From 1b5934349354d371dfd09372d6f75ac1954e9d6c7ca3236385d89e008c54a9f3 Mon Sep 17 00:00:00 2001 
From: Dirk Mueller
Date: Thu, 15 Feb 2018 11:52:20 +0000
Subject: [PATCH 1/3] Accepting request 576288 from home:kbabioch:branches:server:mail

- update to 4.90.1
  * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly during configuration. Wildcards are allowed and expanded.
  * Shorten the log line for daemon startup by collapsing adjacent sets of identical IP addresses on different listening ports. Will also affect "exiwhat" output.
  * Tighten up the checking in isip4 (et al): dotted-quad components larger than 255 are no longer allowed.
  * Default openssl_options to include +no_ticket, to reduce load on peers. Disable the session-cache too, which might reduce our load. Since we currently use a new context for every connection, both as server and client, there is no benefit for these.
  * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at .
  * Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously the check for any unsuccessful recipients did not notice the limit, and erroneously found still-pending ones.
  * Pipeline CHUNKING command and data together, on kernels that support MSG_MORE. Only in-clear (not on TLS connections).
  * Avoid using a temporary file during transport using dkim. Unless a transport-filter is involved we can buffer the headers in memory for creating the signature, and read the spool data file once for the signature and again for transmission.
  * Enable use of sendfile in Linux builds as default. It was disabled in 4.77 as the kernel support then wasn't solid, having issues in 64bit mode. Now, it's been long enough. Add support for FreeBSD also.
  * Add commandline_checks_require_admin option.
  * Do pipelining under TLS.
  * For the "sock" variant of the malware scanner interface, accept an empty cmdline element to get the documented default one. Previously it was inaccessible.
  * Prevent repeated use of -p/-oMr
  * DKIM: enforce the DNS pubkey record "h" permitted-hashes optional field, if present.
  * DKIM: when a message has multiple signatures matching an identity given in dkim_verify_signers, run the dkim acl once for each.
  * Support IDNA2008.
  * The path option on a pipe transport is now expanded before use
  * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.
- Several bug fixes
- Fix for buffer overflow in base64decode() (bsc#1079832 CVE-2018-6789)
- removed patches (included upstream now):
  * exim-CVE-2017-1000369.patch
  * exim-CVE-2017-16943.patch
  * exim-CVE-2017-16944.patch
  * exim-4.86.2-mariadb_102_compile_fix.patch

old: server:mail/exim
new: home:kbabioch:branches:server:mail/exim rev None

Index: exim.changes =================================================================== --- exim.changes (revision 200) +++ exim.changes (revision 4) 
@@ -1,4 +1,54 @@ ------------------------------------------------------------------- +Tue Feb 13 13:39:34 UTC 2018 - kbabioch@suse.com + +- update to 4.90.1 + * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly + during configuration. Wildcards are allowed and expanded. + * Shorten the log line for daemon startup by collapsing adjacent sets of + identical IP addresses on different listening ports. Will also affect + "exiwhat" output. + * Tighten up the checking in isip4 (et al): dotted-quad components larger + than 255 are no longer allowed. + * Default openssl_options to include +no_ticket, to reduce load on peers. + Disable the session-cache too, which might reduce our load. Since we + currrectly use a new context for every connection, both as server and + client, there is no benefit for these. + * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at + . + * Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously + the check for any unsuccessful recipients did not notice the limit, and + erroneously found still-pending ones. + * Pipeline CHUNKING command and data together, on kernels that support + MSG_MORE. Only in-clear (not on TLS connections). + * Avoid using a temporary file during transport using dkim. Unless a + transport-filter is involved we can buffer the headers in memory for + creating the signature, and read the spool data file once for the + signature and again for transmission. + * Enable use of sendfile in Linux builds as default. It was disabled in + 4.77 as the kernel support then wasn't solid, having issues in 64bit + mode. Now, it's been long enough. Add support for FreeBSD also. + * Add commandline_checks_require_admin option. + * Do pipelining under TLS. + * For the "sock" variant of the malware scanner interface, accept an empty + cmdline element to get the documented default one. Previously it was + inaccessible. 
