authorAndreas Metzler <ametzler@bebt.de>2013-11-09 17:35:48 +0100
committerAndreas Metzler <ametzler@bebt.de>2013-11-09 17:35:48 +0100
commit67d488b288c497ede631d9fc4f753e46d0e53d58 (patch)
treed4591725bf12ef9df11f3dc443da05553a7909f7
parent1e0203f9d3e0e790baceaf9711ba12c261c638ba (diff)
Pull multiple fixes from GITexperimental/4.82-2
Pull two post-release fixes from upstream git master: + 75_unbind-ldap-connection.diff - Only unbind ldap connection if bind succeeded. + 77_close-the-server-side-of-TLS.diff - Correctly close the server side of TLS when forking for delivery. Pull 76_fix_ldap_option_setting.diff from Todd Lyons testing tree. See <http://mid.gmane.org/20131029200309.GA277075%40zedat.fu-berlin.de>.
-rw-r--r--debian/changelog12
-rw-r--r--debian/patches/75_unbind-ldap-connection.diff26
-rw-r--r--debian/patches/76_fix_ldap_option_setting.diff106
-rw-r--r--debian/patches/77_close-the-server-side-of-TLS.diff40
-rw-r--r--debian/patches/series3
5 files changed, 187 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 4515ab2..9b151f7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+exim4 (4.82-2) experimental; urgency=low
+
+ * Pull two post-release fixes from upstream git master:
+ + 75_unbind-ldap-connection.diff - Only unbind ldap connection if bind
+ succeeded.
+ + 77_close-the-server-side-of-TLS.diff - Correctly close the server side
+ of TLS when forking for delivery.
+ * Pull 76_fix_ldap_option_setting.diff from Todd Lyons testing tree. See
+ <http://mid.gmane.org/20131029200309.GA277075%40zedat.fu-berlin.de>.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 09 Nov 2013 17:24:59 +0100
+
exim4 (4.82-1) experimental; urgency=low
* New upstream stable release.
diff --git a/debian/patches/75_unbind-ldap-connection.diff b/debian/patches/75_unbind-ldap-connection.diff
new file mode 100644
index 0000000..16f4cc4
--- /dev/null
+++ b/debian/patches/75_unbind-ldap-connection.diff
@@ -0,0 +1,26 @@
+From ff2c417d0b970db22a382cb692d066d8fe3c32ae Mon Sep 17 00:00:00 2001
+From: Todd Lyons <tlyons@exim.org>
+Date: Thu, 31 Oct 2013 06:04:27 -0700
+Subject: [PATCH 1/8] Only unbind ldap connection if bind succeeded
+
+---
+ src/lookups/ldap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lookups/ldap.c b/src/lookups/ldap.c
+index bb29b43..6129b4b 100644
+--- a/src/lookups/ldap.c
++++ b/src/lookups/ldap.c
+@@ -1367,7 +1367,8 @@ while ((lcp = ldap_connections) != NULL)
+ {
+ DEBUG(D_lookup) debug_printf("unbind LDAP connection to %s:%d\n", lcp->host,
+ lcp->port);
+- ldap_unbind(lcp->ld);
++ if(lcp->bound == TRUE)
++ ldap_unbind(lcp->ld);
+ ldap_connections = lcp->next;
+ }
+ }
+--
+1.7.10.4
+
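Review bot: The new guard `if(lcp->bound == TRUE)` compares an exim BOOL against TRUE, which silently skips the unbind if `bound` is ever assigned from a nonzero expression other than 1; write it as `if (lcp->bound)` (with the space after `if`, matching the surrounding style). A connection whose bind failed now stays on `ldap_connections` with its `ld` handle untouched — whether that handle is still live here depends on the bind-failure path, which is outside this hunk, so I cannot tell, but if it is live each failed bind now leaks a handle instead of crashing, and a short comment on the new line should state who owns `ld` in that case. The enclosing while loop and its function begin before the hunk.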
diff --git a/debian/patches/76_fix_ldap_option_setting.diff b/debian/patches/76_fix_ldap_option_setting.diff
new file mode 100644
index 0000000..c14008d
--- /dev/null
+++ b/debian/patches/76_fix_ldap_option_setting.diff
@@ -0,0 +1,106 @@
+From f535f98390710c48b0fe2bf3bbe751a3459ca72b Mon Sep 17 00:00:00 2001
+From: Todd Lyons <tlyons@exim.org>
+Date: Thu, 31 Oct 2013 09:42:15 -0700
+Subject: [PATCH] Fix ldap option setting.
+
+Some client libs set a global context, newer client libs set a global
+ default which then needs to be reloaded.
+
+diff --git a/src/lookups/ldap.c b/src/lookups/ldap.c
+index 6129b4b..a25868f 100644
+--- a/src/lookups/ldap.c
++++ b/src/lookups/ldap.c
+@@ -280,6 +280,13 @@ if (lcp == NULL)
+ {
+ LDAP *ld;
+
++ #ifdef LDAP_OPT_X_TLS_NEWCTX
++ int am_server = 0;
++ LDAP *ldsetctx;
++ #else
++ LDAP *ldsetctx = NULL;
++ #endif
++
+
+ /* --------------------------- OpenLDAP ------------------------ */
+
+@@ -365,6 +372,10 @@ if (lcp == NULL)
+ goto RETURN_ERROR;
+ }
+
++ #ifdef LDAP_OPT_X_TLS_NEWCTX
++ ldsetctx = ld;
++ #endif
++
+ /* Set the TCP connect time limit if available. This is something that is
+ in Netscape SDK v4.1; I don't know about other libraries. */
+
+@@ -461,31 +472,31 @@ if (lcp == NULL)
+ #ifdef LDAP_OPT_X_TLS_CACERTFILE
+ if (eldap_ca_cert_file != NULL)
+ {
+- ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
++ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
+ }
+ #endif
+ #ifdef LDAP_OPT_X_TLS_CACERTDIR
+ if (eldap_ca_cert_dir != NULL)
+ {
+- ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
++ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
+ }
+ #endif
+ #ifdef LDAP_OPT_X_TLS_CERTFILE
+ if (eldap_cert_file != NULL)
+ {
+- ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
++ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
+ }
+ #endif
+ #ifdef LDAP_OPT_X_TLS_KEYFILE
+ if (eldap_cert_key != NULL)
+ {
+- ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
++ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
+ }
+ #endif
+ #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
+ if (eldap_cipher_suite != NULL)
+ {
+- ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
++ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
+ }
+ #endif
+ #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+@@ -508,8 +519,26 @@ if (lcp == NULL)
+ {
+ cert_option = LDAP_OPT_X_TLS_TRY;
+ }
+- /* Use NULL ldap handle because is a global option */
+- ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
++ /* This ldap handle is set at compile time based on client libs. Older
++ * versions want it to be global and newer versions can force a reload
++ * of the TLS context (to reload these settings we are changing from the
++ * default that loaded at instantiation). */
++ rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
++ if (rc)
++ {
++ DEBUG(D_lookup)
++ debug_printf("Unable to set TLS require cert_option(%d) globally: %s\n",
++ cert_option, ldap_err2string(rc));
++ }
++ }
++ #endif
++ #ifdef LDAP_OPT_X_TLS_NEWCTX
++ rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server);
++ if (rc)
++ {
++ DEBUG(D_lookup)
++ debug_printf("Unable to reload TLS context %d: %s\n",
++ rc, ldap_err2string(rc));
+ }
+ #endif
+
+--
+1.6.3.2
+
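Review bot: A failing `ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option)` and a failing `LDAP_OPT_X_TLS_NEWCTX` reload are only reported under `DEBUG(D_lookup)` and the lookup then proceeds, so with a misconfigured or unsupported client library the connection runs with whatever verification the library default gives rather than the configured require-cert level; the function already has a `RETURN_ERROR` label (visible in the `@@ -365,6` context), and jumping to it, or at least logging outside debug mode, would keep a TLS-verification downgrade from being silent. The CA/cert/key/cipher `ldap_set_option` calls in the `@@ -461,31` hunk still discard their return value for the same reason. Two smaller points: `LDAP *ldsetctx;` in the `LDAP_OPT_X_TLS_NEWCTX` branch is uninitialized until `ldsetctx = ld;` in a later hunk, so `LDAP *ldsetctx = NULL;` in both branches is safer and shrinks the `#ifdef` to just `int am_server = 0;`; and `rc` is assigned in the new code but declared in no hunk shown, so it presumably comes from earlier in the function. The enclosing function starts before the first hunk.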
diff --git a/debian/patches/77_close-the-server-side-of-TLS.diff b/debian/patches/77_close-the-server-side-of-TLS.diff
new file mode 100644
index 0000000..ca7c9bb
--- /dev/null
+++ b/debian/patches/77_close-the-server-side-of-TLS.diff
@@ -0,0 +1,40 @@
+From a400eccf287c55558ae7197c831828cf10b0a35c Mon Sep 17 00:00:00 2001
+From: Tony Finch <dot@dotat.at>
+Date: Tue, 5 Nov 2013 12:18:02 +0000
+Subject: [PATCH 2/8] Correctly close the server side of TLS when forking for
+ delivery.
+
+---
+ src/daemon.c | 2 +-
+ src/exim.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/daemon.c b/src/daemon.c
+index 3467f14..8e61dcf 100644
+--- a/src/daemon.c
++++ b/src/daemon.c
+@@ -639,7 +639,7 @@ if (pid == 0)
+ the data structures if necessary. */
+
+ #ifdef SUPPORT_TLS
+- tls_close(FALSE, FALSE);
++ tls_close(TRUE, FALSE);
+ #endif
+
+ /* Reset SIGHUP and SIGCHLD in the child in both cases. */
+diff --git a/src/exim.c b/src/exim.c
+index a715c0b..856e655 100644
+--- a/src/exim.c
++++ b/src/exim.c
+@@ -526,7 +526,7 @@ close_unwanted(void)
+ if (smtp_input)
+ {
+ #ifdef SUPPORT_TLS
+- tls_close(FALSE, FALSE); /* Shut down the TLS library */
++ tls_close(TRUE, FALSE); /* Shut down the TLS library */
+ #endif
+ (void)close(fileno(smtp_in));
+ (void)close(fileno(smtp_out));
+--
+1.7.10.4
+
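Review bot: Both call sites now pass a bare `TRUE, FALSE` to `tls_close`, and the bug being fixed was precisely a wrong positional boolean, so each call should name what it passes, e.g. `tls_close(TRUE, FALSE); /* is_server = TRUE, no shutdown: parent still owns the session */`, assuming the first parameter is the is_server flag as the subject line implies (the prototype is not in the hunk). If the second argument controls whether a close_notify is sent, leaving it FALSE looks deliberate in the forked child, since a shutdown from the child would tear down the parent's session, and saying so in the comment would stop a later "fix" to TRUE; please confirm against tls_close. `close_unwanted` in exim.c and the `pid == 0` block in daemon.c both begin before their hunks.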
diff --git a/debian/patches/series b/debian/patches/series
index 57dd216..7cac351 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,6 @@
66_enlarge-dh-parameters-size.dpatch
67_unnecessaryCopt.diff
70_remove_exim-users_references.dpatch
+75_unbind-ldap-connection.diff
+76_fix_ldap_option_setting.diff
+77_close-the-server-side-of-TLS.diff