- update to 4.80

- Bugzilla 949 - Documentation tweak. - Bugzilla 1093 - eximstats DATA reject detection regexps improved. - Bugzilla 1169 - primary_hostname spelling was incorrect in docs. - Implemented gsasl authenticator. - Implemented heimdal_gssapi authenticator with "server_keytab" option. - Local/Makefile support for (AUTH|LOOKUP)_*_PC=foo to use `pkg-config foo` for cflags/libs. - Swapped $auth1/$auth2 for gsasl GSSAPI mechanism, to be more consistent with rest of GSASL and with heimdal_gssapi. - Local/Makefile support for USE_(GNUTLS|OPENSSL)_PC=foo to use `pkg-config foo` for cflags/libs for the TLS implementation. - New expansion variable $tls_bits; Cyrus SASL server connection properties get this fed in as external SSF. A number of robustness and debugging improvements to the cyrus_sasl authenticator. - cyrus_sasl server now expands the server_realm option. - Bugzilla 1214 - Log authentication information in reject log. - Added dbmjz lookup type. - Let heimdal_gssapi authenticator take a SASL message without an authzid. - MAIL args handles TAB as well as SP, for better interop with non-compliant senders. - Bugzilla 1237 - fix cases where printf format usage not indicated. - tls_peerdn now print-escaped for spool files. Observed some $tls_peerdn in wild which contained \n, which resulted in spool file corruption. - TLS fixes for OpenSSL: support TLS 1.1 & 1.2; new "openssl_options" values; set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read or write after TLS renegotiation, which otherwise led to messages "Got SSL error 2". - Bugzilla 1239 - fix DKIM verification when signature was not inserted as a tracking header (ie: a signed header comes before the signature). - Bugzilla 660 - Multi-valued attributes from ldap now parseable as a comma-sep list; embedded commas doubled. - Refactored ACL "verify =" logic to table-driven dispatch. - LDAP: Check for errors of TLS initialisation, to give correct diagnostics. - Removed "dont_insert_empty_fragments" fron "openssl_options". Removed SSL_clear() after SSL_new() which led to protocol negotiation failures. We appear to now support TLS1.1+ with Exim. - OpenSSL: new expansion var $tls_sni, which if used in tls_certificate lets Exim select keys and certificates based upon TLS SNI from client. Also option tls_sni on SMTP Transports. Also clear $tls_bits correctly before an outbound SMTP session. New log_selector, +tls_sni. - Bugzilla 1122 - check localhost_number expansion for failure, avoid NULL dereference. - Revert part of NM/04, it broke log_path containing %D expansions. Left warnings. Added "eximon gdb" invocation mode. - Defaulting "accept_8bitmime" to true, not false. - Added -bw for inetd wait mode support. - Added PCRE_CONFIG=yes support to Makefile for using pcre-config to locate the relevant includes and libraries. Made this the default. - Fixed headers_only on smtp transports (was not sending trailing dot). Bugzilla 1246, report and most of solution from Tomasz Kusy. - ${eval } now uses 64-bit and supports a "g" suffix (like to "k" and "m"). This may cause build issues on older platforms. - Revamped GnuTLS support, passing tls_require_ciphers to gnutls_priority_init, ignoring Exim options gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols (no longer supported). Added SNI support via GnuTLS too. Made ${randint:..} supplier available, if using not-too-old GnuTLS. - Added EXPERIMENTAL_OCSP for OpenSSL. - Applied dnsdb SPF support patch from Janne Snabb. Applied second patch from Janne, implementing suggestion to default multiple-strings-in-record handling to match SPF spec. - Added expansion variable $tod_epoch_l for a higher-precision time. - Fix DCC dcc_header content corruption (stack memory referenced, read-only, out of scope). Patch from Wolfgang Breyha, report from Stuart Northfield. - Fix three issues highlighted by clang analyser static analysis. Only crash-plausible issue would require the Cambridge-specific iplookup router and a misconfiguration. Report from Marcin Mirosław. - Another attempt to deal with PCRE_PRERELEASE, this one less buggy. - %D