pool/exim
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- update to 4.80

Browse Source 
- Bugzilla 949 - Documentation tweak.
  - Bugzilla 1093 - eximstats DATA reject detection regexps improved.
  - Bugzilla 1169 - primary_hostname spelling was incorrect in docs.
  - Implemented gsasl authenticator.
  - Implemented heimdal_gssapi authenticator with "server_keytab" option.
  - Local/Makefile support for (AUTH|LOOKUP)_*_PC=foo to use
    `pkg-config foo` for cflags/libs.
  - Swapped $auth1/$auth2 for gsasl GSSAPI mechanism, to be more consistent
    with rest of GSASL and with heimdal_gssapi.
  - Local/Makefile support for USE_(GNUTLS|OPENSSL)_PC=foo to use
    `pkg-config foo` for cflags/libs for the TLS implementation.
  - New expansion variable $tls_bits; Cyrus SASL server connection
    properties get this fed in as external SSF.  A number of robustness
    and debugging improvements to the cyrus_sasl authenticator.
  - cyrus_sasl server now expands the server_realm option.
  - Bugzilla 1214 - Log authentication information in reject log.
  - Added dbmjz lookup type.
  - Let heimdal_gssapi authenticator take a SASL message without an authzid.
  - MAIL args handles TAB as well as SP, for better interop with
    non-compliant senders.
  - Bugzilla 1237 - fix cases where printf format usage not indicated.
  - tls_peerdn now print-escaped for spool files.
    Observed some $tls_peerdn in wild which contained \n, which resulted
    in spool file corruption.
  - TLS fixes for OpenSSL: support TLS 1.1 & 1.2; new "openssl_options"
    values; set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read
    or write after TLS renegotiation, which otherwise led to messages
    "Got SSL error 2".
  - Bugzilla 1239 - fix DKIM verification when signature was not inserted
    as a tracking header (ie: a signed header comes before the signature).
  - Bugzilla 660 - Multi-valued attributes from ldap now parseable as a
    comma-sep list; embedded commas doubled.
  - Refactored ACL "verify =" logic to table-driven dispatch.
  - LDAP: Check for errors of TLS initialisation, to give correct diagnostics.
  - Removed "dont_insert_empty_fragments" fron "openssl_options".
    Removed SSL_clear() after SSL_new() which led to protocol negotiation
    failures.  We appear to now support TLS1.1+ with Exim.
  - OpenSSL: new expansion var $tls_sni, which if used in tls_certificate
    lets Exim select keys and certificates based upon TLS SNI from client.
    Also option tls_sni on SMTP Transports.  Also clear $tls_bits correctly
    before an outbound SMTP session.  New log_selector, +tls_sni.
  - Bugzilla 1122 - check localhost_number expansion for failure, avoid
    NULL dereference.
  - Revert part of NM/04, it broke log_path containing %D expansions.
    Left warnings.  Added "eximon gdb" invocation mode.
  - Defaulting "accept_8bitmime" to true, not false.
  - Added -bw for inetd wait mode support.
  - Added PCRE_CONFIG=yes support to Makefile for using pcre-config to
    locate the relevant includes and libraries.  Made this the default.
  - Fixed headers_only on smtp transports (was not sending trailing dot).
    Bugzilla 1246, report and most of solution from Tomasz Kusy.
  - ${eval } now uses 64-bit and supports a "g" suffix (like to "k" and "m").
    This may cause build issues on older platforms.
  - Revamped GnuTLS support, passing tls_require_ciphers to
    gnutls_priority_init, ignoring Exim options gnutls_require_kx,
    gnutls_require_mac & gnutls_require_protocols (no longer supported).
    Added SNI support via GnuTLS too.
    Made ${randint:..} supplier available, if using not-too-old GnuTLS.
  - Added EXPERIMENTAL_OCSP for OpenSSL.
  - Applied dnsdb SPF support patch from Janne Snabb.
    Applied second patch from Janne, implementing suggestion to default
    multiple-strings-in-record handling to match SPF spec.
  - Added expansion variable $tod_epoch_l for a higher-precision time.
  - Fix DCC dcc_header content corruption (stack memory referenced,
    read-only, out of scope).
    Patch from Wolfgang Breyha, report from Stuart Northfield.
  - Fix three issues highlighted by clang analyser static analysis.
    Only crash-plausible issue would require the Cambridge-specific
    iplookup router and a misconfiguration.
    Report from Marcin Mirosław.
  - Another attempt to deal with PCRE_PRERELEASE, this one less buggy.
  - %D in printf continues to cause issues (-Wformat=security), so for
    now guard some of the printf checks behind WANT_DEEPER_PRINTF_CHECKS.
    As part of this, removing so much warning spew let me fix some minor
    real issues in debug logging.
  - GnuTLS was always using default tls_require_ciphers, due to a missing
    assignment on my part.  Fixed.
  - Added tls_dh_max_bits option, defaulting to current hard-coded limit
    of NSS, for GnuTLS/NSS interop.
  - Validate tls_require_ciphers on startup, since debugging an invalid
    string otherwise requires a connection and a bunch more work and it's
    relatively easy to get wrong.  Should also expose TLS library linkage
    problems.
  - Pull in <features.h> on Linux, for some portability edge-cases of
    64-bit ${eval} (JH/03).
  - Define _GNU_SOURCE in exim.h; it's needed for some releases of
    protection layer was required, which is not implemented.  Bugzilla 1254
  - Overhaul DH prime handling, supply RFC-specified DH primes as built
    into Exim, default to IKE id 23 from RFC 5114 (2048 bit).  Make
    tls_dhparam take prime identifiers.  Also unbreak combination of
    OpenSSL+DH_params+TLSSNI.
  - Disable SSLv2 by default in OpenSSL support.

OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=122
This commit is contained in:
Lars Müller 2012-08-19 14:12:43 +00:00 committed by Git OBS Bridge
parent a65dd7b580
commit 5861db2a32
6 changed files with 102 additions and 153 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
exim-4.77.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0ccc13cf2f052b1163fcdf71c55a3578765050848ba413a6473d3ab5d20b1475
size 1576148

3
exim-4.80.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:787b6defd37fa75311737bcfc42e9e2b2cc62c5d027eed35bb7d800b2d9a0984
size 1649827

0
exim-4.12-tail.patch → exim-tail.patch
View File

97
exim.changes
View File

@ -1,3 +1,100 @@
-------------------------------------------------------------------
Sun Aug 19 13:36:59 UTC 2012 - lars@samba.org
- update to 4.80
- Bugzilla 949 - Documentation tweak.
- Bugzilla 1093 - eximstats DATA reject detection regexps improved.
- Bugzilla 1169 - primary_hostname spelling was incorrect in docs.
- Implemented gsasl authenticator.
- Implemented heimdal_gssapi authenticator with "server_keytab" option.
- Local/Makefile support for (AUTH|LOOKUP)_*_PC=foo to use
`pkg-config foo` for cflags/libs.
- Swapped $auth1/$auth2 for gsasl GSSAPI mechanism, to be more consistent
with rest of GSASL and with heimdal_gssapi.
- Local/Makefile support for USE_(GNUTLS|OPENSSL)_PC=foo to use
`pkg-config foo` for cflags/libs for the TLS implementation.
- New expansion variable $tls_bits; Cyrus SASL server connection
properties get this fed in as external SSF. A number of robustness
and debugging improvements to the cyrus_sasl authenticator.
- cyrus_sasl server now expands the server_realm option.
- Bugzilla 1214 - Log authentication information in reject log.
- Added dbmjz lookup type.
- Let heimdal_gssapi authenticator take a SASL message without an authzid.
- MAIL args handles TAB as well as SP, for better interop with
non-compliant senders.
- Bugzilla 1237 - fix cases where printf format usage not indicated.
- tls_peerdn now print-escaped for spool files.
Observed some $tls_peerdn in wild which contained \n, which resulted
in spool file corruption.
- TLS fixes for OpenSSL: support TLS 1.1 & 1.2; new "openssl_options"
values; set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read
or write after TLS renegotiation, which otherwise led to messages
"Got SSL error 2".
- Bugzilla 1239 - fix DKIM verification when signature was not inserted
as a tracking header (ie: a signed header comes before the signature).
- Bugzilla 660 - Multi-valued attributes from ldap now parseable as a
comma-sep list; embedded commas doubled.
- Refactored ACL "verify =" logic to table-driven dispatch.
- LDAP: Check for errors of TLS initialisation, to give correct diagnostics.
- Removed "dont_insert_empty_fragments" fron "openssl_options".
Removed SSL_clear() after SSL_new() which led to protocol negotiation
failures. We appear to now support TLS1.1+ with Exim.
- OpenSSL: new expansion var $tls_sni, which if used in tls_certificate
lets Exim select keys and certificates based upon TLS SNI from client.
Also option tls_sni on SMTP Transports. Also clear $tls_bits correctly
before an outbound SMTP session. New log_selector, +tls_sni.
- Bugzilla 1122 - check localhost_number expansion for failure, avoid
NULL dereference.
- Revert part of NM/04, it broke log_path containing %D expansions.
Left warnings. Added "eximon gdb" invocation mode.
- Defaulting "accept_8bitmime" to true, not false.
- Added -bw for inetd wait mode support.
- Added PCRE_CONFIG=yes support to Makefile for using pcre-config to
locate the relevant includes and libraries. Made this the default.
- Fixed headers_only on smtp transports (was not sending trailing dot).
Bugzilla 1246, report and most of solution from Tomasz Kusy.
- ${eval } now uses 64-bit and supports a "g" suffix (like to "k" and "m").
This may cause build issues on older platforms.
- Revamped GnuTLS support, passing tls_require_ciphers to
gnutls_priority_init, ignoring Exim options gnutls_require_kx,
gnutls_require_mac & gnutls_require_protocols (no longer supported).
Added SNI support via GnuTLS too.
Made ${randint:..} supplier available, if using not-too-old GnuTLS.
- Added EXPERIMENTAL_OCSP for OpenSSL.
- Applied dnsdb SPF support patch from Janne Snabb.
Applied second patch from Janne, implementing suggestion to default
multiple-strings-in-record handling to match SPF spec.
- Added expansion variable $tod_epoch_l for a higher-precision time.
- Fix DCC dcc_header content corruption (stack memory referenced,
read-only, out of scope).
Patch from Wolfgang Breyha, report from Stuart Northfield.
- Fix three issues highlighted by clang analyser static analysis.
Only crash-plausible issue would require the Cambridge-specific
iplookup router and a misconfiguration.
Report from Marcin Mirosław.
- Another attempt to deal with PCRE_PRERELEASE, this one less buggy.
- %D in printf continues to cause issues (-Wformat=security), so for
now guard some of the printf checks behind WANT_DEEPER_PRINTF_CHECKS.
As part of this, removing so much warning spew let me fix some minor
real issues in debug logging.
- GnuTLS was always using default tls_require_ciphers, due to a missing
assignment on my part. Fixed.
- Added tls_dh_max_bits option, defaulting to current hard-coded limit
of NSS, for GnuTLS/NSS interop.
- Validate tls_require_ciphers on startup, since debugging an invalid
string otherwise requires a connection and a bunch more work and it's
relatively easy to get wrong. Should also expose TLS library linkage
problems.
- Pull in <features.h> on Linux, for some portability edge-cases of
64-bit ${eval} (JH/03).
- Define _GNU_SOURCE in exim.h; it's needed for some releases of
protection layer was required, which is not implemented. Bugzilla 1254
- Overhaul DH prime handling, supply RFC-specified DH primes as built
into Exim, default to IKE id 23 from RFC 5114 (2048 bit). Make
tls_dhparam take prime identifiers. Also unbreak combination of
OpenSSL+DH_params+TLSSNI.
- Disable SSLv2 by default in OpenSSL support.
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Mar 17 19:42:30 UTC 2012 - lars@samba.org Sat Mar 17 19:42:30 UTC 2012 - lars@samba.org

