2015/02/14 07:33:19 adam Exp $ +# $NetBSD: Makefile,v 1.29.8.1 2016/03/03 20:22:52 bsiegert Exp $ -DISTNAME= exim-html-4.85 +DISTNAME= exim-html-4.86.2 CATEGORIES= mail net MASTER_SITES= ftp://ftp.exim.org/pub/exim/exim4/ \ ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/ \ diff --git a/mail/exim-html/PLIST b/mail/exim-html/PLIST index 128ff88241e..9dadcade8c2 100644 --- a/mail/exim-html/PLIST +++ b/mail/exim-html/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.13 2013/10/30 07:30:03 adam Exp $ +@comment $NetBSD: PLIST,v 1.13.18.1 2016/03/03 20:22:52 bsiegert Exp $ share/doc/exim/html/spec_html/ch-access_control_lists.html share/doc/exim/html/spec_html/ch-adding_a_local_scan_function_to_exim.html share/doc/exim/html/spec_html/ch-adding_new_drivers_or_lookup_types.html @@ -57,6 +57,7 @@ share/doc/exim/html/spec_html/ch-the_queryprogram_router.html share/doc/exim/html/spec_html/ch-the_redirect_router.html share/doc/exim/html/spec_html/ch-the_smtp_transport.html share/doc/exim/html/spec_html/ch-the_spa_authenticator.html +share/doc/exim/html/spec_html/ch-the_tls_authenticator.html share/doc/exim/html/spec_html/ch-using_exim_as_a_nonqueueing_client.html share/doc/exim/html/spec_html/ch-variable_index.html share/doc/exim/html/spec_html/ch01.html @@ -119,6 +120,7 @@ share/doc/exim/html/spec_html/ch57.html share/doc/exim/html/spec_html/ch58.html share/doc/exim/html/spec_html/ch59.html share/doc/exim/html/spec_html/ch60.html +share/doc/exim/html/spec_html/ch61.html share/doc/exim/html/spec_html/filter.html share/doc/exim/html/spec_html/filter_ch-exim_filter_files.html share/doc/exim/html/spec_html/filter_ch-forwarding_and_filtering_in_exim.html diff --git a/mail/exim-html/distinfo b/mail/exim-html/distinfo index 1eb9c077e5e..2695d1ae310 100644 --- a/mail/exim-html/distinfo +++ b/mail/exim-html/distinfo 
@@ -1,6 +1,6 @@ -$NetBSD: distinfo,v 1.24 2015/11/03 23:27:05 agc Exp $ +$NetBSD: distinfo,v 1.24.2.1 2016/03/03 20:22:52 bsiegert Exp $ -SHA1 (exim-html-4.85.tar.bz2) = f3952d9fee9b64aec0269da978a54c2c8de74833 -RMD160 (exim-html-4.85.tar.bz2) = 2901f7a96e30e445ece41fb8b3319a28f1a0f997 -SHA512 (exim-html-4.85.tar.bz2) = 8214576300827f79c0880e2d2163f71d7f1b3fe2aff714b591a011e48816965de5a773c3509137b085fec3d4d2128931f8398768c24dad6c92b7df27cbcafe74 -Size (exim-html-4.85.tar.bz2) = 467069 bytes +SHA1 (exim-html-4.86.2.tar.bz2) = 9b55e69787cf1f9ef233fd762736bb4541773bb4 +RMD160 (exim-html-4.86.2.tar.bz2) = bf077ceaed3c0763d0ef93e2a7ee455a714db195 +SHA512 (exim-html-4.86.2.tar.bz2) = 593df23914939f8fa76c15a2ab7fc197efa05fcbb984179c9dc2c7d535fe2bef1394c07bc8449f2219f54615ff2f4ee13b76409d89b846dc71e54880681c913e +Size (exim-html-4.86.2.tar.bz2) = 466139 bytes diff --git a/mail/exim/Makefile b/mail/exim/Makefile index 116a51c5735..0cdd6c5d1fe 100644 --- a/mail/exim/Makefile +++ b/mail/exim/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.141 2015/10/10 01:58:12 ryoon Exp $ +# $NetBSD: Makefile,v 1.141.2.1 2016/03/03 20:22:52 bsiegert Exp $ -DISTNAME= exim-4.85 -PKGREVISION= 3 +DISTNAME= exim-4.86.2 CATEGORIES= mail net MASTER_SITES= ftp://ftp.exim.org/pub/exim/exim4/ \ http://dl.ambiweb.de/mirrors/ftp.exim.org/exim/exim4/ diff --git a/mail/exim/distinfo b/mail/exim/distinfo index c0b8dc523ce..9f4fe499858 100644 --- a/mail/exim/distinfo +++ b/mail/exim/distinfo 
@@ -1,10 +1,10 @@ -$NetBSD: distinfo,v 1.62 2015/11/03 23:27:05 agc Exp $ +$NetBSD: distinfo,v 1.62.2.1 2016/03/03 20:22:52 bsiegert Exp $ -SHA1 (exim-4.85.tar.bz2) = 6b40d5a6ae59f86b4780ad50aaf0d930330d7b67 -RMD160 (exim-4.85.tar.bz2) = 334e5eeb9242b3fff49bd581b8cb22c12c0e8215 -SHA512 (exim-4.85.tar.bz2) = 2c5846528ee98e4aff5dbabe49dfa5ba6753fa64154b9671a7849db8a17773917fe13bcb9e5f732c43d7479debfadd8012b8650823eb12504a6b1b28be456161 -Size (exim-4.85.tar.bz2) = 1784150 bytes -SHA1 (patch-aa) = 24a12631b7df17930349b8a0d03adc80d27efbe2 +SHA1 (exim-4.86.2.tar.bz2) = 539cb2edc784d439cae8f95940e9eff847e2695d +RMD160 (exim-4.86.2.tar.bz2) = 06790977ad50fb19548826631df904d6bda62a83 +SHA512 (exim-4.86.2.tar.bz2) = 5869a7ae8fd66819f654f6617c7e77075a24b110074317b77135b8cc86f12632e79758d41819c6e91871e0145adaba4b91651f5c6c1d2ebd17927f0198876231 +Size (exim-4.86.2.tar.bz2) = 1799316 bytes +SHA1 (patch-aa) = 4df21c2497e9fee8dfbcd4386bb1b70d69ca2932 SHA1 (patch-ab) = 6af17f036ed02a3bc37c1f303269eea447fcb691 SHA1 (patch-ae) = 7daf63727e222bbaa7e5b8289c4fcb6a8c0272cf SHA1 (patch-ag) = dd93bb718c996f18b4e985806eb6d4ff5f25a67f diff --git a/mail/exim/patches/patch-aa b/mail/exim/patches/patch-aa index 0c65753d9e5..5956a198a1a 100644 --- a/mail/exim/patches/patch-aa +++ b/mail/exim/patches/patch-aa @@ -1,6 +1,6 @@ -$NetBSD: patch-aa,v 1.23 2012/06/11 11:41:25 adam Exp $ +$NetBSD: patch-aa,v 1.23.30.1 2016/03/03 20:22:52 bsiegert Exp $ ---- Local/Makefile.pkgsrc.orig 2012-06-11 11:27:45.000000000 +0000 +--- Local/Makefile.pkgsrc.orig 2016-01-10 20:50:29.000000000 +0000 +++ Local/Makefile.pkgsrc @@ -98,7 +98,7 @@ # /usr/local/sbin. The installation script will try to create this directory, 
@@ -56,7 +56,7 @@ $NetBSD: patch-aa,v 1.23 2012/06/11 11:41:25 adam Exp $ #------------------------------------------------------------------------------ -@@ -578,15 +578,15 @@ FIXED_NEVER_USERS=root +@@ -628,16 +628,16 @@ FIXED_NEVER_USERS=root # included in the Exim binary. You will then need to set up the run time # configuration to make use of the mechanism(s) selected. @@ -72,10 +72,11 @@ $NetBSD: patch-aa,v 1.23 2012/06/11 11:41:25 adam Exp $ -# AUTH_SPA=yes +AUTH_PLAINTEXT=yes +AUTH_SPA=yes + # AUTH_TLS=yes #------------------------------------------------------------------------------ -@@ -764,7 +764,7 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -822,7 +822,7 @@ HEADERS_CHARSET="ISO-8859-1" # %s. This will be replaced by one of the strings "main", "panic", or "reject" # to form the final file names. Some installations may want something like this: @@ -84,7 +85,7 @@ $NetBSD: patch-aa,v 1.23 2012/06/11 11:41:25 adam Exp $ # which results in files with names /var/log/exim_mainlog, etc. The directory # in which the log files are placed must exist; Exim does not try to create -@@ -1016,13 +1016,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases +@@ -1080,13 +1080,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases # haven't got Perl, Exim will still build and run; you just won't be able to # use those utilities. @@ -105,7 +106,7 @@ $NetBSD: patch-aa,v 1.23 2012/06/11 11:41:25 adam Exp $ #------------------------------------------------------------------------------ -@@ -1222,7 +1222,7 @@ TMPDIR="/tmp" +@@ -1286,7 +1286,7 @@ TMPDIR="/tmp" # (process id) to a file so that it can easily be identified. The path of the # file can be specified here. Some installations may want something like this: 
@@ -114,7 +115,7 @@ $NetBSD: patch-aa,v 1.23 2012/06/11 11:41:25 adam Exp $ # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory # using the name "exim-daemon.pid". -@@ -1294,3 +1294,10 @@ TMPDIR="/tmp" +@@ -1358,3 +1358,10 @@ TMPDIR="/tmp" # ENABLE_DISABLE_FSYNC=yes # End of EDITME for Exim 4. -- cgit v1.2.3
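Review bot: the mail/exim/Makefile hunk bumps DISTNAME to exim-4.86.2 and drops PKGREVISION, but nothing in the pullup carries the operational warning from the 4.86.1 log to the admin installing the package: the log says the new environment cleaning "MAY BREAK your existing installation", that libraries such as LDAP may depend on variables that are now dropped, and that Exim warns at startup until keep_environment or add_environment appears in the configuration. The diffstat touches only Makefile, distinfo, PLIST and patch-aa, so consider adding a MESSAGE for mail/exim (or at least a line in the pullup text) that points at the two new options and the new requirement that -C takes an absolute path.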
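Review bot: in the mail/exim/distinfo hunk only the SHA1 of patch-aa changes, while patch-ab, patch-ae and patch-ag keep their old checksums, yet the patch-aa hunk shows the Local/Makefile offsets moving by 50 to 64 lines between 4.85 and 4.86.2 (578 to 628, 764 to 822, 1016 to 1080, 1222 to 1286, 1294 to 1358). Please confirm the three unregenerated patches still apply without fuzz against the 4.86.2 tree; a fuzzy apply that lands a hunk in the wrong place would go unnoticed by the checksum and this is a setuid-root binary being rebuilt for a security fix.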
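Review bot: the regenerated patch-aa adds "+ # AUTH_TLS=yes" as a new context line in the authenticator block (the inner hunk grows from 15 to 16 lines on both sides) while AUTH_PLAINTEXT=yes and AUTH_SPA=yes stay enabled; that is consistent with the ch-the_tls_authenticator.html chapter added to the exim-html PLIST, but it means the new tls authenticator is left commented out in the package build. Fine if that is the intent, though a short note in the commit log saying the authenticator set is unchanged would save the next reader from checking.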
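As an added illustration (not Exim's own code and not part of the pkgsrc change), the following Python models the behaviour the 4.86.1 log above describes: keep_environment as a list of names and ^-prefixed regular expressions, add_environment with the `<;` separator override, the empty-by-default clean environment, and the startup warning that goes away once either option is merely present. The split_list helper follows Exim's colon-list conventions as assumed here (leading `<c` switches the separator, a doubled separator is a literal one); SAMPLE_ENV is a constructed environment.

```python
import re

# Constructed process environment for the demonstration (not from a real host).
SAMPLE_ENV = {
    "PATH": "/home/user/bin:/usr/bin:/bin",
    "LDAP_HOST": "ldap.example.test",
    "LDAP_BASE": "dc=example,dc=test",
    "FOO_PATH": "/opt/foo",
    "PERL5LIB": "/home/user/lib",  # the kind of variable perl_startup code would honour
}


def split_list(value: str) -> list[str]:
    """Split an Exim string list: ':'-separated by default, a leading '<c'
    switches the separator to c (the log's '<;' form), a doubled separator
    is a literal one, and empty items are dropped. Assumed semantics."""
    value = value.strip()
    sep = ":"
    if value.startswith("<") and len(value) > 1:
        sep, value = value[1], value[2:]
    value = value.replace(sep + sep, "\0")
    items = [item.strip().replace("\0", sep) for item in value.split(sep)]
    return [item for item in items if item]


def keep_matches(name: str, patterns: list[str]) -> bool:
    """keep_environment items are plain names or, when they start with '^', REs."""
    return any(re.search(p, name) if p.startswith("^") else p == name
               for p in patterns)


def resulting_environment(env: dict[str, str], keep_environment: str,
                          add_environment: str) -> dict[str, str]:
    """Environment Exim and its subprocesses see: drop everything not listed in
    keep_environment, then add_environment entries are added or override."""
    keep = split_list(keep_environment)
    result = {k: v for k, v in env.items() if keep_matches(k, keep)}
    for item in split_list(add_environment):
        name, _, val = item.partition("=")
        result[name] = val
    return result


def warns_on_startup(keep_environment, add_environment) -> bool:
    """Exim warns only when neither option is present in the configuration;
    an option set to an empty value ("" here, None meaning absent) counts as used."""
    return keep_environment is None and add_environment is None
```

With the log's two example settings, only the LDAP_* variables, FOO_PATH and the overridden PATH survive; PERL5LIB and everything else is gone before perl_startup or any router or transport subprocess runs.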