in printf continues to cause issues (-Wformat=security), so for now guard some of the printf checks behind WANT_DEEPER_PRINTF_CHECKS. As part of this, removing so much warning spew let me fix some minor real issues in debug logging. - GnuTLS was always using default tls_require_ciphers, due to a missing assignment on my part. Fixed. - Added tls_dh_max_bits option, defaulting to current hard-coded limit of NSS, for GnuTLS/NSS interop. - Validate tls_require_ciphers on startup, since debugging an invalid string otherwise requires a connection and a bunch more work and it's relatively easy to get wrong. Should also expose TLS library linkage problems. - Pull in <features.h> on Linux, for some portability edge-cases of 64-bit ${eval} (JH/03). - Define _GNU_SOURCE in exim.h; it's needed for some releases of protection layer was required, which is not implemented. Bugzilla 1254 - Overhaul DH prime handling, supply RFC-specified DH primes as built into Exim, default to IKE id 23 from RFC 5114 (2048 bit). Make tls_dhparam take prime identifiers. Also unbreak combination of OpenSSL+DH_params+TLSSNI. - Disable SSLv2 by default in OpenSSL support. OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=122
2012-08-19 14:12:43 +00:00 · 2012-08-19 14:12:43 +00:00 · 5861db2a32
commit 5861db2a32
parent a65dd7b580
6 changed files with 102 additions and 153 deletions
--- a/exim-4.77.tar.bz2
+++ b/exim-4.77.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0ccc13cf2f052b1163fcdf71c55a3578765050848ba413a6473d3ab5d20b1475
-size 1576148
--- a/exim-4.80.tar.bz2
+++ b/exim-4.80.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:787b6defd37fa75311737bcfc42e9e2b2cc62c5d027eed35bb7d800b2d9a0984
+size 1649827
--- a/exim-4.12-tail.patch
+++ b/exim-4.12-tail.patch
--- a/exim.changes
+++ b/exim.changes
@ -1,3 +1,100 @@
+-------------------------------------------------------------------
+Sun Aug 19 13:36:59 UTC 2012 - lars@samba.org
+
+- update to 4.80
+  - Bugzilla 949 - Documentation tweak.
+  - Bugzilla 1093 - eximstats DATA reject detection regexps improved.
+  - Bugzilla 1169 - primary_hostname spelling was incorrect in docs.
+  - Implemented gsasl authenticator.
+  - Implemented heimdal_gssapi authenticator with "server_keytab" option.
+  - Local/Makefile support for (AUTH|LOOKUP)_*_PC=foo to use
+    `pkg-config foo` for cflags/libs.
+  - Swapped $auth1/$auth2 for gsasl GSSAPI mechanism, to be more consistent
+    with rest of GSASL and with heimdal_gssapi.
+  - Local/Makefile support for USE_(GNUTLS|OPENSSL)_PC=foo to use
+    `pkg-config foo` for cflags/libs for the TLS implementation.
+  - New expansion variable $tls_bits; Cyrus SASL server connection
+    properties get this fed in as external SSF.  A number of robustness
+    and debugging improvements to the cyrus_sasl authenticator.
+  - cyrus_sasl server now expands the server_realm option.
+  - Bugzilla 1214 - Log authentication information in reject log.
+  - Added dbmjz lookup type.
+  - Let heimdal_gssapi authenticator take a SASL message without an authzid.
+  - MAIL args handles TAB as well as SP, for better interop with
+    non-compliant senders.
+  - Bugzilla 1237 - fix cases where printf format usage not indicated.
+  - tls_peerdn now print-escaped for spool files.
+    Observed some $tls_peerdn in wild which contained \n, which resulted
+    in spool file corruption.
+  - TLS fixes for OpenSSL: support TLS 1.1 & 1.2; new "openssl_options"
+    values; set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read
+    or write after TLS renegotiation, which otherwise led to messages
+    "Got SSL error 2".
+  - Bugzilla 1239 - fix DKIM verification when signature was not inserted
+    as a tracking header (ie: a signed header comes before the signature).
+  - Bugzilla 660 - Multi-valued attributes from ldap now parseable as a
+    comma-sep list; embedded commas doubled.
+  - Refactored ACL "verify =" logic to table-driven dispatch.
+  - LDAP: Check for errors of TLS initialisation, to give correct diagnostics.
+  - Removed "dont_insert_empty_fragments" fron "openssl_options".