6
exim.spec
View File

@ -43,7 +43,7 @@ Provides: smtp_daemon
Requires: logrotate Requires: logrotate
PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd fileutils textutils PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd fileutils textutils
%endif %endif
Version: 4.77 Version: 4.80
Release: 0 Release: 0
%if %{?build_with_mysql:1}0 %if %{?build_with_mysql:1}0
BuildRequires: mysql-devel BuildRequires: mysql-devel
@ -66,8 +66,7 @@ Source13: apparmor.usr.sbin.exim
Source20: http://www.logic.univie.ac.at/~ametzler/debian/exim4manpages/exim4-manpages.tar.bz2 Source20: http://www.logic.univie.ac.at/~ametzler/debian/exim4manpages/exim4-manpages.tar.bz2
Source30: eximstats-html-update.py Source30: eximstats-html-update.py
Source31: eximstats.conf Source31: eximstats.conf
Patch: exim-4.12-tail.patch Patch: exim-tail.patch
Patch2: format-security.diff
%if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 %if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0
%package -n eximon %package -n eximon
@ -119,7 +118,6 @@ once, if at all. The rest is done by logrotate / cron.)
%prep %prep
%setup -q -n exim-%{version} %setup -q -n exim-%{version}
%patch %patch
%patch2
# build with fPIE/pie on SUSE 10.0 or newer, or on any other platform # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
%if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930 %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930
fPIE="-fPIE" fPIE="-fPIE"

