-rw-r--r-- | debian/changelog | 12 | ||||
-rw-r--r-- | debian/patches/75_unbind-ldap-connection.diff | 26 | ||||
-rw-r--r-- | debian/patches/76_fix_ldap_option_setting.diff | 106 | ||||
-rw-r--r-- | debian/patches/77_close-the-server-side-of-TLS.diff | 40 | ||||
-rw-r--r-- | debian/patches/series | 3 |
5 files changed, 187 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 4515ab2..9b151f7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +exim4 (4.82-2) experimental; urgency=low + + * Pull two post-release fixes from upstream git master: + + 75_unbind-ldap-connection.diff - Only unbind ldap connection if bind + succeeded. + + 77_close-the-server-side-of-TLS.diff - Correctly close the server side + of TLS when forking for delivery. + * Pull 76_fix_ldap_option_setting.diff from Todd Lyons testing tree. See + <http://mid.gmane.org/20131029200309.GA277075%40zedat.fu-berlin.de>. + + -- Andreas Metzler <ametzler@debian.org> Sat, 09 Nov 2013 17:24:59 +0100 + exim4 (4.82-1) experimental; urgency=low * New upstream stable release. diff --git a/debian/patches/75_unbind-ldap-connection.diff b/debian/patches/75_unbind-ldap-connection.diff new file mode 100644 index 0000000..16f4cc4 --- /dev/null +++ b/debian/patches/75_unbind-ldap-connection.diff @@ -0,0 +1,26 @@ +From ff2c417d0b970db22a382cb692d066d8fe3c32ae Mon Sep 17 00:00:00 2001 +From: Todd Lyons <tlyons@exim.org> +Date: Thu, 31 Oct 2013 06:04:27 -0700 +Subject: [PATCH 1/8] Only unbind ldap connection if bind succeeded + +--- + src/lookups/ldap.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/lookups/ldap.c b/src/lookups/ldap.c +index bb29b43..6129b4b 100644 +--- a/src/lookups/ldap.c ++++ b/src/lookups/ldap.c +@@ -1367,7 +1367,8 @@ while ((lcp = ldap_connections) != NULL) + { + DEBUG(D_lookup) debug_printf("unbind LDAP connection to %s:%d\n", lcp->host, + lcp->port); +- ldap_unbind(lcp->ld); ++ if(lcp->bound == TRUE) ++ ldap_unbind(lcp->ld); + ldap_connections = lcp->next; + } + } +-- +1.7.10.4 + diff --git a/debian/patches/76_fix_ldap_option_setting.diff b/debian/patches/76_fix_ldap_option_setting.diff new file mode 100644 index 0000000..c14008d --- /dev/null +++ b/debian/patches/76_fix_ldap_option_setting.diff 
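Review bot: With the new guard in the `while ((lcp = ldap_connections) != NULL)` loop, an entry whose bind failed is unlinked from `ldap_connections` without `ldap_unbind(lcp->ld)` ever being called, so if `lcp->ld` still holds a handle created by ldap_init/ldap_initialize at that point (the allocation is outside this hunk) the handle and its socket are leaked until the process exits. If unbinding a handle that was never bound is what this patch works around, the alternative is to release the handle without an unbind request (`ldap_unbind_ext(lcp->ld, NULL, NULL)` should accept an unbound handle on OpenLDAP, and newer releases have `ldap_destroy()`), or at least to record in a comment why leaving it allocated is acceptable; as written the intent lives only in the commit subject. Minor: `if(lcp->bound == TRUE)` could be the plainer `if (lcp->bound)`, and the DEBUG line above it still announces "unbind" even when nothing is unbound. The enclosing loop and its function start outside the hunk.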
@@ -0,0 +1,106 @@ +From f535f98390710c48b0fe2bf3bbe751a3459ca72b Mon Sep 17 00:00:00 2001 +From: Todd Lyons <tlyons@exim.org> +Date: Thu, 31 Oct 2013 09:42:15 -0700 +Subject: [PATCH] Fix ldap option setting. + +Some client libs set a global context, newer client libs set a global + default which then needs to be reloaded. + +diff --git a/src/lookups/ldap.c b/src/lookups/ldap.c +index 6129b4b..a25868f 100644 +--- a/src/lookups/ldap.c ++++ b/src/lookups/ldap.c +@@ -280,6 +280,13 @@ if (lcp == NULL) + { + LDAP *ld; + ++ #ifdef LDAP_OPT_X_TLS_NEWCTX ++ int am_server = 0; ++ LDAP *ldsetctx; ++ #else ++ LDAP *ldsetctx = NULL; ++ #endif ++ + + /* --------------------------- OpenLDAP ------------------------ */ + +@@ -365,6 +372,10 @@ if (lcp == NULL) + goto RETURN_ERROR; + } + ++ #ifdef LDAP_OPT_X_TLS_NEWCTX ++ ldsetctx = ld; ++ #endif ++ + /* Set the TCP connect time limit if available. This is something that is + in Netscape SDK v4.1; I don't know about other libraries. */ + +@@ -461,31 +472,31 @@ if (lcp == NULL) + #ifdef LDAP_OPT_X_TLS_CACERTFILE + if (eldap_ca_cert_file != NULL) + { +- ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file); ++ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file); + } + #endif + #ifdef LDAP_OPT_X_TLS_CACERTDIR + if (eldap_ca_cert_dir != NULL) + { +- ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir); ++ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir); + } + #endif + #ifdef LDAP_OPT_X_TLS_CERTFILE + if (eldap_cert_file != NULL) + { +- ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file); ++ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file); + } + #endif + #ifdef LDAP_OPT_X_TLS_KEYFILE + if (eldap_cert_key != NULL) + { +- ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key); ++ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key); + } + #endif + #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE + if (eldap_cipher_suite != NULL) + { +- 
ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite); ++ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite); + } + #endif + #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT +@@ -508,8 +519,26 @@ if (lcp == NULL) + { + cert_option = LDAP_OPT_X_TLS_TRY; + } +- /* Use NULL ldap handle because is a global option */ +- ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option); ++ /* This ldap handle is set at compile time based on client libs. Older ++ * versions want it to be global and newer versions can force a reload ++ * of the TLS context (to reload these settings we are changing from the ++ * default that loaded at instantiation). */ ++ rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option); ++ if (rc) ++ { ++ DEBUG(D_lookup) ++ debug_printf("Unable to set TLS require cert_option(%d) globally: %s\n", ++ cert_option, ldap_err2string(rc)); ++ } ++ } ++ #endif ++ #ifdef LDAP_OPT_X_TLS_NEWCTX ++ rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server); ++ if (rc) ++ { ++ DEBUG(D_lookup) ++ debug_printf("Unable to reload TLS context %d: %s\n", ++ rc, ldap_err2string(rc)); + } + #endif + +-- +1.6.3.2 + diff --git a/debian/patches/77_close-the-server-side-of-TLS.diff b/debian/patches/77_close-the-server-side-of-TLS.diff new file mode 100644 index 0000000..ca7c9bb --- /dev/null +++ b/debian/patches/77_close-the-server-side-of-TLS.diff 
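Review bot: A failure of the two new `ldap_set_option` calls is only DEBUG-logged and execution falls through, so when `LDAP_OPT_X_TLS_REQUIRE_CERT` or `LDAP_OPT_X_TLS_NEWCTX` cannot be applied the connection (and whatever TLS start follows, outside this hunk) proceeds with the library's default certificate policy, silently weaker than the `ldap_require_cert` setting the administrator configured; the CA/cert/key/cipher `ldap_set_option` calls earlier in the same hunk have their return values ignored as well. Since a `goto RETURN_ERROR` path is visible in the context at the top of the second hunk, a failed set of these TLS options should take it after recording the error, e.g. `if (rc != LDAP_SUCCESS) { *errmsg = string_sprintf("failed to set LDAP TLS option: %s", ldap_err2string(rc)); goto RETURN_ERROR; }` (the error-message variable is not visible here, so adapt to what the function actually uses). Minor: in the `LDAP_OPT_X_TLS_NEWCTX` branch `LDAP *ldsetctx;` stays uninitialised until the assignment after ldap_initialize; initialising it to NULL in both branches costs nothing and keeps the later `ldap_set_option(ldsetctx, ...)` calls from reading garbage if any init path skips that assignment. The function containing these hunks starts and ends outside them.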
@@ -0,0 +1,40 @@ +From a400eccf287c55558ae7197c831828cf10b0a35c Mon Sep 17 00:00:00 2001 +From: Tony Finch <dot@dotat.at> +Date: Tue, 5 Nov 2013 12:18:02 +0000 +Subject: [PATCH 2/8] Correctly close the server side of TLS when forking for + delivery. + +--- + src/daemon.c | 2 +- + src/exim.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/daemon.c b/src/daemon.c +index 3467f14..8e61dcf 100644 +--- a/src/daemon.c ++++ b/src/daemon.c +@@ -639,7 +639,7 @@ if (pid == 0) + the data structures if necessary. */ + + #ifdef SUPPORT_TLS +- tls_close(FALSE, FALSE); ++ tls_close(TRUE, FALSE); + #endif + + /* Reset SIGHUP and SIGCHLD in the child in both cases. */ +diff --git a/src/exim.c b/src/exim.c +index a715c0b..856e655 100644 +--- a/src/exim.c ++++ b/src/exim.c +@@ -526,7 +526,7 @@ close_unwanted(void) + if (smtp_input) + { + #ifdef SUPPORT_TLS +- tls_close(FALSE, FALSE); /* Shut down the TLS library */ ++ tls_close(TRUE, FALSE); /* Shut down the TLS library */ + #endif + (void)close(fileno(smtp_in)); + (void)close(fileno(smtp_out)); +-- +1.7.10.4 + diff --git a/debian/patches/series b/debian/patches/series index 57dd216..7cac351 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -8,3 +8,6 @@ 66_enlarge-dh-parameters-size.dpatch 67_unnecessaryCopt.diff 70_remove_exim-users_references.dpatch +75_unbind-ldap-connection.diff +76_fix_ldap_option_setting.diff +77_close-the-server-side-of-TLS.diff |
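Review bot: Both call sites now read `tls_close(TRUE, FALSE);` with nothing saying what the two literals select, and the only explanation of why the first one flipped is the commit subject; these are the lines a future reader will land on when a fork child tears down the parent's TLS session or leaks its own, so each call deserves a comment. Assuming tls_close's first argument selects the server-side TLS state and the second controls sending a close-notify (the prototype is outside this hunk, so confirm), something like `tls_close(TRUE, FALSE); /* free the inherited server-side TLS state; no close-notify, the parent still owns the session */` states both choices. The `if (pid == 0)` block in daemon.c and close_unwanted() in exim.c both start and end outside the hunks.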