+    Removed SSL_clear() after SSL_new() which led to protocol negotiation
+    failures.  We appear to now support TLS1.1+ with Exim.
+  - OpenSSL: new expansion var $tls_sni, which if used in tls_certificate
+    lets Exim select keys and certificates based upon TLS SNI from client.
+    Also option tls_sni on SMTP Transports.  Also clear $tls_bits correctly
+    before an outbound SMTP session.  New log_selector, +tls_sni.
+  - Bugzilla 1122 - check localhost_number expansion for failure, avoid
+    NULL dereference.
+  - Revert part of NM/04, it broke log_path containing %D expansions.
+    Left warnings.  Added "eximon gdb" invocation mode.
+  - Defaulting "accept_8bitmime" to true, not false.
+  - Added -bw for inetd wait mode support.
+  - Added PCRE_CONFIG=yes support to Makefile for using pcre-config to
+    locate the relevant includes and libraries.  Made this the default.
+  - Fixed headers_only on smtp transports (was not sending trailing dot).
+    Bugzilla 1246, report and most of solution from Tomasz Kusy.
+  - ${eval } now uses 64-bit and supports a "g" suffix (like to "k" and "m").
+    This may cause build issues on older platforms.
+  - Revamped GnuTLS support, passing tls_require_ciphers to
+    gnutls_priority_init, ignoring Exim options gnutls_require_kx,
+    gnutls_require_mac & gnutls_require_protocols (no longer supported).
+    Added SNI support via GnuTLS too.
+    Made ${randint:..} supplier available, if using not-too-old GnuTLS.
+  - Added EXPERIMENTAL_OCSP for OpenSSL.
+  - Applied dnsdb SPF support patch from Janne Snabb.
+    Applied second patch from Janne, implementing suggestion to default
+    multiple-strings-in-record handling to match SPF spec.
+  - Added expansion variable $tod_epoch_l for a higher-precision time.
+  - Fix DCC dcc_header content corruption (stack memory referenced,
+    read-only, out of scope).
+    Patch from Wolfgang Breyha, report from Stuart Northfield.
+  - Fix three issues highlighted by clang analyser static analysis.
+    Only crash-plausible issue would require the Cambridge-specific
+    iplookup router and a misconfiguration.
+    Report from Marcin Mirosław.
+  - Another attempt to deal with PCRE_PRERELEASE, this one less buggy.
+  - %D in printf continues to cause issues (-Wformat=security), so for
+    now guard some of the printf checks behind WANT_DEEPER_PRINTF_CHECKS.
+    As part of this, removing so much warning spew let me fix some minor
+    real issues in debug logging.
+  - GnuTLS was always using default tls_require_ciphers, due to a missing
+    assignment on my part.  Fixed.
+  - Added tls_dh_max_bits option, defaulting to current hard-coded limit
+    of NSS, for GnuTLS/NSS interop.
+  - Validate tls_require_ciphers on startup, since debugging an invalid
+    string otherwise requires a connection and a bunch more work and it's
+    relatively easy to get wrong.  Should also expose TLS library linkage
+    problems.
+  - Pull in <features.h> on Linux, for some portability edge-cases of
+    64-bit ${eval} (JH/03).
+  - Define _GNU_SOURCE in exim.h; it's needed for some releases of
+    protection layer was required, which is not implemented.  Bugzilla 1254
+  - Overhaul DH prime handling, supply RFC-specified DH primes as built
+    into Exim, default to IKE id 23 from RFC 5114 (2048 bit).  Make
+    tls_dhparam take prime identifiers.  Also unbreak combination of
+    OpenSSL+DH_params+TLSSNI.
+  - Disable SSLv2 by default in OpenSSL support.
+
 -------------------------------------------------------------------
 Sat Mar 17 19:42:30 UTC 2012 - lars@samba.org

--- a/exim.spec
+++ b/exim.spec
@ -43,7 +43,7 @@ Provides:       smtp_daemon
 Requires:       logrotate
 PreReq:         %insserv_prereq %fillup_prereq /usr/sbin/useradd fileutils textutils
 %endif
-Version:        4.77
+Version:        4.80
 Release:        0
 %if %{?build_with_mysql:1}0
 BuildRequires:  mysql-devel
@ -66,8 +66,7 @@ Source13:       apparmor.usr.sbin.exim
 Source20:       http://www.logic.univie.ac.at/~ametzler/debian/exim4manpages/exim4-manpages.tar.bz2
 Source30:       eximstats-html-update.py
 Source31:       eximstats.conf
-Patch:          exim-4.12-tail.patch
-Patch2:         format-security.diff
+Patch:          exim-tail.patch
 %if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0

 %package -n eximon
@ -119,7 +118,6 @@ once, if at all. The rest is done by logrotate / cron.)