146
format-security.diff
View File

@ -1,146 +0,0 @@
From: Dirk Mueller <dmueller@suse.com>
Subject: check format strings
Reported-Upstream: Yes
Bugtracker: http://bugs.exim.org/show_bug.cgi?id=1237
Index: exim_monitor/em_log.c
===================================================================
--- exim_monitor/em_log.c.orig
+++ exim_monitor/em_log.c
@@ -56,6 +56,8 @@ static int scrolled = FALSE;
static int size = 0;
static int top = 0;
+static void show_log(char *s, ...) PRINTF_FUNCTION(1,2);
+
static void show_log(char *s, ...)
{
int length, newtop;
@@ -362,7 +364,7 @@ link count of zero on the currently open
if (log_datestamping)
{
uschar log_file_wanted[256];
- string_format(log_file_wanted, sizeof(log_file_wanted), CS log_file);
+ string_format(log_file_wanted, sizeof(log_file_wanted), "%s", CS log_file);
if (Ustrcmp(log_file_wanted, log_file_open) != 0)
{
if (LOG != NULL)
Index: exim_monitor/em_main.c
===================================================================
--- exim_monitor/em_main.c.orig
+++ exim_monitor/em_main.c
@@ -654,7 +654,7 @@ today.) */
if (log_file[0] != 0)
{
- (void)string_format(log_file_open, sizeof(log_file_open), CS log_file);
+ (void)string_format(log_file_open, sizeof(log_file_open), "%s", CS log_file);
log_datestamping = string_datestamp_offset >= 0;
LOG = fopen(CS log_file_open, "r");
Index: exim_monitor/em_text.c
===================================================================
--- exim_monitor/em_text.c.orig
+++ exim_monitor/em_text.c
@@ -58,6 +58,8 @@ XawTextSetInsertionPoint(w, text_count);
* Display text from format *
*************************************************/
+void text_showf(Widget w, char *s, ...) PRINTF_FUNCTION(2,3);
+
void text_showf(Widget w, char *s, ...)
{
va_list ap;
Index: src/demime.c
===================================================================
--- src/demime.c.orig
+++ src/demime.c
@@ -821,7 +821,7 @@ void mime_trigger_error(int level, uscha
(void)string_vformat(US f, 16383,(char *)format, ap);
va_end(ap);
f-=22;
- log_write(0, LOG_MAIN, f);
+ log_write(0, LOG_MAIN, "%s", f);
/* then copy to demime_reason_buffer if new
level is greater than old level */
if (level > demime_errorlevel) {
Index: src/functions.h
===================================================================
--- src/functions.h.orig
+++ src/functions.h
@@ -80,7 +80,7 @@ extern void decode_bits(unsigned int
int, int, uschar *, bit_table *, int, uschar *, int);
extern address_item *deliver_make_addr(uschar *, BOOL);
extern int deliver_message(uschar *, BOOL, BOOL);
-extern void deliver_msglog(const char *, ...);
+extern void deliver_msglog(const char *, ...) PRINTF_FUNCTION(1,2);
extern void deliver_set_expansions(address_item *);
extern int deliver_split_address(address_item *);
extern void deliver_succeeded(address_item *);
@@ -180,9 +180,9 @@ extern int mime_regex(uschar **);
extern uschar *moan_check_errorcopy(uschar *);
extern BOOL moan_skipped_syntax_errors(uschar *, error_block *, uschar *,
BOOL, uschar *);
-extern void moan_smtp_batch(uschar *, const char *, ...);
+extern void moan_smtp_batch(uschar *, const char *, ...) PRINTF_FUNCTION(2,3);
