-rw-r--r--debian/changelog4
-rw-r--r--debian/patches/30_dontoverridecflags.dpatch17
-rwxr-xr-xdebian/patches/31_eximmanpage.dpatch80
-rwxr-xr-xdebian/patches/32_exim4.dpatch66
-rwxr-xr-xdebian/patches/34_eximstatsmanpage.dpatch19
-rwxr-xr-xdebian/patches/35_install.dpatch25
-rw-r--r--debian/patches/50_localscan_dlopen.dpatch85
-rwxr-xr-xdebian/patches/60_convert4r4.dpatch17
-rwxr-xr-xdebian/patches/66_enlarge-dh-parameters-size.dpatch23
-rw-r--r--debian/patches/75_openssl_sni.diff30
-rw-r--r--debian/patches/76_tls_dh_min_bits.diff186
-rw-r--r--debian/patches/77_docsfortls_dh_min_bits.diff33
-rw-r--r--debian/patches/78_pkcs11_init.diff38
-rw-r--r--debian/patches/84_CVE-2012-5671.patch37
-rw-r--r--debian/patches/85_server_set_id_SPA.diff73
-rw-r--r--debian/patches/86_Dovecot-robustness.diff308
-rw-r--r--debian/patches/87_localinjected_mimeacl.diff32
-rw-r--r--debian/patches/series9
18 files changed, 160 insertions, 922 deletions
diff --git a/debian/changelog b/debian/changelog
index 50f01b4..0d902e6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,10 @@ exim4 (4.82~rc1-1) UNRELEASED; urgency=low
* New upstream version.
* Upload to experimental.
+ * Drop unnecessary patches (30_dontoverridecflags.dpatch
+ 75_openssl_sni.diff 76_tls_dh_min_bits.diff 77_docsfortls_dh_min_bits.diff
+ 78_pkcs11_init.diff 84_CVE-2012-5671.patch 85_server_set_id_SPA.diff
+ 86_Dovecot-robustness.diff 87_localinjected_mimeacl.diff), unfuzz patches.
-- Andreas Metzler <ametzler@debian.org> Sat, 28 Sep 2013 13:13:38 +0200
diff --git a/debian/patches/30_dontoverridecflags.dpatch b/debian/patches/30_dontoverridecflags.dpatch
deleted file mode 100644
index a2b3781..0000000
--- a/debian/patches/30_dontoverridecflags.dpatch
+++ /dev/null
@@ -1,17 +0,0 @@
-Description: Stop unconditional override of CFLAGS.
-Author: Andreas Metzler <ametzler@downhill.at.eu.org>
-Last-Update: 2011-01-23
-Forwarded: not-needed (upstream wants to keep non-GNU make compat)
-
-diff -NurBbp a/OS/Makefile-Linux b/OS/Makefile-Linux
---- a/OS/Makefile-Linux 2011-01-23 11:50:26.000000000 +0100
-+++ b/OS/Makefile-Linux 2011-01-23 13:30:41.000000000 +0100
-@@ -10,7 +10,7 @@ CHOWN_COMMAND=look_for_it
- CHGRP_COMMAND=look_for_it
- CHMOD_COMMAND=look_for_it
-
--CFLAGS=-O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE
-+CFLAGS ?= -O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE
- CFLAGS_DYNAMIC=-shared -rdynamic
-
- DBMLIB = -ldb
diff --git a/debian/patches/31_eximmanpage.dpatch b/debian/patches/31_eximmanpage.dpatch
index 7409aef..3396966 100755
--- a/debian/patches/31_eximmanpage.dpatch
+++ b/debian/patches/31_eximmanpage.dpatch
@@ -2,12 +2,11 @@ Description: We ship the binary as exim4 instead of exim, fix manpage
accordingly.
Author: Marc Haber <mh+debian-packages@zugschlus.de>,
Andreas Metzler <ametzler@downhill.at.eu.org>
-Last-Update: 2011-01-23
+Last-Update: 2013-09-28
Forwarded: not-needed (upstream uses the "exim" name)
-diff -NurbBp a/doc/exim.8 b/doc/exim.8
---- a/doc/exim.8 2011-01-23 12:08:08.000000000 +0100
-+++ b/doc/exim.8 2011-01-23 13:39:01.000000000 +0100
+--- exim4-4.82~rc1.orig/doc/exim.8
++++ exim4-4.82~rc1/doc/exim.8
@@ -1,9 +1,9 @@
-.TH EXIM 8
+.TH EXIM4 8
@@ -30,24 +29,18 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
<message content, including all the header lines>
CTRL-D
.sp
-@@ -118,12 +118,10 @@ By default, Exim listens for incoming co
- all the host's running interfaces. However, it is possible to listen on other
- ports, on multiple ports, and only on specific interfaces.
+@@ -125,8 +125,8 @@ ports, on multiple ports, and only on sp
.sp
--When a listening daemon
--is started without the use of \fB\-oX\fP (that is, without overriding the normal
+ When a listening daemon
+ is started without the use of \fB\-oX\fP (that is, without overriding the normal
-configuration), it writes its process id to a file called exim\-daemon.pid
-in Exim's spool directory. This location can be overridden by setting
--PID_FILE_PATH in Local/Makefile. The file is written while Exim is still
--running as root.
-+When a listening daemon is started without the use of \fB\-oX\fP (that
-+is, without overriding the normal configuration), it writes its
-+process id to a file called /var/run/exim4/exim.pid. The file is
-+written while Exim is still running as root.
- .sp
- When \fB\-oX\fP is used on the command line to start a listening daemon, the
- process id is not written to the normal pid file path. However, \fB\-oP\fP can be
-@@ -170,7 +168,7 @@ of lookups, you will just get the same r
++configuration), it writes its process id to a file called
++/var/run/exim4/exim.pid. This location can be overridden by setting
+ PID_FILE_PATH in Local/Makefile. The file is written while Exim is still
+ running as root.
+ .sp
+@@ -175,7 +175,7 @@ of lookups, you will just get the same r
This option operates like \fB\-be\fP except that it must be followed by the name
of a file. For example:
.sp
@@ -56,7 +49,7 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
.sp
The file is read as a message (as if receiving a locally\-submitted non\-SMTP
message) before any of the test expansions are done. Thus, message\-specific
-@@ -196,7 +194,7 @@ If you want to test a system filter file
+@@ -201,7 +201,7 @@ If you want to test a system filter file
can use both \fB\-bF\fP and \fB\-bf\fP on the same command, in order to test a system
filter and a user filter in the same run. For example:
.sp
@@ -65,7 +58,7 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
.sp
This is helpful when the system filter adds header lines or sets filter
variables that are used by the user filter.
-@@ -248,8 +246,8 @@ This option runs a fake SMTP session as
+@@ -253,8 +253,8 @@ This option runs a fake SMTP session as
standard input and output. The IP address may include a port number at the end,
after a full stop. For example:
.sp
@@ -76,7 +69,7 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
.sp
When an IPv6 address is given, it is converted into canonical form. In the case
of the second example above, the value of \fI$sender_host_address\fP after
-@@ -370,7 +368,7 @@ main configuration options to be written
+@@ -411,7 +411,7 @@ main configuration options to be written
of one or more specific options can be requested by giving their names as
arguments, for example:
.sp
@@ -85,7 +78,7 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
.sp
However, any option setting that is preceded by the word "hide" in the
configuration file is not shown in full, except to an admin user. For other
-@@ -391,7 +389,7 @@ written directly into the spool director
+@@ -434,7 +434,7 @@ written directly into the spool director
.sp
If \fB\-bP\fP is followed by a name preceded by +, for example,
.sp
@@ -94,7 +87,7 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
.sp
it searches for a matching named list of any type (domain, host, address, or
local part) and outputs what it finds.
-@@ -400,7 +398,7 @@ If one of the words \fBrouter\fP, \fBtra
+@@ -443,7 +443,7 @@ If one of the words \fBrouter\fP, \fBtra
followed by the name of an appropriate driver instance, the option settings for
that driver are output. For example:
.sp
@@ -103,7 +96,7 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
.sp
The generic driver options are output first, followed by the driver's private
options. A list of the names of drivers of a particular type can be obtained by
-@@ -479,7 +477,7 @@ This option is for testing retry rules,
+@@ -522,7 +522,7 @@ This option is for testing retry rules,
arguments. It causes Exim to look for a retry rule that matches the values
and to write it to the standard output. For example:
.sp
@@ -112,7 +105,7 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
Retry rule: *.comp.mus.example F,2h,15m; F,4d,30m;
.sp
The first
-@@ -492,7 +490,7 @@ rule is found that matches the host, one
+@@ -535,7 +535,7 @@ rule is found that matches the host, one
sought. Finally, an argument that is the name of a specific delivery error, as
used in setting up retry rules, can be given. For example:
.sp
@@ -121,7 +114,25 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
Retry rule: *@haydn.comp.mus.example quota_3d F,1h,15m
.TP 10
\fB\-brw\fP
-@@ -734,14 +732,14 @@ command line item. \fB\-D\fP can be used
+@@ -638,7 +638,7 @@ doing such tests.
+ .TP 10
+ \fB\-bV\fP
+ This option causes Exim to write the current version number, compilation
+-number, and compilation date of the \fIexim\fP binary to the standard output.
++number, and compilation date of the \fIexim4\fP binary to the standard output.
+ It also lists the DBM library that is being used, the optional modules (such as
+ specific lookup types), the drivers that are included in the binary, and the
+ name of the run time configuration file that is in use.
+@@ -666,7 +666,7 @@ If no arguments are given, Exim runs in
+ right angle bracket for addresses to be verified.
+ .sp
+ Unlike the \fB\-be\fP test option, you cannot arrange for Exim to use the
+-readline() function, because it is running as \fIexim\fP and there are
++readline() function, because it is running as \fIexim4\fP and there are
+ security issues.
+ .sp
+ Verification differs from address testing (the \fB\-bt\fP option) in that routers
+@@ -779,14 +779,14 @@ command line item. \fB\-D\fP can be used
string, in which case the equals sign is optional. These two commands are
synonymous:
.sp
@@ -139,7 +150,7 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
.sp
\fB\-D\fP may be repeated up to 10 times on a command line.
.TP 10
-@@ -870,8 +868,8 @@ never provoke a bounce. An empty sender
+@@ -915,8 +915,8 @@ never provoke a bounce. An empty sender
string, or as a pair of angle brackets with nothing between them, as in these
examples of shell commands:
.sp
@@ -150,7 +161,7 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
.sp
In addition, the use of \fB\-f\fP is not restricted when testing a filter file
with \fB\-bf\fP or when testing or verifying addresses using the \fB\-bt\fP or
-@@ -1206,12 +1204,12 @@ other circumstances, they are ignored un
+@@ -1267,12 +1267,12 @@ other circumstances, they are ignored un
The \fB\-oMa\fP option sets the sender host address. This may include a port
number at the end, after a full stop (period). For example:
.sp
@@ -165,7 +176,7 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
.sp
The IP address is placed in the \fI$sender_host_address\fP variable, and the
port, if present, in \fI$sender_host_port\fP. If both \fB\-oMa\fP and \fB\-bh\fP
-@@ -1397,13 +1395,13 @@ When scanning the queue, Exim can be mad
+@@ -1458,13 +1458,13 @@ When scanning the queue, Exim can be mad
lexically less than a given value by following the \fB\-q\fP option with a
starting message id. For example:
.sp
@@ -181,7 +192,7 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
.sp
just one delivery process is started, for that message. This differs from
\fB\-M\fP in that retry data is respected, and it also differs from \fB\-Mc\fP in
-@@ -1419,7 +1417,7 @@ starting a queue runner process at inter
+@@ -1480,7 +1480,7 @@ starting a queue runner process at inter
single daemon process handles both functions. A common way of starting up a
combined daemon at system boot time is to use a command such as
.sp
@@ -190,7 +201,7 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
.sp
Such a daemon listens for incoming SMTP calls, and also starts a queue runner
process every 30 minutes.
-@@ -1450,7 +1448,7 @@ regular expression; otherwise it is a li
+@@ -1511,7 +1511,7 @@ regular expression; otherwise it is a li
If you want to do periodic queue runs for messages with specific recipients,
you can combine \fB\-R\fP with \fB\-q\fP and a time value. For example:
.sp
@@ -199,8 +210,8 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
.sp
This example does a queue run for messages with recipients in the given domain
every 25 minutes. Any additional flags that are specified with \fB\-q\fP are
-@@ -1556,6 +1554,27 @@ this option.
- .sp
+@@ -1620,6 +1620,26 @@ This option is interpreted by Sendmail t
+ to the named file. It is ignored by Exim.
.
.SH "SEE ALSO"
+.BR exicyclog (8),
@@ -226,4 +237,3 @@ diff -NurbBp a/doc/exim.8 b/doc/exim.8
+.SH AUTHOR
+This manual page was provided with the upstream Exim source package.
+It was enhanced for the Debian GNU/Linux system.
-+
diff --git a/debian/patches/32_exim4.dpatch b/debian/patches/32_exim4.dpatch
index 5870be3..84b39a1 100755
--- a/debian/patches/32_exim4.dpatch
+++ b/debian/patches/32_exim4.dpatch
@@ -1,11 +1,12 @@
-## 32_exim4.dpatch by Andreas Metzler
+Description: Accomodate source for installing exim as exim4.
+Author: Andreas Metzler <ametzler@debian.org>
+Origin: vendor
+Forwarded: not-needed
+Last-Update: 2013-09-28
-## DP: The main binary is installed as /usr/sbin/exim4
-
-diff -NurBbp exim-4.71.orig/OS/Makefile-Linux exim-4.71/OS/Makefile-Linux
---- exim-4.71.orig/OS/Makefile-Linux 2009-11-28 10:52:23.000000000 +0100
-+++ exim-4.71/OS/Makefile-Linux 2009-11-28 10:53:07.000000000 +0100
-@@ -24,9 +24,9 @@ XLFLAGS=-L$(X11)/lib
+--- exim4-4.82~rc1.orig/OS/Makefile-Linux
++++ exim4-4.82~rc1/OS/Makefile-Linux
+@@ -28,9 +28,9 @@ XLFLAGS=-L$(X11)/lib
X11_LD_LIB=$(X11)/lib
EXIWHAT_PS_ARG=ax
@@ -17,10 +18,9 @@ diff -NurBbp exim-4.71.orig/OS/Makefile-Linux exim-4.71/OS/Makefile-Linux
EXIWHAT_KILL_SIGNAL=-USR1
# End
-diff -NurBbp exim-4.71.orig/src/exicyclog.src exim-4.71/src/exicyclog.src
---- exim-4.71.orig/src/exicyclog.src 2009-11-16 20:50:36.000000000 +0100
-+++ exim-4.71/src/exicyclog.src 2009-11-28 10:53:07.000000000 +0100
-@@ -145,7 +145,7 @@ done
+--- exim4-4.82~rc1.orig/src/exicyclog.src
++++ exim4-4.82~rc1/src/exicyclog.src
+@@ -144,7 +144,7 @@ done
st=' '
exim_path=`grep "^[$st]*exim_path" $config | sed "s/.*=[$st]*//"`
@@ -29,10 +29,9 @@ diff -NurBbp exim-4.71.orig/src/exicyclog.src exim-4.71/src/exicyclog.src
spool_directory=`$exim_path -C $config -bP spool_directory | sed 's/.*=[ ]*//'`
-diff -NurBbp exim-4.71.orig/src/exim_checkaccess.src exim-4.71/src/exim_checkaccess.src
---- exim-4.71.orig/src/exim_checkaccess.src 2009-11-16 20:50:36.000000000 +0100
-+++ exim-4.71/src/exim_checkaccess.src 2009-11-28 10:55:19.000000000 +0100
-@@ -53,7 +53,7 @@ done
+--- exim4-4.82~rc1.orig/src/exim_checkaccess.src
++++ exim4-4.82~rc1/src/exim_checkaccess.src
+@@ -52,7 +52,7 @@ done
# a tab to keep the tab in one place.
exim_path=`perl -ne 'chop;if (/^\s*exim_path\s*=\s*(.*)/){print "$1\n";last;}' $config`
@@ -41,10 +40,9 @@ diff -NurBbp exim-4.71.orig/src/exim_checkaccess.src exim-4.71/src/exim_checkacc
#########################################################################
-diff -NurBbp exim-4.71.orig/src/eximon.src exim-4.71/src/eximon.src
---- exim-4.71.orig/src/eximon.src 2004-10-07 12:39:01.000000000 +0200
-+++ exim-4.71/src/eximon.src 2009-11-28 10:53:07.000000000 +0100
-@@ -66,7 +66,7 @@ config=${EXIMON_EXIM_CONFIG-$config}
+--- exim4-4.82~rc1.orig/src/eximon.src
++++ exim4-4.82~rc1/src/eximon.src
+@@ -72,7 +72,7 @@ config=${EXIMON_EXIM_CONFIG-$config}
st=' '
EXIM_PATH=`grep "^[$st]*exim_path" $config | sed "s/.*=[$st]*//"`
@@ -53,10 +51,9 @@ diff -NurBbp exim-4.71.orig/src/eximon.src exim-4.71/src/eximon.src
SPOOL_DIRECTORY=`$EXIM_PATH -C $config -bP spool_directory | sed 's/.*=[ ]*//'`
LOG_FILE_PATH=`$EXIM_PATH -C $config -bP log_file_path | sed 's/.*=[ ]*//'`
-diff -NurBbp exim-4.71.orig/src/exinext.src exim-4.71/src/exinext.src
---- exim-4.71.orig/src/exinext.src 2009-11-16 20:50:36.000000000 +0100
-+++ exim-4.71/src/exinext.src 2009-11-28 10:53:07.000000000 +0100
-@@ -91,7 +91,7 @@ if [ "$exim_path" = "" ]; then
+--- exim4-4.82~rc1.orig/src/exinext.src
++++ exim4-4.82~rc1/src/exinext.src
+@@ -90,7 +90,7 @@ if [ "$exim_path" = "" ]; then
exim_path=`grep "^[$st]*exim_path" $config | sed "s/.*=[$st]*//"`
fi
@@ -65,7 +62,7 @@ diff -NurBbp exim-4.71.orig/src/exinext.src exim-4.71/src/exinext.src
spool_directory=`$exim_path $eximmacdef -C $config -bP spool_directory | sed 's/.*=[ ]*//'`
qualify_domain=`$exim_path $eximmacdef -C $config -bP qualify_domain | sed 's/.*=[ ]*//'`
-@@ -172,7 +172,7 @@ perl - $exim_path "$eximmacdef" $argone
+@@ -171,7 +171,7 @@ perl - $exim_path "$eximmacdef" $argone
# Run exim_dumpdb to get out the retry data and pick off what we want
@@ -74,10 +71,9 @@ diff -NurBbp exim-4.71.orig/src/exinext.src exim-4.71/src/exinext.src
die "can't run exim_dumpdb";
while (<DATA>)
-diff -NurBbp exim-4.71.orig/src/exiqgrep.src exim-4.71/src/exiqgrep.src
---- exim-4.71.orig/src/exiqgrep.src 2004-10-07 12:39:01.000000000 +0200
-+++ exim-4.71/src/exiqgrep.src 2009-11-28 10:53:07.000000000 +0100
-@@ -22,7 +22,7 @@ use strict;
+--- exim4-4.82~rc1.orig/src/exiqgrep.src
++++ exim4-4.82~rc1/src/exiqgrep.src
+@@ -21,7 +21,7 @@ use strict;
use Getopt::Std;
# Have this variable point to your exim binary.
@@ -86,10 +82,9 @@ diff -NurBbp exim-4.71.orig/src/exiqgrep.src exim-4.71/src/exiqgrep.src
my $eargs = '-bpu';
my %id;
my %opt;
-diff -NurBbp exim-4.71.orig/src/exiwhat.src exim-4.71/src/exiwhat.src
---- exim-4.71.orig/src/exiwhat.src 2009-11-16 20:50:36.000000000 +0100
-+++ exim-4.71/src/exiwhat.src 2009-11-28 10:53:07.000000000 +0100
-@@ -89,7 +89,7 @@ fi
+--- exim4-4.82~rc1.orig/src/exiwhat.src
++++ exim4-4.82~rc1/src/exiwhat.src
+@@ -88,7 +88,7 @@ fi
st=' '
exim_path=`grep "^[$st]*exim_path" $config | sed "s/.*=[$st]*//"`
@@ -98,10 +93,9 @@ diff -NurBbp exim-4.71.orig/src/exiwhat.src exim-4.71/src/exiwhat.src
spool_directory=`$exim_path -C $config -bP spool_directory | sed "s/.*=[ ]*//"`
process_log_path=`$exim_path -C $config -bP process_log_path | sed "s/.*=[ ]*//"`
-diff -NurBbp exim-4.71.orig/src/globals.c exim-4.71/src/globals.c
---- exim-4.71.orig/src/globals.c 2009-11-16 20:50:37.000000000 +0100
-+++ exim-4.71/src/globals.c 2009-11-28 10:53:07.000000000 +0100
-@@ -569,7 +569,7 @@ int errors_sender_rc = EXIT_FA
+--- exim4-4.82~rc1.orig/src/globals.c
++++ exim4-4.82~rc1/src/globals.c
+@@ -633,7 +633,7 @@ int errors_sender_rc = EXIT_FA
gid_t exim_gid = EXIM_GID;
BOOL exim_gid_set = TRUE; /* This gid is always set */
diff --git a/debian/patches/34_eximstatsmanpage.dpatch b/debian/patches/34_eximstatsmanpage.dpatch
index 592eb8c..3245965 100755
--- a/debian/patches/34_eximstatsmanpage.dpatch
+++ b/debian/patches/34_eximstatsmanpage.dpatch
@@ -1,14 +1,13 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 34_eximstatsmanpage.dpatch by Andreas Metzler <ametzler@downhill.at.eu.org>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Add note about installing perl-modules on Debian to
-## DP: generated manpage
+Description: Add note about installing perl-modules on Debian to
+ generated manpage
+Author: Andreas Metzler <ametzler@debian.org>
+Origin: vendor
+Forwarded: not-needed
+Last-Update: 2013-09-28
-diff -NurbBp exim.orig/src/eximstats.src exim/src/eximstats.src
---- exim.orig/src/eximstats.src 2009-10-19 14:26:34.000000000 +0200
-+++ exim/src/eximstats.src 2009-11-15 12:16:19.000000000 +0100
-@@ -500,6 +500,10 @@ To install these, download and unpack th
+--- exim4-4.82~rc1.orig/src/eximstats.src
++++ exim4-4.82~rc1/src/eximstats.src
+@@ -501,6 +501,10 @@ To install these, download and unpack th
make test
make install
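Review bot: The hunk removes the `#! /bin/sh /usr/share/dpatch/dpatch-run` interpreter line, but the index line above it still shows the file at mode 100755 and it keeps the `.dpatch` name, so what remains is an executable file with no interpreter and a misleading extension. The same applies to 35_install.dpatch, 60_convert4r4.dpatch and 66_enlarge-dh-parameters-size.dpatch, whose index lines also show 100755 while their shebang is dropped (31_eximmanpage.dpatch and 32_exim4.dpatch are 100755 too). Clearing the executable bit, and optionally renaming to `.patch` with a matching update to debian/patches/series, would complete the conversion to plain DEP-3 patches.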
diff --git a/debian/patches/35_install.dpatch b/debian/patches/35_install.dpatch
index e7b7471..b926110 100755
--- a/debian/patches/35_install.dpatch
+++ b/debian/patches/35_install.dpatch
@@ -1,14 +1,13 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 35_install.dpatch by Andreas Metzler
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Exim's installation scripts install the binary as exim-<version>
-## DP: - disable this feature.
+Description: Exim's installation scripts install the binary as
+ exim-<version> - disable this feature.
+Author: Andreas Metzler <ametzler@debian.org>
+Origin: vendor
+Forwarded: not-needed
+Last-Update: 2013-09-28
-diff -NurbBp exim.orig/scripts/exim_install exim/scripts/exim_install
---- exim.orig/scripts/exim_install 2009-10-30 16:14:04.000000000 +0100
-+++ exim/scripts/exim_install 2009-11-15 12:16:39.000000000 +0100
-@@ -218,8 +218,9 @@ while [ $# -gt 0 ]; do
+--- exim4-4.82~rc1.orig/scripts/exim_install
++++ exim4-4.82~rc1/scripts/exim_install
+@@ -217,8 +217,9 @@ while [ $# -gt 0 ]; do
# The exim binary is handled specially
if [ $name = exim${EXE} ]; then
@@ -20,7 +19,7 @@ diff -NurbBp exim.orig/scripts/exim_install exim/scripts/exim_install
if [ "${version}" = "exim-${EXE}" ]; then
echo $com ""
-@@ -369,10 +370,8 @@ done
+@@ -368,10 +369,8 @@ done
@@ -33,7 +32,7 @@ diff -NurbBp exim.orig/scripts/exim_install exim/scripts/exim_install
# However, if CONFIGURE_FILE specifies a list of files, skip this code.
-@@ -395,7 +394,7 @@ elif [ ! -f ${CONFIGURE_FILE} ]; then
+@@ -394,7 +393,7 @@ elif [ ! -f ${CONFIGURE_FILE} ]; then
${real} ${MKDIR} -p `${DIRNAME} ${CONFIGURE_FILE}`
echo sed -e '\\'
@@ -42,7 +41,7 @@ diff -NurbBp exim.orig/scripts/exim_install exim/scripts/exim_install
echo " ../src/configure.default > \${CONFIGURE_FILE}"
# I can't find a way of writing this using the ${real} feature because
-@@ -404,7 +403,7 @@ elif [ ! -f ${CONFIGURE_FILE} ]; then
+@@ -403,7 +402,7 @@ elif [ ! -f ${CONFIGURE_FILE} ]; then
if [ "$real" = "" ] ; then
sed -e \
diff --git a/debian/patches/50_localscan_dlopen.dpatch b/debian/patches/50_localscan_dlopen.dpatch
index 65540b9..8910e7a 100644
--- a/debian/patches/50_localscan_dlopen.dpatch
+++ b/debian/patches/50_localscan_dlopen.dpatch
@@ -1,28 +1,19 @@
## 50_localscan_dlopen.dpatch by Marc MERLIN
-## DP: Allow to use and switch between different local_scan functions without
-## DP: recompiling exim.
-## DP: http://marc.merlins.org/linux/exim/files/sa-exim-current/
-## DP: Original patch from David Woodhouse, modified first by Derrick 'dman'
-## DP: Hudson and then by Marc MERLIN for SA-Exim and minor/major API version
-## DP: tracking
-diff -NurBbp exim-4.80.orig/src/config.h.defaults exim-4.80/src/config.h.defaults
---- exim-4.80.orig/src/config.h.defaults 2012-05-21 06:32:11.000000000 +0200
-+++ exim-4.80/src/config.h.defaults 2012-05-21 19:31:11.000000000 +0200
-@@ -27,6 +27,8 @@ it's a default value. */
-
- #define AUTH_VARS 3
-
-+#define DLOPEN_LOCAL_SCAN
-+
- #define BIN_DIRECTORY
-
- #define CONFIGURE_FILE
-diff -NurBbp exim-4.80.orig/src/EDITME exim-4.80/src/EDITME
---- exim-4.80.orig/src/EDITME 2012-05-21 06:32:11.000000000 +0200
-+++ exim-4.80/src/EDITME 2012-05-21 19:31:11.000000000 +0200
-@@ -736,6 +736,21 @@ HEADERS_CHARSET="ISO-8859-1"
+Description: Allow to use and switch between different local_scan functions
+ without recompiling exim.
+ http://marc.merlins.org/linux/exim/files/sa-exim-current/ Original patch from
+ David Woodhouse, modified first by Derrick 'dman' Hudson and then by Marc
+ MERLIN for SA-Exim and minor/major API version tracking
+Author: David Woodhouse, Derrick 'dman' Hudson, Marc MERLIN
+Origin: other, http://marc.merlins.org/linux/exim/files/sa-exim-current/
+Forwarded: no
+Last-Update: 2013-09-28
+
+--- exim4-4.82~rc1.orig/src/EDITME
++++ exim4-4.82~rc1/src/EDITME
+@@ -752,6 +752,21 @@ HEADERS_CHARSET="ISO-8859-1"
#------------------------------------------------------------------------------
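Review bot: The refreshed DEP-3 header explains the mechanism (switching `local_scan` implementations without recompiling) but says nothing about the trust boundary of the `local_scan_path` option this patch introduces; judging by the patch name this is presumably a dlopen of an administrator-named shared object into the exim process, which deserves one sentence in the Description. Something like `The object named by local_scan_path is loaded into the running exim process, so the file and its directory need the same ownership and write-protection as the exim configuration itself.` would tell a reader why the option is trusted-admin-only. The parts of the patch that declare the global and register the option are in later hunks of this file, and the option line itself is not within the shown context.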
@@ -44,23 +35,32 @@ diff -NurBbp exim-4.80.orig/src/EDITME exim-4.80/src/EDITME
# The default distribution of Exim contains only the plain text form of the
# documentation. Other forms are available separately. If you want to install
# the documentation in "info" format, first fetch the Texinfo documentation
-diff -NurBbp exim-4.80.orig/src/globals.c exim-4.80/src/globals.c
---- exim-4.80.orig/src/globals.c 2012-05-21 19:29:24.000000000 +0200
-+++ exim-4.80/src/globals.c 2012-05-21 19:31:11.000000000 +0200
-@@ -129,6 +129,9 @@ uschar *tls_verify_certificates= NULL;
- uschar *tls_verify_hosts = NULL;
- #endif
+--- exim4-4.82~rc1.orig/src/config.h.defaults
++++ exim4-4.82~rc1/src/config.h.defaults
+@@ -27,6 +27,8 @@ it's a default value. */
+
+ #define AUTH_VARS 3
+
++#define DLOPEN_LOCAL_SCAN
++
+ #define BIN_DIRECTORY
+
+ #define CONFIGURE_FILE
+--- exim4-4.82~rc1.orig/src/globals.c
++++ exim4-4.82~rc1/src/globals.c
+@@ -116,6 +116,9 @@ tls_support tls_out = {
+ NULL /* tls_sni */
+ };
+#ifdef DLOPEN_LOCAL_SCAN
+uschar *local_scan_path = NULL;
+#endif
- /* Input-reading functions for messages, so we can use special ones for
- incoming TCP/IP. The defaults use stdin. We never need these for any
-diff -NurBbp exim-4.80.orig/src/globals.h exim-4.80/src/globals.h
---- exim-4.80.orig/src/globals.h 2012-05-21 06:32:11.000000000 +0200
-+++ exim-4.80/src/globals.h 2012-05-21 19:31:11.000000000 +0200
-@@ -108,6 +108,9 @@ extern uschar *tls_verify_certificates;/
+ #ifdef SUPPORT_TLS
+ BOOL gnutls_compat_mode = FALSE;
+--- exim4-4.82~rc1.orig/src/globals.h
++++ exim4-4.82~rc1/src/globals.h
+@@ -113,6 +113,9 @@ extern uschar *tls_verify_certificates;/
extern uschar *tls_verify_hosts; /* Mandatory client verification */
#endif
@@ -70,9 +70,8 @@ diff -NurBbp exim-4.80.orig/src/globals.h exim-4.80/src/globals.h
/* Input-reading functions for messages, so we can use special ones for
incoming TCP/IP. */
-diff -NurBbp exim-4.80.orig/src/local_scan.c exim-4.80/src/local_scan.c
---- exim-4.80.orig/src/local_scan.c 2012-05-21 06:32:11.000000000 +0200
-+++ exim-4.80/src/local_scan.c 2012-05-21 19:31:11.000000000 +0200
+--- exim4-4.82~rc1.orig/src/local_scan.c
++++ exim4-4.82~rc1/src/local_scan.c
@@ -5,60 +5,131 @@
/* Copyright (c) University of Cambridge 1995 - 2009 */
/* See the file NOTICE for conditions of use and distribution. */
@@ -252,9 +251,8 @@ diff -NurBbp exim-4.80.orig/src/local_scan.c exim-4.80/src/local_scan.c
+#endif /* DLOPEN_LOCAL_SCAN */
+
/* End of local_scan.c */
-diff -NurBbp exim-4.80.orig/src/local_scan.h exim-4.80/src/local_scan.h
---- exim-4.80.orig/src/local_scan.h 2012-05-21 06:32:11.000000000 +0200
-+++ exim-4.80/src/local_scan.h 2012-05-21 19:31:11.000000000 +0200
+--- exim4-4.82~rc1.orig/src/local_scan.h
++++ exim4-4.82~rc1/src/local_scan.h
@@ -17,6 +17,7 @@ settings, and the store functions. */
#include <stdarg.h>
@@ -270,10 +268,9 @@ diff -NurBbp exim-4.80.orig/src/local_scan.h exim-4.80/src/local_scan.h
+#pragma GCC visibility pop
+
/* End of local_scan.h */
-diff -NurBbp exim-4.80.orig/src/readconf.c exim-4.80/src/readconf.c
---- exim-4.80.orig/src/readconf.c 2012-05-21 06:32:11.000000000 +0200
-+++ exim-4.80/src/readconf.c 2012-05-21 19:31:11.000000000 +0200
-@@ -276,6 +276,9 @@ static optionlist optionlist_config[] =
+--- exim4-4.82~rc1.orig/src/readconf.c
++++ exim4-4.82~rc1/src/readconf.c
+@@ -286,6 +286,9 @@ static optionlist optionlist_config[] =
{ "local_from_prefix", opt_stringptr, &local_from_prefix },
{ "local_from_suffix", opt_stringptr, &local_from_suffix },
{ "local_interfaces", opt_stringptr, &local_interfaces },
diff --git a/debian/patches/60_convert4r4.dpatch b/debian/patches/60_convert4r4.dpatch
index 913cc83..cafa02d 100755
--- a/debian/patches/60_convert4r4.dpatch
+++ b/debian/patches/60_convert4r4.dpatch
@@ -1,13 +1,12 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 60_convert4r4.dpatch by Marc Haber <mh+debian-packages@zugschlus.de>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
+Description: Add a warning message to convert4r4
+Author: Marc Haber <mh+debian-packages@zugschlus.de>
+Origin: vendor
+Forwarded: no
+Last-Update: 2013-09-28
-diff -NurbBp exim.orig/src/convert4r4.src exim/src/convert4r4.src
---- exim.orig/src/convert4r4.src 2004-10-07 12:39:01.000000000 +0200
-+++ exim/src/convert4r4.src 2009-11-15 12:17:21.000000000 +0100
-@@ -653,6 +653,32 @@ return defined $main{$_[0]} && $main{$_[
+--- exim4-4.82~rc1.orig/src/convert4r4.src
++++ exim4-4.82~rc1/src/convert4r4.src
+@@ -652,6 +652,32 @@ return defined $main{$_[0]} && $main{$_[
print STDERR "Runtime configuration file converter for Exim release 4.\n";
diff --git a/debian/patches/66_enlarge-dh-parameters-size.dpatch b/debian/patches/66_enlarge-dh-parameters-size.dpatch
index 5735933..8ffd66a 100755
--- a/debian/patches/66_enlarge-dh-parameters-size.dpatch
+++ b/debian/patches/66_enlarge-dh-parameters-size.dpatch
@@ -1,16 +1,15 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 66_enlarge-dh-parameters-size.dpatch by Marc Haber <mh+debian-packages@zugschlus.de>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Enlarge default server side size of DH parameters to 2048 from 1024.
-## DP: This patch has no effect if building against gnutls >= 2.12, because
-## DP: exim is using gnutls_sec_param_to_pk_bits() to get correct number
-## DP: of dh_bits when built against newer gnutls-versions.
+Description: Enlarge default server side size of DH parameters to 2048
+ from 1024. This patch has no effect if building against gnutls >= 2.12,
+ because exim is using gnutls_sec_param_to_pk_bits() to get correct number
+ of dh_bits when built against newer gnutls-versions.
+Author: Marc Haber <mh+debian-packages@zugschlus.de>
+Origin: vendor
+Forwarded: no
+Last-Update: 2013-09-28
-diff -NurBbp exim-4.80.orig/src/tls-gnu.c exim-4.80/src/tls-gnu.c
---- exim-4.80.orig/src/tls-gnu.c 2012-05-19 01:17:38.000000000 +0200
-+++ exim-4.80/src/tls-gnu.c 2012-05-20 12:01:24.000000000 +0200
-@@ -159,7 +159,7 @@ callbacks. */
+--- exim4-4.82~rc1.orig/src/tls-gnu.c
++++ exim4-4.82~rc1/src/tls-gnu.c
+@@ -164,7 +164,7 @@ callbacks. */
can ask for a bit-strength. Without that, we stick to the constant we had
before, for now. */
#ifndef EXIM_SERVER_DH_BITS_PRE2_12
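Review bot: The refreshed Description still states that the patch has no effect when exim is built against gnutls >= 2.12, because `gnutls_sec_param_to_pk_bits()` is used there instead of the `EXIM_SERVER_DH_BITS_PRE2_12` constant this hunk touches. If the package's GnuTLS build dependency is already at or above that version (not visible here), the patch is inert and could be dropped together with the others removed in this commit. If an older GnuTLS is still a supported build configuration, a line in the Description saying so would justify keeping it.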
diff --git a/debian/patches/75_openssl_sni.diff b/debian/patches/75_openssl_sni.diff
deleted file mode 100644
index f68cc91..0000000
--- a/debian/patches/75_openssl_sni.diff
+++ /dev/null
@@ -1,30 +0,0 @@
-From 2c9a0e86055f1e86ca5cdde421f5f8c9a48b0194 Mon Sep 17 00:00:00 2001
-From: Phil Pennock <pdp@exim.org>
-Date: Wed, 6 Jun 2012 19:46:40 -0400
-Subject: [PATCH] BUGFIX: forced-fail smtp option tls_sni would dereference
- NULL
-
----
- src/tls-openssl.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/tls-openssl.c b/src/tls-openssl.c
-index 22c0730..17cc721 100644
---- a/src/tls-openssl.c
-+++ b/src/tls-openssl.c
-@@ -1289,7 +1289,11 @@ if (sni)
- {
- if (!expand_check(sni, US"tls_sni", &tls_sni))
- return FAIL;
-- if (!Ustrlen(tls_sni))
-+ if (tls_sni == NULL)
-+ {
-+ DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
-+ }
-+ else if (!Ustrlen(tls_sni))
- tls_sni = NULL;
- else
- {
---
-1.7.10
-
diff --git a/debian/patches/76_tls_dh_min_bits.diff b/debian/patches/76_tls_dh_min_bits.diff
deleted file mode 100644
index 8c9b8a9..0000000
--- a/debian/patches/76_tls_dh_min_bits.diff
+++ /dev/null
@@ -1,186 +0,0 @@
-From 54c90be16587ca315041c964e251f07fc2bcf0e9 Mon Sep 17 00:00:00 2001
-From: Phil Pennock <pdp@exim.org>
-Date: Fri, 1 Jun 2012 05:52:31 -0400
-Subject: [PATCH] tls_dh_min_bits smtp transport option
-
-Could not find an API for use with OpenSSL, so GnuTLS only
----
- src/buildconfig.c | 11 ++++++-----
- src/config.h.defaults | 3 ++-
- src/functions.h | 2 +-
- src/tls-gnu.c | 15 +++++++++++++--
- src/tls-openssl.c | 4 +++-
- src/transports/smtp.c | 9 +++++++--
- src/transports/smtp.h | 3 ++-
- 11 files changed, 70 insertions(+), 13 deletions(-)
-
-diff --git a/src/buildconfig.c b/src/buildconfig.c
-index 62114fc..f3390cb 100644
---- a/src/buildconfig.c
-+++ b/src/buildconfig.c
-@@ -847,16 +847,17 @@ else if (isgroup)
- }
-
- /* how many bits Exim, as a client, demands must be in D-H */
-- /* as of GnuTLS 2.12.x, we ask for "normal" for D-H PK; before that, we
-- specify the number of bits. We've stuck with the historical value, but
-- it can be overridden. */
-- else if ((strcmp(name, "EXIM_CLIENT_DH_MIN_BITS") == 0) ||
-+ /* 1024 is a historical figure; some sites actually use lower, so we
-+ permit the value to be lowered "dangerously" low, but not "insanely"
-+ low. Though actually, 1024 is becoming "dangerous". */
-+ else if ((strcmp(name, "EXIM_CLIENT_DH_MIN_MIN_BITS") == 0) ||
-+ (strcmp(name, "EXIM_CLIENT_DH_DEFAULT_MIN_BITS") == 0) ||
- (strcmp(name, "EXIM_SERVER_DH_BITS_PRE2_12") == 0))
- {
- long nv;
- char *end;
- nv = strtol(value, &end, 10);
-- if (end != value && *end == '\0' && nv >= 1000 && nv < 50000)
-+ if (end != value && *end == '\0' && nv >= 512 && nv < 500000)
- {
- fprintf(new, "%s\n", value);
- }
-diff --git a/src/config.h.defaults b/src/config.h.defaults
-index 92a4cd3..f02aef1 100644
---- a/src/config.h.defaults
-+++ b/src/config.h.defaults
-@@ -49,7 +49,8 @@ it's a default value. */
- #define EXIMDB_LOCK_TIMEOUT 60
- #define EXIMDB_LOCKFILE_MODE 0640
- #define EXIMDB_MODE 0640
--#define EXIM_CLIENT_DH_MIN_BITS
-+#define EXIM_CLIENT_DH_MIN_MIN_BITS 512
-+#define EXIM_CLIENT_DH_DEFAULT_MIN_BITS 1024
- #define EXIM_GNUTLS_LIBRARY_LOG_LEVEL
- #define EXIM_SERVER_DH_BITS_PRE2_12
- #define EXIM_PERL
-diff --git a/src/functions.h b/src/functions.h
-index fa9d558..2758a4a 100644
---- a/src/functions.h
-+++ b/src/functions.h
-@@ -27,7 +27,7 @@ extern const char *
- std_dh_prime_named(const uschar *);
- extern int tls_client_start(int, host_item *, address_item *, uschar *,
- uschar *, uschar *, uschar *, uschar *, uschar *, uschar *,
-- int);
-+ int, int);
- extern void tls_close(BOOL);
- extern int tls_feof(void);
- extern int tls_ferror(void);
-diff --git a/src/tls-gnu.c b/src/tls-gnu.c
-index c8bf634..cf315b6 100644
---- a/src/tls-gnu.c
-+++ b/src/tls-gnu.c
-@@ -1536,6 +1536,7 @@ Arguments:
- verify_certs file for certificate verify
- verify_crl CRL for verify
- require_ciphers list of allowed ciphers or NULL
-+ dh_min_bits minimum number of bits acceptable in server's DH prime
- timeout startup timeout
-
- Returns: OK/DEFER/FAIL (because using common functions),
-@@ -1547,7 +1548,7 @@ tls_client_start(int fd, host_item *host,
- address_item *addr ARG_UNUSED, uschar *dhparam ARG_UNUSED,
- uschar *certificate, uschar *privatekey, uschar *sni,
- uschar *verify_certs, uschar *verify_crl,
-- uschar *require_ciphers, int timeout)
-+ uschar *require_ciphers, int dh_min_bits, int timeout)
- {
- int rc;
- const char *error;
-@@ -1559,7 +1560,17 @@ rc = tls_init(host, certificate, privatekey,
- sni, verify_certs, verify_crl, require_ciphers, &state);
- if (rc != OK) return rc;
-
--gnutls_dh_set_prime_bits(state->session, EXIM_CLIENT_DH_MIN_BITS);
-+if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
-+ {
-+ DEBUG(D_tls)
-+ debug_printf("WARNING: tls_dh_min_bits far too low, clamping %d up to %d\n",
-+ dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
-+ dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
-+ }
-+
-+DEBUG(D_tls) debug_printf("Setting D-H prime minimum acceptable bits to %d\n",
-+ dh_min_bits);
-+gnutls_dh_set_prime_bits(state->session, dh_min_bits);
-
- if (verify_certs == NULL)
- {
-diff --git a/src/tls-openssl.c b/src/tls-openssl.c
-index 22c0730..fdcb95e 100644
---- a/src/tls-openssl.c
-+++ b/src/tls-openssl.c
-@@ -1233,6 +1233,8 @@ Argument:
- verify_certs file for certificate verify
- crl file containing CRL
- require_ciphers list of allowed ciphers
-+ dh_min_bits minimum number of bits acceptable in server's DH prime
-+ (unused in OpenSSL)
- timeout startup timeout
-
- Returns: OK on success
-@@ -1244,7 +1246,7 @@ int
- tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
- uschar *certificate, uschar *privatekey, uschar *sni,
- uschar *verify_certs, uschar *crl,
-- uschar *require_ciphers, int timeout)
-+ uschar *require_ciphers, int dh_min_bits ARG_UNUSED, int timeout)
- {
- static uschar txt[256];
- uschar *expciphers;
-diff --git a/src/transports/smtp.c b/src/transports/smtp.c
-index f9f225f..b3856f5 100644
---- a/src/transports/smtp.c
-+++ b/src/transports/smtp.c
-@@ -129,6 +129,8 @@ optionlist smtp_transport_options[] = {
- (void *)offsetof(smtp_transport_options_block, tls_certificate) },
- { "tls_crl", opt_stringptr,
- (void *)offsetof(smtp_transport_options_block, tls_crl) },
-+ { "tls_dh_min_bits", opt_int,
-+ (void *)offsetof(smtp_transport_options_block, tls_dh_min_bits) },
- { "tls_privatekey", opt_stringptr,
- (void *)offsetof(smtp_transport_options_block, tls_privatekey) },
- { "tls_require_ciphers", opt_stringptr,
-@@ -195,9 +197,11 @@ smtp_transport_options_block smtp_transport_option_defaults = {
- NULL, /* gnutls_require_kx */
- NULL, /* gnutls_require_mac */
- NULL, /* gnutls_require_proto */
-+ NULL, /* tls_sni */
- NULL, /* tls_verify_certificates */
-- TRUE, /* tls_tempfail_tryclear */
-- NULL /* tls_sni */
-+ EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
-+ /* tls_dh_min_bits */
-+ TRUE /* tls_tempfail_tryclear */
- #endif
- #ifndef DISABLE_DKIM
- ,NULL, /* dkim_canon */
-@@ -1136,6 +1140,7 @@ if (tls_offered && !suppress_tls &&
- ob->tls_verify_certificates,
- ob->tls_crl,
- ob->tls_require_ciphers,
-+ ob->tls_dh_min_bits,
- ob->command_timeout);
-
- /* TLS negotiation failed; give an error. From outside, this function may
-diff --git a/src/transports/smtp.h b/src/transports/smtp.h
-index 621cb6b..17b75cf 100644
---- a/src/transports/smtp.h
-+++ b/src/transports/smtp.h
-@@ -52,9 +52,10 @@ typedef struct {
- uschar *gnutls_require_kx;
- uschar *gnutls_require_mac;
- uschar *gnutls_require_proto;
-+ uschar *tls_sni;
- uschar *tls_verify_certificates;
-+ int tls_dh_min_bits;
- BOOL tls_tempfail_tryclear;
-- uschar *tls_sni;
- #endif
- #ifndef DISABLE_DKIM
- uschar *dkim_domain;
---
-1.7.10
-
diff --git a/debian/patches/77_docsfortls_dh_min_bits.diff b/debian/patches/77_docsfortls_dh_min_bits.diff
deleted file mode 100644
index 41cb967..0000000
--- a/debian/patches/77_docsfortls_dh_min_bits.diff
+++ /dev/null
@@ -1,33 +0,0 @@
-diff -NurBbp a/doc/spec.txt exim-4.80/doc/spec.txt
---- a/doc/spec.txt 2012-05-31 11:35:23.000000000 +0200
-+++ exim-4.80/doc/spec.txt 2012-06-08 13:08:19.000000000 +0200
-@@ -21221,6 +21221,17 @@ This option specifies a certificate revo
- the name of a file that contains a CRL in PEM format.
-
- +--------------+---------+-------------+--------------+
-+|tls_dh_min_bits|Use: smtp|Type: integer|Default: 1024|
-++-----------------------------------------------------+
-+
-+When establishing a TLS session, if a ciphersuite which uses Diffie-Hellman key
-+agreement is negotiated, the server will provide a large prime number for use.
-+This option establishes the minimum acceptable size of that number. If the
-+parameter offered by the server is too small, then the TLS handshake will fail.
-+
-+Only supported when using GnuTLS.
-+
-++--------------+---------+-------------+--------------+
- |tls_privatekey|Use: smtp|Type: string*|Default: unset|
- +--------------+---------+-------------+--------------+
-
-@@ -23630,6 +23641,11 @@ There are some differences in usage when
- * The tls_require_ciphers options operate differently, as described in the
- sections 41.4 and 41.5.
-
-+ * The tls_dh_min_bits SMTP transport option is only honoured by GnuTLS. When
-+ using OpenSSL, this option is ignored. (If an API is found to let OpenSSL
-+ be configured in this way, let the Exim Maintainers know and we'll likely
-+ use it).
-+
- * Some other recently added features may only be available in one or the
- other. This should be documented with the feature. If the documentation
- does not explicitly state that the feature is infeasible in the other TLS
diff --git a/debian/patches/78_pkcs11_init.diff b/debian/patches/78_pkcs11_init.diff
deleted file mode 100644
index 0ac2604..0000000
--- a/debian/patches/78_pkcs11_init.diff
+++ /dev/null
@@ -1,38 +0,0 @@
-Description: Disable autoloading of PKCS#11 modules.
-Author: Phil Pennock <pdp@exim.org>
-Origin: upstream
-Bug-Debian: http://bugs.debian.org/678238
-Forwarded: http://article.gmane.org/gmane.mail.exim.devel/5732
-Last-Update: 2012-06-23
-
-Index: b/src/tls-gnu.c
-===================================================================
---- a/src/tls-gnu.c 2012-06-23 18:17:41.000000000 +0200
-+++ b/src/tls-gnu.c 2012-06-23 18:18:31.000000000 +0200
-@@ -39,6 +39,8 @@ require current GnuTLS, then we'll drop
- #include <gnutls/x509.h>
- /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
- #include <gnutls/crypto.h>
-+/* needed for gnutls_pkcs11_init */
-+#include <gnutls/pkcs11.h>
-
- /* GnuTLS 2 vs 3
-
-@@ -910,6 +912,8 @@ if (!exim_gnutls_base_init_done)
- {
- DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
-
-+ rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
-+ exim_gnutls_err_check(US"gnutls_pkcs11_init");
- rc = gnutls_global_init();
- exim_gnutls_err_check(US"gnutls_global_init");
-
-@@ -1942,6 +1946,8 @@ if (exim_gnutls_base_init_done)
- log_write(0, LOG_MAIN|LOG_PANIC,
- "already initialised GnuTLS, Exim developer bug");
-
-+rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
-+validate_check_rc(US"gnutls_pkcs11_init");
- rc = gnutls_global_init();
- validate_check_rc(US"gnutls_global_init()");
- exim_gnutls_base_init_done = TRUE;
diff --git a/debian/patches/84_CVE-2012-5671.patch b/debian/patches/84_CVE-2012-5671.patch
deleted file mode 100644
index b522203..0000000
--- a/debian/patches/84_CVE-2012-5671.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 4263f395efd136dece52d765dfcff3c96f17506e Mon Sep 17 00:00:00 2001
-From: Phil Pennock <pdp@exim.org>
-Date: Wed, 24 Oct 2012 23:26:29 -0400
-Subject: [PATCH 1/3] SECURITY: DKIM DNS buffer overflow protection
-
-CVE-2012-5671
-
-malloc/heap overflow, with a 60kB window of overwrite.
-Requires DNS under control of person sending email, leaves plenty of
-evidence, but is very likely exploitable on OSes that have not been
-well hardened.
-
---- exim4-4.72.orig/src/dkim.c
-+++ exim4-4.72/src/dkim.c
-@@ -44,6 +44,9 @@ int dkim_exim_query_dns_txt(char *name,
- "%.*s", (int)len, (char *)((rr->data)+rr_offset));
- rr_offset+=len;
- answer_offset+=len;
-+ if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN) {
-+ return PDKIM_FAIL;
-+ }
- }
- }
- else return PDKIM_FAIL;
---- exim4-4.72.orig/src/pdkim/pdkim.h
-+++ exim4-4.72/src/pdkim/pdkim.h
-@@ -29,8 +29,8 @@
-
- /* -------------------------------------------------------------------------- */
- /* Length of the preallocated buffer for the "answer" from the dns/txt
-- callback function. */
--#define PDKIM_DNS_TXT_MAX_RECLEN 4096
-+ callback function. This should match the maximum RDLENGTH from DNS. */
-+#define PDKIM_DNS_TXT_MAX_RECLEN (1 << 16)
-
- /* -------------------------------------------------------------------------- */
- /* Function success / error codes */
diff --git a/debian/patches/85_server_set_id_SPA.diff b/debian/patches/85_server_set_id_SPA.diff
deleted file mode 100644
index 9648185..0000000
--- a/debian/patches/85_server_set_id_SPA.diff
+++ /dev/null
@@ -1,73 +0,0 @@
-From f68fe5f62128effcce35efca90d74bc6df066765 Mon Sep 17 00:00:00 2001
-From: Phil Pennock <pdp@exim.org>
-Date: Wed, 7 Nov 2012 01:53:37 -0500
-Subject: [PATCH] Fix server_set_id for SPA/NTLM auth.
-
-Broken in 4.80 release, commit 08488c86.
-
-We need to leave $auth1 available after the authenticator returns, so
-that server_set_id can be evaluated by the caller. We need to do this
-whether we succeed or fail, because server_set_id only makes it into
-$authenticated_id if we return OK, but is logged regardless.
-
-Updated test config to set server_set_id; updated logs.
----
-
-diff --git a/src/auths/spa.c b/src/auths/spa.c
-index 1abd657..0bf7b04 100644
---- a/src/auths/spa.c
-+++ b/src/auths/spa.c
-@@ -196,17 +196,14 @@ that causes failure if the size of msgbuf is exceeded. ****/
- /***************************************************************/
-
- /* Put the username in $auth1 and $1. The former is now the preferred variable;
--the latter is the original variable. */
-+the latter is the original variable. These have to be out of stack memory, and
-+need to be available once known even if not authenticated, for error messages
-+(server_set_id, which only makes it to authenticated_id if we return OK) */
-
--auth_vars[0] = expand_nstring[1] = msgbuf;
-+auth_vars[0] = expand_nstring[1] = string_copy(msgbuf);
- expand_nlength[1] = Ustrlen(msgbuf);
- expand_nmax = 1;
-
--/* clean up globals which aren't referenced, but still shouldn't be left
--pointing to stack memory */
--#define CLEANUP_RETURN(Code) do { auth_vars[0] = expand_nstring[1] = NULL; \
-- expand_nlength[1] = expand_nmax = 0; return (Code); } while (0);
--
- debug_print_string(ablock->server_debug_string); /* customized debug */
-
- /* look up password */
-@@ -218,13 +215,13 @@ if (clearpass == NULL)
- {
- DEBUG(D_auth) debug_printf("auth_spa_server(): forced failure while "
- "expanding spa_serverpassword\n");
-- CLEANUP_RETURN(FAIL);
-+ return FAIL;
- }
- else
- {
- DEBUG(D_auth) debug_printf("auth_spa_server(): error while expanding "
- "spa_serverpassword: %s\n", expand_string_message);
-- CLEANUP_RETURN(DEFER);
-+ return DEFER;
- }
- }
-
-@@ -240,13 +237,12 @@ if (memcmp(ntRespData,
- 24) == 0)
- /* success. we have a winner. */
- {
-- int rc = auth_check_serv_cond(ablock);
-- CLEANUP_RETURN(rc);
-+ return auth_check_serv_cond(ablock);
- }
-
- /* Expand server_condition as an authorization check (PH) */
-
--CLEANUP_RETURN(FAIL);
-+return FAIL;
- }
-
-
diff --git a/debian/patches/86_Dovecot-robustness.diff b/debian/patches/86_Dovecot-robustness.diff
deleted file mode 100644
index 9f4c610..0000000
--- a/debian/patches/86_Dovecot-robustness.diff
+++ /dev/null
@@ -1,308 +0,0 @@
-From 3f1df0e341c4ddc4add38fa97d9d34972655a6c7 Mon Sep 17 00:00:00 2001
-From: Phil Pennock <pdp@exim.org>
-Date: Mon, 19 Nov 2012 23:44:33 -0500
-Subject: [PATCH] Dovecot: robustness; better msg on missing mech.
-
-If the dovecot protocol response doesn't include the MECH message for
-the SMTP AUTH protocol the client has requested, that's not a protocol
-failure, don't log it as such. Instead, explicitly log that it didn't
-advertise the mechanism we're looking for. This lets administrators fix
-either their Exim or their Dovecot configurations.
-
-Also: make the Dovecot handling more resistant to bad data from the auth
-server; handle too many fields with debug-log message to explain what's
-going on, permit lines of 8192 length per spec and detect if the line is
-too long, so that we can fail auth instead of becoming unsynchronised.
-
-Stop using the CUID from the server as the AUTH id counter. They're
-different, by my reading of the spec.
-
-TESTED: works against Dovecot 2.1.10.
-
-Thanks to Brady Catherman for reporting the problem with diagnosis.
----
-
-diff --git a/src/auths/dovecot.c b/src/auths/dovecot.c
-index 0824240..032a089 100644
---- a/src/auths/dovecot.c
-+++ b/src/auths/dovecot.c
-@@ -12,12 +12,42 @@ commented them specially, but now they are getting quite extensive, so I have
- ceased doing that. The biggest change is to use unbuffered I/O on the socket
- because using C buffered I/O gives problems on some operating systems. PH */
-
-+/* Protocol specifications:
-+ * Dovecot 1, protocol version 1.1
-+ * http://wiki.dovecot.org/Authentication%20Protocol
-+ *
-+ * Dovecot 2, protocol version 1.1
-+ * http://wiki2.dovecot.org/Design/AuthProtocol
-+ */
-+
- #include "../exim.h"
- #include "dovecot.h"
-
- #define VERSION_MAJOR 1
- #define VERSION_MINOR 0
-
-+/* http://wiki.dovecot.org/Authentication%20Protocol
-+"The maximum line length isn't defined,
-+ but it's currently expected to fit into 8192 bytes"
-+*/
-+#define DOVECOT_AUTH_MAXLINELEN 8192
-+
-+/* This was hard-coded as 8.
-+AUTH req C->S sends {"AUTH", id, mechanism, service } + params, 5 defined for
-+Dovecot 1; Dovecot 2 (same protocol version) defines 9.
-+
-+Master->Server sends {"USER", id, userid} + params, 6 defined.
-+Server->Client only gives {"OK", id} + params, unspecified, only 1 guaranteed.
-+
-+We only define here to accept S->C; max seen is 3+<unspecified>, plus the two
-+for the command and id, where unspecified might include _at least_ user=...
-+
-+So: allow for more fields than we ever expect to see, while aware that count
-+can go up without changing protocol version.
-+The cost is the length of an array of pointers on the stack.
-+*/
-+#define DOVECOT_AUTH_MAXFIELDCOUNT 16
-+
- /* Options specific to the authentication mechanism. */
- optionlist auth_dovecot_options[] = {
- {
-@@ -43,7 +73,7 @@ auth_dovecot_options_block auth_dovecot_option_defaults = {
- /* Static variables for reading from the socket */
-
- static uschar sbuffer[256];
--static int sbp;
-+static int socket_buffer_left;
-
-
-
-@@ -67,9 +97,28 @@ void auth_dovecot_init(auth_instance *ablock)
- ablock->client = FALSE;
- }
-
--static int strcut(uschar *str, uschar **ptrs, int nptrs)
-+/*************************************************
-+ * "strcut" to split apart server lines *
-+ *************************************************/
-+
-+/* Dovecot auth protocol uses TAB \t as delimiter; a line consists
-+of a command-name, TAB, and then any parameters, each separated by a TAB.
-+A parameter can be param=value or a bool, just param.
-+
-+This function modifies the original str in-place, inserting NUL characters.
-+It initialises ptrs entries, setting all to NULL and only setting
-+non-NULL N entries, where N is the return value, the number of fields seen
-+(one more than the number of tabs).
-+
-+Note that the return value will always be at least 1, is the count of
-+actual fields (so last valid offset into ptrs is one less).
-+*/
-+
-+static int
-+strcut(uschar *str, uschar **ptrs, int nptrs)
- {
-- uschar *tmp = str;
-+ uschar *last_sub_start = str;
-+ uschar *lastvalid = str + Ustrlen(str);
- int n;
-
- for (n = 0; n < nptrs; n++)
-@@ -79,19 +128,44 @@ static int strcut(uschar *str, uschar **ptrs, int nptrs)
- while (*str) {
- if (*str == '\t') {
- if (n <= nptrs) {
-- *ptrs++ = tmp;
-- tmp = str + 1;
-- *str = 0;
-+ *ptrs++ = last_sub_start;
-+ last_sub_start = str + 1;
-+ *str = '\0';
- }
- n++;
- }
- str++;
- }
-
-- if (n < nptrs)
-- *ptrs = tmp;
-+ if (last_sub_start < lastvalid) {
-+ if (n <= nptrs) {
-+ *ptrs = last_sub_start;
-+ } else {
-+ HDEBUG(D_auth) debug_printf("dovecot: warning: too many results from tab-splitting; saw %d fields, room for %d\n", n, nptrs);
-+ n = nptrs;
-+ }
-+ } else {
-+ n--;
-+ HDEBUG(D_auth) debug_printf("dovecot: warning: ignoring trailing tab\n");
-+ }
-+
-+ return n <= nptrs ? n : nptrs;
-+}
-
-- return n;
-+static void debug_strcut(uschar **ptrs, int nlen, int alen) ARG_UNUSED;
-+static void
-+debug_strcut(uschar **ptrs, int nlen, int alen)
-+{
-+ int i;
-+ debug_printf("%d read but unreturned bytes; strcut() gave %d results: ",
-+ socket_buffer_left, nlen);
-+ for (i = 0; i < nlen; i++) {
-+ debug_printf(" {%s}", ptrs[i]);
-+ }
-+ if (nlen < alen)
-+ debug_printf(" last is %s\n", ptrs[i] ? ptrs[i] : US"<null>");
-+ else
-+ debug_printf(" (max for capacity)\n");
- }
-
- #define CHECK_COMMAND(str, arg_min, arg_max) do { \
-@@ -125,27 +199,27 @@ int count = 0;
-
- for (;;)
- {
-- if (sbp == 0)
-+ if (socket_buffer_left == 0)
- {
-- sbp = read(fd, sbuffer, sizeof(sbuffer));
-- if (sbp == 0) { if (count == 0) return NULL; else break; }
-+ socket_buffer_left = read(fd, sbuffer, sizeof(sbuffer));
-+ if (socket_buffer_left == 0) { if (count == 0) return NULL; else break; }
- p = 0;
- }
-
-- while (p < sbp)
-+ while (p < socket_buffer_left)
- {
- if (count >= n - 1) break;
- s[count++] = sbuffer[p];
- if (sbuffer[p++] == '\n') break;
- }
-
-- memmove(sbuffer, sbuffer + p, sbp - p);
-- sbp -= p;
-+ memmove(sbuffer, sbuffer + p, socket_buffer_left - p);
-+ socket_buffer_left -= p;
-
- if (s[count-1] == '\n' || count >= n - 1) break;
- }
-
--s[count] = 0;
-+s[count] = '\0';
- return s;
- }
-
-@@ -161,12 +235,14 @@ int auth_dovecot_server(auth_instance *ablock, uschar *data)
- auth_dovecot_options_block *ob =
- (auth_dovecot_options_block *)(ablock->options_block);
- struct sockaddr_un sa;
-- uschar buffer[4096];
-- uschar *args[8];
-+ uschar buffer[DOVECOT_AUTH_MAXLINELEN];
-+ uschar *args[DOVECOT_AUTH_MAXFIELDCOUNT];
- uschar *auth_command;
- uschar *auth_extra_data = US"";
-+ uschar *p;
- int nargs, tmp;
-- int cuid = 0, cont = 1, found = 0, fd, ret = DEFER;
-+ int crequid = 1, cont = 1, fd, ret = DEFER;
-+ BOOL found = FALSE;
-
- HDEBUG(D_auth) debug_printf("dovecot authentication\n");
-
-@@ -198,37 +274,46 @@ int auth_dovecot_server(auth_instance *ablock, uschar *data)
-
- auth_defer_msg = US"authentication socket protocol error";
-
-- sbp = 0; /* Socket buffer pointer */
-+ socket_buffer_left = 0; /* Global, used to read more than a line but return by line */
- while (cont) {
- if (dc_gets(buffer, sizeof(buffer), fd) == NULL)
- OUT("authentication socket read error or premature eof");
--
-- buffer[Ustrlen(buffer) - 1] = 0;
-+ p = buffer + Ustrlen(buffer) - 1;
-+ if (*p != '\n') {
-+ OUT("authentication socket protocol line too long");
-+ }
-+ *p = '\0';
- HDEBUG(D_auth) debug_printf("received: %s\n", buffer);
- nargs = strcut(buffer, args, sizeof(args) / sizeof(args[0]));
-+ /* HDEBUG(D_auth) debug_strcut(args, nargs, sizeof(args) / sizeof(args[0])); */
-
- /* Code below rewritten by Kirill Miazine (km@krot.org). Only check commands that
- Exim will need. Original code also failed if Dovecot server sent unknown
- command. E.g. COOKIE in version 1.1 of the protocol would cause troubles. */
-- if (Ustrcmp(args[0], US"CUID") == 0) {
-- CHECK_COMMAND("CUID", 1, 1);
-- cuid = Uatoi(args[1]);
-- } else if (Ustrcmp(args[0], US"VERSION") == 0) {
-+ /* pdp: note that CUID is a per-connection identifier sent by the server,
-+ which increments at server discretion.
-+ By contrast, the "id" field of the protocol is a connection-specific request
-+ identifier, which needs to be unique per request from the client and is not
-+ connected to the CUID value, so we ignore CUID from server. It's purely for
-+ diagnostics. */
-+ if (Ustrcmp(args[0], US"VERSION") == 0) {
- CHECK_COMMAND("VERSION", 2, 2);
- if (Uatoi(args[1]) != VERSION_MAJOR)
- OUT("authentication socket protocol version mismatch");
- } else if (Ustrcmp(args[0], US"MECH") == 0) {
- CHECK_COMMAND("MECH", 1, INT_MAX);
- if (strcmpic(US args[1], ablock->public_name) == 0)
-- found = 1;
-+ found = TRUE;
- } else if (Ustrcmp(args[0], US"DONE") == 0) {
- CHECK_COMMAND("DONE", 0, 0);
- cont = 0;
- }
- }
-
-- if (!found)
-+ if (!found) {
-+ auth_defer_msg = string_sprintf("Dovecot did not advertise mechanism \"%s\" to us", ablock->public_name);
- goto out;
-+ }
-
- /* Added by PH: data must not contain tab (as it is
- b64 it shouldn't, but check for safety). */
-@@ -264,14 +349,11 @@ int auth_dovecot_server(auth_instance *ablock, uschar *data)
-
- Subsequently, the command was modified to add "secured" and "valid-client-
- cert" when relevant.
--
-- The auth protocol is documented here:
-- http://wiki.dovecot.org/Authentication_Protocol
- ****************************************************************************/
-
- auth_command = string_sprintf("VERSION\t%d\t%d\nCPID\t%d\n"
- "AUTH\t%d\t%s\tservice=smtp\t%srip=%s\tlip=%s\tnologin\tresp=%s\n",
-- VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
-+ VERSION_MAJOR, VERSION_MINOR, getpid(), crequid,
- ablock->public_name, auth_extra_data, sender_host_address,
- interface_address, data ? (char *) data : "");
-
-@@ -295,7 +377,7 @@ int auth_dovecot_server(auth_instance *ablock, uschar *data)
- HDEBUG(D_auth) debug_printf("received: %s\n", buffer);
- nargs = strcut(buffer, args, sizeof(args) / sizeof(args[0]));
-
-- if (Uatoi(args[1]) != cuid)
-+ if (Uatoi(args[1]) != crequid)
- OUT("authentication socket connection id mismatch");
-
- switch (toupper(*args[0])) {
-@@ -316,7 +398,7 @@ int auth_dovecot_server(auth_instance *ablock, uschar *data)
- goto out;
- }
-
-- temp = string_sprintf("CONT\t%d\t%s\n", cuid, data);
-+ temp = string_sprintf("CONT\t%d\t%s\n", crequid, data);
- if (write(fd, temp, Ustrlen(temp)) < 0)
- OUT("authentication socket write error");
- break;
---
-1.7.10.4
-
diff --git a/debian/patches/87_localinjected_mimeacl.diff b/debian/patches/87_localinjected_mimeacl.diff
deleted file mode 100644
index 7de61b3..0000000
--- a/debian/patches/87_localinjected_mimeacl.diff
+++ /dev/null
@@ -1,32 +0,0 @@
-From f4c1088bb7af23e4b613672230868056d46239a5 Mon Sep 17 00:00:00 2001
-From: Phil Pennock <pdp@exim.org>
-Date: Wed, 31 Jul 2013 18:50:04 -0400
-Subject: [PATCH] Fix segfault in stdio with non-SMTP MIME ACL.
-
-When injecting a message locally in non-SMTP mode, and with MIME ACLs
-configured, if the ACL rejected the message, Exim would try to
-`fprintf(NULL, "%s", the_message)`. This fixes that.
-
-Most ACLs are plumbed in SMTP-only and looking through the others in
-receive.c, they all appear to be safely guarded, so it was just this one
-that slipped through.
-
-Crash report and assistance tracking down the root cause from Warren
-Baker.
-
-
---- exim4-4.80.orig/src/receive.c
-+++ exim4-4.80/src/receive.c
-@@ -1184,9 +1184,10 @@ else if (rc != OK)
- #ifdef EXPERIMENTAL_DCC
- dcc_ok = 0;
- #endif
-- if (smtp_handle_acl_fail(ACL_WHERE_MIME, rc, user_msg, log_msg) != 0)
-+ if (smtp_input && smtp_handle_acl_fail(ACL_WHERE_MIME, rc, user_msg, log_msg) != 0) {
- *smtp_yield_ptr = FALSE; /* No more messsages after dropped connection */
-- *smtp_reply_ptr = US""; /* Indicate reply already sent */
-+ *smtp_reply_ptr = US""; /* Indicate reply already sent */
-+ }
- message_id[0] = 0; /* Indicate no message accepted */
- return FALSE; /* Cause skip to end of receive function */
- }
diff --git a/debian/patches/series b/debian/patches/series
index 8617c1b..57dd216 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,3 @@
-30_dontoverridecflags.dpatch
31_eximmanpage.dpatch
32_exim4.dpatch
33_eximon.binary.dpatch
@@ -9,11 +8,3 @@
66_enlarge-dh-parameters-size.dpatch
67_unnecessaryCopt.diff
70_remove_exim-users_references.dpatch
-75_openssl_sni.diff
-76_tls_dh_min_bits.diff
-77_docsfortls_dh_min_bits.diff
-78_pkcs11_init.diff
-84_CVE-2012-5671.patch
-85_server_set_id_SPA.diff
-86_Dovecot-robustness.diff
-87_localinjected_mimeacl.diff