 %prep
 %setup -q -n exim-%{version}
 %patch
-%patch2
 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
 %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930
 fPIE="-fPIE"
--- a/format-security.diff
+++ b/format-security.diff
@ -1,146 +0,0 @@
-From: Dirk Mueller <dmueller@suse.com>
-Subject: check format strings
-Reported-Upstream: Yes
-Bugtracker: http://bugs.exim.org/show_bug.cgi?id=1237
-
-Index: exim_monitor/em_log.c
-===================================================================
--- exim_monitor/em_log.c.orig
-+++ exim_monitor/em_log.c
-@@ -56,6 +56,8 @@ static int scrolled = FALSE;
- static int size = 0;
- static int top = 0;
- 
-+static void show_log(char *s, ...) PRINTF_FUNCTION(1,2);
-+
- static void show_log(char *s, ...)
- {
- int length, newtop;
-@@ -362,7 +364,7 @@ link count of zero on the currently open
- if (log_datestamping)
-   {
-   uschar log_file_wanted[256];
-  string_format(log_file_wanted, sizeof(log_file_wanted), CS log_file);
-+  string_format(log_file_wanted, sizeof(log_file_wanted), "%s", CS log_file);
-   if (Ustrcmp(log_file_wanted, log_file_open) != 0)
-     {
-     if (LOG != NULL)
-Index: exim_monitor/em_main.c
-===================================================================
--- exim_monitor/em_main.c.orig
-+++ exim_monitor/em_main.c
-@@ -654,7 +654,7 @@ today.) */
- 
- if (log_file[0] != 0)
-   {
-  (void)string_format(log_file_open, sizeof(log_file_open), CS log_file);
-+  (void)string_format(log_file_open, sizeof(log_file_open), "%s", CS log_file);
-   log_datestamping = string_datestamp_offset >= 0;
- 
-   LOG = fopen(CS log_file_open, "r");
-Index: exim_monitor/em_text.c
-===================================================================
--- exim_monitor/em_text.c.orig
-+++ exim_monitor/em_text.c
-@@ -58,6 +58,8 @@ XawTextSetInsertionPoint(w, text_count);
- *           Display text from format             *
- *************************************************/
- 
-+void text_showf(Widget w, char *s, ...) PRINTF_FUNCTION(2,3);
-+
- void text_showf(Widget w, char *s, ...)
- {
- va_list ap;
-Index: src/demime.c
-===================================================================
--- src/demime.c.orig
-+++ src/demime.c
-@@ -821,7 +821,7 @@ void mime_trigger_error(int level, uscha
-     (void)string_vformat(US f, 16383,(char *)format, ap);
-     va_end(ap);
-     f-=22;
-    log_write(0, LOG_MAIN, f);
-+    log_write(0, LOG_MAIN, "%s", f);
-     /* then copy to demime_reason_buffer if new
-     level is greater than old level */
-     if (level > demime_errorlevel) {
-Index: src/functions.h
-===================================================================
--- src/functions.h.orig
-+++ src/functions.h
-@@ -80,7 +80,7 @@ extern void    decode_bits(unsigned int
-                   int, int, uschar *, bit_table *, int, uschar *, int);
- extern address_item *deliver_make_addr(uschar *, BOOL);
- extern int     deliver_message(uschar *, BOOL, BOOL);
-extern void    deliver_msglog(const char *, ...);
-+extern void    deliver_msglog(const char *, ...) PRINTF_FUNCTION(1,2);
- extern void    deliver_set_expansions(address_item *);
- extern int     deliver_split_address(address_item *);
- extern void    deliver_succeeded(address_item *);
-@@ -180,9 +180,9 @@ extern int     mime_regex(uschar **);
- extern uschar *moan_check_errorcopy(uschar *);
- extern BOOL    moan_skipped_syntax_errors(uschar *, error_block *, uschar *,
-                  BOOL, uschar *);
-extern void    moan_smtp_batch(uschar *, const char *, ...);