extern void moan_tell_someone(uschar *, address_item *,
- const uschar *, const char *, ...);
+ const uschar *, const char *, ...) PRINTF_FUNCTION(4,5);
extern BOOL moan_to_sender(int, error_block *, header_line *, FILE *, BOOL);
extern void moan_write_from(FILE *);
extern FILE *modefopen(const uschar *, const char *, mode_t);
@@ -270,7 +270,7 @@ extern int search_findtype_partial(u
int *);
extern void *search_open(uschar *, int, int, uid_t *, gid_t *);
extern void search_tidyup(void);
-extern void set_process_info(const char *, ...);
+extern void set_process_info(const char *, ...) PRINTF_FUNCTION(1,2);
extern void sha1_end(sha1 *, const uschar *, int, uschar *);
extern void sha1_mid(sha1 *, const uschar *);
extern void sha1_start(sha1 *);
@@ -298,7 +298,7 @@ extern int smtp_setup_msg(void);
extern BOOL smtp_start_session(void);
extern int smtp_ungetc(int);
extern BOOL smtp_verify_helo(void);
-extern int smtp_write_command(smtp_outblock *, BOOL, const char *, ...);
+extern int smtp_write_command(smtp_outblock *, BOOL, const char *, ...) PRINTF_FUNCTION(3,4);
#ifdef WITH_CONTENT_SCAN
extern int spam(uschar **);
extern FILE *spool_mbox(unsigned long *, uschar *);
@@ -320,13 +320,13 @@ extern uschar *string_copy_malloc(uschar
extern uschar *string_copylc(uschar *);
extern uschar *string_copynlc(uschar *, int);
extern uschar *string_dequote(uschar **);
-extern BOOL string_format(uschar *, int, const char *, ...);
+extern BOOL string_format(uschar *, int, const char *, ...) PRINTF_FUNCTION(3,4);
extern uschar *string_format_size(int, uschar *);
extern int string_interpret_escape(uschar **);
extern int string_is_ip_address(uschar *, int *);
extern uschar *string_log_address(address_item *, BOOL, BOOL);
extern uschar *string_nextinlist(uschar **, int *, uschar *, int);
-extern uschar *string_open_failed(int, const char *, ...);
+extern uschar *string_open_failed(int, const char *, ...) PRINTF_FUNCTION(2,3);
extern uschar *string_printing2(uschar *, BOOL);
extern uschar *string_split_message(uschar *);
extern BOOL string_vformat(uschar *, int, const char *, va_list);
Index: src/local_scan.h
===================================================================
--- src/local_scan.h.orig
+++ src/local_scan.h
@@ -173,7 +173,7 @@ extern void header_add_at_position(BO
extern void header_remove(int, const uschar *);
extern BOOL header_testname(header_line *, const uschar *, int, BOOL);
extern BOOL header_testname_incomplete(header_line *, const uschar *, int, BOOL);
-extern void log_write(unsigned int, int, const char *format, ...);
+extern void log_write(unsigned int, int, const char *format, ...) PRINTF_FUNCTION(3,4);
extern int lss_b64decode(uschar *, uschar **);
extern uschar *lss_b64encode(uschar *, int);
extern int lss_match_domain(uschar *, uschar *);
@@ -188,6 +188,6 @@ extern void smtp_printf(const char *,
extern void smtp_vprintf(const char *, va_list);
extern uschar *string_copy(uschar *);
extern uschar *string_copyn(uschar *, int);
-extern uschar *string_sprintf(const char *, ...);
+extern uschar *string_sprintf(const char *, ...) PRINTF_FUNCTION(1,2);
/* End of local_scan.h */