-rw-r--r-- | debian/changelog | 73 | ||||
-rw-r--r-- | debian/control | 6 | ||||
-rw-r--r-- | debian/exim4-base.postinst | 2 | ||||
-rw-r--r-- | debian/manpages/exim4-config_files.5 | 4 | ||||
-rwxr-xr-x | debian/patches/65_saverandomseed.dpatch | 73 | ||||
-rw-r--r-- | debian/patches/80_fix_ftbfs_hurd.diff | 18 | ||||
-rw-r--r-- | debian/patches/series | 1 | ||||
-rw-r--r-- | debian/source/include-binaries | 1 | ||||
-rw-r--r-- | debian/tests/control | 2 | ||||
-rw-r--r-- | debian/upstream-signing-key.pgp | bin | 0 -> 8884 bytes | |||
-rw-r--r-- | debian/watch | 3 |
11 files changed, 102 insertions, 81 deletions
diff --git a/debian/changelog b/debian/changelog
index a8c6bd8..92b0780 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,76 @@
+exim4 (4.82.1-1) unstable; urgency=high
+
+ * New upstream security release, fixing CVE-2014-2957. This is a remote
+ code execution flaw in Exim version 4.82 (only) when built with DMARC
+ support. Debian's binary packages are not built with DMARC support and
+ therefore not vulnerable. However we want to fix this for people building
+ their own binaries based on Debian's packaging.
+
+ -- Andreas Metzler <ametzler@debian.org> Wed, 28 May 2014 19:01:43 +0200
+
+exim4 (4.82-8) unstable; urgency=medium
+
+ * Now that GMP has been relicensed to LGPLv3+/GPLv2+ build exim against
+ GnuTLS v3.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 12 Apr 2014 16:19:05 +0200
+
+exim4 (4.82-7) unstable; urgency=high
+
+ [ Martin Pitt ]
+ * debian/tests/control: Add missing python test dependency, as
+ debian/tests/security calls python. Closes: #740092
+
+ [ Andreas Metzler ]
+ * 4.82 deprecated $tls_bits, $tls_certificate_verified, $tls_cipher,
+ $tls_peerdn, $tls_sni and introduced tls_in_*/tls_out_* variants of these
+ variables which describe the respective status of the current incoming or
+ outgoing TLS connection. The rationale for this is that a single exim
+ process can now use both an incoming (message reception) and outgoing
+ TLS connection (callout or cutthrough delivery) concurrently. With this
+ change the "old" variables were mapped to tls_in_*, i.e. they expand to
+ empty values on outgoing connections. (This is not yet documented.)
+ Outgoing tls-connections can therefore not be detected by nonempty
+ $tls_cipher anymore. exim4-config << 4.82 used this mechanism to prevent
+ sending of plaintext AUTH information on unencrypted connections. Force a
+ lockstep upgrade of exim4-config by bumping the version of exim4-base's
+ dependency on exim4-config to >= 4.82.
+ Closes: #742901, #736081
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 06 Apr 2014 08:32:11 +0200
+
+exim4 (4.82-6) experimental; urgency=medium
+
+ [ Martin Pitt ]
+ * debian/tests/control: Add missing python test dependency, as
+ debian/tests/security calls python. Closes: #740092
+
+ [ Andreas Metzler ]
+ * Now that GMP has been relicensed to LGPLv3+/GPLv2+ build exim against
+ GnuTLS v3.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 05 Apr 2014 14:18:11 +0200
+
+exim4 (4.82-5) unstable; urgency=medium
+
+ * Upgrade to libdb5.3-dev. Closes: #738637 Be paranoid and bump BDBVERSION
+ in exim4-base.postinst from 3.0 (no idea why this did not read 5.1) to
+ 5.3, therefore purging hints db on upgrades.
+
+ -- Andreas Metzler <ametzler@debian.org> Wed, 12 Feb 2014 19:31:55 +0100
+
+exim4 (4.82-4) unstable; urgency=medium
+
+ * Correct title/name of exim4-config_files(5). (Thanks, Heiko Schlittermann)
+ Closes: #734212
+ * 80_fix_ftbfs_hurd.diff by Samuel Thibault fixes FTBFS on GNU/hurd due to
+ missing support for TCLASS. Closes: #738445
+ * Add debian/upstream-signing-key.pgp (listed in
+ debian/source/include-binaries) and update watchfile to check
+ upstream signature.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 09 Feb 2014 19:41:34 +0100
+
 exim4 (4.82-3+dyson1) unstable; urgency=low

 * Package for Dyson
diff --git a/debian/control b/debian/control
index cf6be0f..b9bd4b4 100644
--- a/debian/control
+++ b/debian/control
@@ -11,10 +11,10 @@ Vcs-Git: git://anonscm.debian.org/pkg-exim4/exim4.git
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-exim4/exim4.git
 Build-Depends: debhelper (>= 7.0.15), po-debconf, docbook-xsl, xsltproc,
 lynx-cur | lynx, docbook-xml, libpcre3-dev, libldap2-dev, libpam0g-dev,
- libident-dev, libdb5.1-dev, libxmu-dev, libxt-dev, libxext-dev, libx11-dev,
+ libident-dev, libdb5.3-dev, libxmu-dev, libxt-dev, libxext-dev, libx11-dev,
 libxaw7-dev, libpq-dev, libmysqlclient-dev | libmysqlclient15-dev,
 libkstat-dev [illumos-any], dh-smf [illumos-any],
- libsqlite3-dev, libperl-dev, libgnutls-dev, libsasl2-dev
+ libsqlite3-dev, libperl-dev, libgnutls28-dev, libsasl2-dev
 XS-Testsuite: autopkgtest

 Package: exim4-base
@@ -24,7 +24,7 @@ Breaks: exim4-daemon-light (<<${Upstream-Version}),
 exim4-daemon-custom (<<${Upstream-Version})
 Conflicts: exim, exim-tls
 Replaces: exim, exim-tls, exim4-daemon-light, exim4-daemon-heavy, exim4-daemon-custom
-Depends: ${shlibs:Depends}, ${misc:Depends}, cron | fcron, exim4-config (>=4.30) | exim4-config-2, adduser, netbase, lsb-base (>= 3.0-6)
+Depends: ${shlibs:Depends}, ${misc:Depends}, cron | fcron, exim4-config (>=4.82) | exim4-config-2, adduser, netbase, lsb-base (>= 3.0-6)
 # psmisc just for exiwhat.
 Recommends: psmisc, mailx, perl-modules
 Suggests: mail-reader, eximon4, exim4-doc-html|exim4-doc-info,
diff --git a/debian/exim4-base.postinst b/debian/exim4-base.postinst
index 9c5e57e..66e9a1a 100644
--- a/debian/exim4-base.postinst
+++ b/debian/exim4-base.postinst
@@ -10,7 +10,7 @@ fi
 db_version 2.0
-BDBVERSION=3.0
+BDBVERSION=5.3
 case "$1" in
 configure)
diff --git a/debian/manpages/exim4-config_files.5 b/debian/manpages/exim4-config_files.5
index dc01d01..dc4a52c 100644
--- a/debian/manpages/exim4-config_files.5
+++ b/debian/manpages/exim4-config_files.5
@@ -2,7 +2,7 @@
 .\" First parameter, NAME, should be all caps
 .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
 .\" other parameters are allowed: see man(7), man(1)
-.TH EXIM4_FILES 5 "Jun 21, 2006" EXIM4
+.TH EXIM4-CONFIG_FILES 5 "Jan 5, 2014" EXIM4
 .\" Please adjust this date whenever revising the manpage.
 .\"
 .\" Some roff macros, for reference:
@@ -18,7 +18,7 @@
 .\" \(oqthis text is enclosed in single quotes\(cq
 .\" \(lqthis text is enclosed in double quotes\(rq
 .SH NAME
-exim4_files \- Files in use by the Debian exim4 packages
+exim4-config_files \- Files in use by the Debian exim4 packages
 .SH SYNOPSIS
 .br
 /etc/aliases
diff --git a/debian/patches/65_saverandomseed.dpatch b/debian/patches/65_saverandomseed.dpatch
deleted file mode 100755
index d16c1d7..0000000
--- a/debian/patches/65_saverandomseed.dpatch
+++ /dev/null
@@ -1,73 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 65_saverandomseed.dpatch by <ametzler@argenau>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Save gcrypt RNG seed.
-
-diff -NurbBp exim.orig/src/tls-gnu.c exim/src/tls-gnu.c
---- exim.orig/src/tls-gnu.c 2009-11-15 12:17:32.000000000 +0100
-+++ exim/src/tls-gnu.c 2009-11-15 12:38:30.000000000 +0100
-@@ -20,6 +20,7 @@ functions from the GnuTLS library. */
- #include <gnutls/gnutls.h>
- #include <gnutls/x509.h>
-
-+#include <gcrypt.h>
-
- #define UNKNOWN_NAME "unknown"
- #define DH_BITS 2048
-@@ -443,10 +444,35 @@ tls_init(host_item *host, uschar *certif
- uschar *crl)
- {
- int rc;
-+uschar filename[200];
- uschar *cert_expanded, *key_expanded, *cas_expanded, *crl_expanded;
-+gcry_error_t gcr_rc;
-
- client_host = host;
-
-+/* initialize gcrypt explicitely */
-+gcry_check_version (NULL);
-+
-+/* Use a random_seed file for gcrypt's RNG */
-+if (host_number_string != NULL)
-+ {
-+ if (!string_format(filename, sizeof(filename), "%s/random.seed%s",
-+ spool_directory, host_number_string))
-+ return tls_error(US"overlong filename spool_directory/random.seedlocalhost_number", host, 0);
-+ }
-+else
-+ {
-+ if (!string_format(filename, sizeof(filename), "%s/random.seed",
-+ spool_directory))
-+ return tls_error(US"overlong filename spool_directory/random.seed", host, 0);
-+ }
-+
-+gcr_rc = gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE,filename);
-+if (gcr_rc)
-+ return tls_error(US"Failure to set random_seed file", host, gcr_rc);
-+
-+gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
-+
- rc = gnutls_global_init();
- if (rc < 0) return tls_error(US"tls-init", host, gnutls_strerror(rc));
-
-@@ -1295,8 +1321,19 @@ Returns: nothing
- void
- tls_close(BOOL shutdown)
- {
-+gcry_error_t gcr_rc;
-+
- if (tls_active < 0) return; /* TLS was not active */
-
-+gcr_rc = gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);
-+
-+if (gcr_rc)
-+ {
-+ DEBUG(D_tls) debug_printf(
-+ "GCRYCTL_UPDATE_RANDOM_SEED_FILE failed: (%d): (%s)\n",
-+ gcr_rc,gcry_strerror(gcr_rc));
-+ }
-+
- if (shutdown)
- {
- DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
diff --git a/debian/patches/80_fix_ftbfs_hurd.diff b/debian/patches/80_fix_ftbfs_hurd.diff
new file mode 100644
index 0000000..8119c95
--- /dev/null
+++ b/debian/patches/80_fix_ftbfs_hurd.diff
@@ -0,0 +1,18 @@
+Description: Fix FTBFS on hurd due to missing IPV6_TCLASS support.
+Author: Samuel Thibault <sthibault@debian.org>
+Bug-Debian: http://bugs.debian.org/738445
+Origin: vendor
+Forwarded: http://git.exim.org/exim.git/commitdiff/bb7b9411e1b4f95418bed7b35035186e261063a6
+Last-Update: 2014-02-09
+
+--- exim4-4.82.orig/src/ip.c
++++ exim4-4.82/src/ip.c
+@@ -464,7 +464,7 @@ if (af == AF_INET)
+ *level = IPPROTO_IP;
+ *optname = IP_TOS;
+ }
+-#if HAVE_IPV6
++#if HAVE_IPV6 && defined(IPV6_TCLASS)
+ else if (af == AF_INET6)
+ {
+ *level = IPPROTO_IPV6;
diff --git a/debian/patches/series b/debian/patches/series
index c9c7291..fd67cf0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,4 +11,5 @@
 75_unbind-ldap-connection.diff
 76_fix_ldap_option_setting.diff
 77_close-the-server-side-of-TLS.diff
+80_fix_ftbfs_hurd.diff
 dyson-version.patch
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
new file mode 100644
index 0000000..95a390b
--- /dev/null
+++ b/debian/source/include-binaries
@@ -0,0 +1 @@
+debian/upstream-signing-key.pgp
diff --git a/debian/tests/control b/debian/tests/control
index 21b2149..0e64126 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,3 +1,3 @@
 Tests: daemon security
-Depends: exim4
+Depends: exim4, python
 Restrictions: needs-root
diff --git a/debian/upstream-signing-key.pgp b/debian/upstream-signing-key.pgp
Binary files differ
new file mode 100644
index 0000000..631e571
--- /dev/null
+++ b/debian/upstream-signing-key.pgp
diff --git a/debian/watch b/debian/watch
index 27fb890..eac4c0a 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,2 +1,3 @@
-version=2
+version=3
+opts=pgpsigurlmangle=s/$/.asc/ \
 http://ftp.exim.org/pub/exim/exim4/exim-(\d.*)\.(?:tgz|tar\.(?:gz|bz2|xz)) |
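Review bot: The new `opts=pgpsigurlmangle=s/$/.asc/` line makes the keyring the only integrity control on the download, because the tarball itself is still fetched over plain http://, yet nothing in the commit records which key debian/upstream-signing-key.pgp holds or how its fingerprint was checked. A later maintainer therefore cannot tell whether the signature check binds the download to upstream's release key or to an arbitrary key. A one-line provenance note would close that gap, e.g. a comment at the top of debian/watch such as `# upstream-signing-key.pgp: exim release key, fingerprint <FINGERPRINT-placeholder>, verified against <SOURCE-placeholder>`.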