-+extern void    moan_smtp_batch(uschar *, const char *, ...) PRINTF_FUNCTION(2,3);
- extern void    moan_tell_someone(uschar *, address_item *,
-                 const uschar *, const char *, ...);
-+                 const uschar *, const char *, ...) PRINTF_FUNCTION(4,5);
- extern BOOL    moan_to_sender(int, error_block *, header_line *, FILE *, BOOL);
- extern void    moan_write_from(FILE *);
- extern FILE   *modefopen(const uschar *, const char *, mode_t);
-@@ -270,7 +270,7 @@ extern int     search_findtype_partial(u
-                  int *);
- extern void   *search_open(uschar *, int, int, uid_t *, gid_t *);
- extern void    search_tidyup(void);
-extern void    set_process_info(const char *, ...);
-+extern void    set_process_info(const char *, ...) PRINTF_FUNCTION(1,2);
- extern void    sha1_end(sha1 *, const uschar *, int, uschar *);
- extern void    sha1_mid(sha1 *, const uschar *);
- extern void    sha1_start(sha1 *);
-@@ -298,7 +298,7 @@ extern int     smtp_setup_msg(void);
- extern BOOL    smtp_start_session(void);
- extern int     smtp_ungetc(int);
- extern BOOL    smtp_verify_helo(void);
-extern int     smtp_write_command(smtp_outblock *, BOOL, const char *, ...);
-+extern int     smtp_write_command(smtp_outblock *, BOOL, const char *, ...) PRINTF_FUNCTION(3,4);
- #ifdef WITH_CONTENT_SCAN
- extern int     spam(uschar **);
- extern FILE   *spool_mbox(unsigned long *, uschar *);
-@@ -320,13 +320,13 @@ extern uschar *string_copy_malloc(uschar
- extern uschar *string_copylc(uschar *);
- extern uschar *string_copynlc(uschar *, int);
- extern uschar *string_dequote(uschar **);
-extern BOOL    string_format(uschar *, int, const char *, ...);
-+extern BOOL    string_format(uschar *, int, const char *, ...) PRINTF_FUNCTION(3,4);
- extern uschar *string_format_size(int, uschar *);
- extern int     string_interpret_escape(uschar **);
- extern int     string_is_ip_address(uschar *, int *);
- extern uschar *string_log_address(address_item *, BOOL, BOOL);
- extern uschar *string_nextinlist(uschar **, int *, uschar *, int);
-extern uschar *string_open_failed(int, const char *, ...);
-+extern uschar *string_open_failed(int, const char *, ...) PRINTF_FUNCTION(2,3);
- extern uschar *string_printing2(uschar *, BOOL);
- extern uschar *string_split_message(uschar *);
- extern BOOL    string_vformat(uschar *, int, const char *, va_list);
-Index: src/local_scan.h
-===================================================================
--- src/local_scan.h.orig
-+++ src/local_scan.h
-@@ -173,7 +173,7 @@ extern void    header_add_at_position(BO
- extern void    header_remove(int, const uschar *);
- extern BOOL    header_testname(header_line *, const uschar *, int, BOOL);
- extern BOOL    header_testname_incomplete(header_line *, const uschar *, int, BOOL);
-extern void    log_write(unsigned int, int, const char *format, ...);
-+extern void    log_write(unsigned int, int, const char *format, ...) PRINTF_FUNCTION(3,4);
- extern int     lss_b64decode(uschar *, uschar **);
- extern uschar *lss_b64encode(uschar *, int);
- extern int     lss_match_domain(uschar *, uschar *);
-@@ -188,6 +188,6 @@ extern void    smtp_printf(const char *,
- extern void    smtp_vprintf(const char *, va_list);
- extern uschar *string_copy(uschar *);
- extern uschar *string_copyn(uschar *, int);
-extern uschar *string_sprintf(const char *, ...);
-+extern uschar *string_sprintf(const char *, ...) PRINTF_FUNCTION(1,2);
- 
- /* End of local_scan.h */