+ * Prevent repeated use of -p/-oMr + * DKIM: enforce the DNS pubkey record "h" permitted-hashes optional field, + if present. + * DKIM: when a message has multiple signatures matching an identity given + in dkim_verify_signers, run the dkim acl once for each. + * Support IDNA2008. + * The path option on a pipe transport is now expanded before use + * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined. +- Several bug fixes +- Fix for buffer overflow in base64decode() (bsc#1079832 CVE-2018-6789) +- removed patches (included upstream now): + * exim-CVE-2017-1000369.patch + * exim-CVE-2017-16943.patch + * exim-CVE-2017-16944.patch + * exim-4.86.2-mariadb_102_compile_fix.patch + +------------------------------------------------------------------- Thu Nov 30 08:32:50 UTC 2017 - wullinger@rz.uni-kiel.de - add exim-CVE-2017-16944.patch: Index: exim.spec =================================================================== --- exim.spec (revision 200) +++ exim.spec (revision 4) @@ -1,7 +1,7 @@ # # spec file for package exim # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -78,7 +78,7 @@ %endif Requires(pre): fileutils textutils %endif -Version: 4.88 +Version: 4.90.1 Release: 0 %if %{with_mysql} BuildRequires: mysql-devel @@ -93,8 +93,8 @@ License: GPL-2.0+ Group: Productivity/Networking/Email/Servers BuildRoot: %{_tmppath}/%{name}-%{version}-build -Source: http://ftp.exim.org/pub/exim/exim4/old/exim-%{version}.tar.bz2 -Source3: http://ftp.exim.org/pub/exim/exim4/old/exim-%{version}.tar.bz2.asc +Source: http://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.bz2 +Source3: http://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.bz2.asc # http://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc Source4: exim.keyring Source1: sysconfig.exim 
@@ -107,10 +107,6 @@ Source32: eximstats.conf-2.2 Source40: exim.service Patch0: exim-tail.patch -Patch3: exim-CVE-2017-1000369.patch -Patch4: exim-CVE-2017-16943.patch -Patch5: exim-CVE-2017-16944.patch -Patch6: exim-4.86.2-mariadb_102_compile_fix.patch %package -n eximon Summary: Eximon, an graphical frontend to administer Exim's mail queue @@ -153,10 +149,6 @@ %prep %setup -q -n exim-%{version} %patch0 -%patch3 -p 1 -%patch4 -p 1 -%patch5 -p 1 -%patch6 -p 1 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930 fPIE="-fPIE" @@ -328,7 +320,7 @@ inst_info=$RPM_BUILD_ROOT/%{_infodir} \ INSTALL_ARG=-no_chown install #mv $RPM_BUILD_ROOT/usr/sbin/exim-%{version}* $RPM_BUILD_ROOT/usr/sbin/exim -mv $RPM_BUILD_ROOT/usr/sbin/exim-4.8* $RPM_BUILD_ROOT/usr/sbin/exim +mv $RPM_BUILD_ROOT/usr/sbin/exim-4.9* $RPM_BUILD_ROOT/usr/sbin/exim mv $RPM_BUILD_ROOT/etc/exim/exim.conf src/configure.default # with all substitutions done %if 0%{?suse_version} > 1220 install -m 0644 %{S:40} $RPM_BUILD_ROOT/%{_unitdir}/exim.service Index: exim-4.90.1.tar.bz2 =================================================================== Binary file exim-4.90.1.tar.bz2 (revision 4) added Index: exim-4.90.1.tar.bz2.asc =================================================================== --- exim-4.90.1.tar.bz2.asc (added) +++ exim-4.90.1.tar.bz2.asc (revision 4) 
@@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEE0L/WueylaUpvFJ3Or0zGdqa2wUIFAlp8U0MACgkQr0zGdqa2 +wUKEiwf9GmNYK5sbmpi/c2TdfPqsqU1o76l3PoTt+kxSQi5t4j30dsqZdWvzvkuj +k+/x1SsDRg44+wv19ynnYH4tSCZ3QSwTevyfXvR7bSGpSTCN0tTnaWm/AuBXNC8D +9lukQckwdZckVNciRriVCLi9VTymV/tdnIxowQu/WfdEzFTXDeYzu3KoioG+jKAV +MWhnyUDfhPYPYs+u8IKdFDE3Z9bO/I/EbgTHiR6PetLWusSugrp/MyJjICp8HsvI +f/pMj+rytJo2hOnI9x/wpUiXb7XnnQnph3mic5BQU4DF+tI6dK1zTS66PyTYAoNI +p6Po3uLY/umKYT+W6jxURPfC2TH1+A== +=k4cD +-----END PGP SIGNATURE----- Index: exim-4.86.2-mariadb_102_compile_fix.patch =================================================================== --- exim-4.86.2-mariadb_102_compile_fix.patch (revision 200) +++ exim-4.86.2-mariadb_102_compile_fix.patch (deleted) 
@@ -1,94 +0,0 @@ -Index: exim-4.86.2/src/lookups/mysql.c -=================================================================== ---- exim-4.86.2.orig/src/lookups/mysql.c -+++ exim-4.86.2/src/lookups/mysql.c -@@ -14,6 +14,53 @@ functions. */ - - #include /* The system header */ - -+/* We define symbols for *_VERSION_ID (numeric), *_VERSION_STR (char*) -+and *_BASE_STR (char*). It's a bit of guesswork. Especially for mariadb -+with versions before 10.2, as they do not define there there specific symbols. -+*/ -+ -+// Newer (>= 10.2) MariaDB -+#if defined MARIADB_VERSION_ID -+#define EXIM_MxSQL_VERSION_ID MARIADB_VERSION_ID -+ -+// MySQL defines MYSQL_VERSION_ID, and MariaDB does so -+// https://dev.mysql.com/doc/refman/5.7/en/c-api-server-client-versions.html -+#elif defined LIBMYSQL_VERSION_ID -+#define EXIM_MxSQL_VERSION_ID LIBMYSQL_VERSION_ID -+#elif defined MYSQL_VERSION_ID -+#define EXIM_MxSQL_VERSION_ID MYSQL_VERSION_ID -+ -+#else -+#define EXIM_MYSQL_VERSION_ID 0 -+#endif -+ -+// Newer (>= 10.2) MariaDB -+#ifdef MARIADB_CLIENT_VERSION_STR -+#define EXIM_MxSQL_VERSION_STR MARIADB_CLIENT_VERSION_STR -+ -+// Mysql uses MYSQL_SERVER_VERSION -+#elif defined LIBMYSQL_VERSION -+#define EXIM_MxSQL_VERSION_STR LIBMYSQL_VERSION -+#elif defined MYSQL_SERVER_VERSION -+#define EXIM_MxSQL_VERSION_STR MYSQL_SERVER_VERSION -+ -+#else -+#define EXIM_MxSQL_VERSION_STR "N.A." -+#endif -+ -+#if defined MARIADB_BASE_VERSION -+#define EXIM_MxSQL_BASE_STR MARIADB_BASE_VERSION -+ -+#elif defined MARIADB_PACKAGE_VERSION -+#define EXIM_MxSQL_BASE_STR "mariadb" -+ -+#elif defined MYSQL_BASE_VERSION -+#define EXIM_MxSQL_BASE_STR MYSQL_BASE_VERSION -+ -+#else -+#define EXIM_MxSQL_BASE_STR "n.A." -+#endif -+ - - /* Structure and anchor for caching connections. 
*/ - -@@ -423,10 +470,10 @@ return quoted; - void - mysql_version_report(FILE *f) - { --fprintf(f, "Library version: MySQL: Compile: %s [%s]\n" -- " Runtime: %s\n", -- MYSQL_SERVER_VERSION, MYSQL_COMPILATION_COMMENT, -- mysql_get_client_info()); -+fprintf(f, "Library version: MySQL: Compile: %lu %s [%s]\n" -+ " Runtime: %lu %s\n", -+ (long)EXIM_MxSQL_VERSION_ID, EXIM_MxSQL_VERSION_STR, EXIM_MxSQL_BASE_STR, -+ mysql_get_client_version(), mysql_get_client_info()); - #ifdef DYNLOOKUP - fprintf(f, " Exim version %s\n", EXIM_VERSION_STR); - #endif -Index: exim-4.86.2/src/EDITME -=================================================================== ---- exim-4.86.2.orig/src/EDITME -+++ exim-4.86.2/src/EDITME -@@ -253,7 +253,7 @@ TRANSPORT_SMTP=yes - # you perform upgrades and revert them. You should consider the benefit of - # embedding the Exim version number into LOOKUP_MODULE_DIR, so that you can - # maintain two concurrent sets of modules. --# -+# - # *BEWARE*: ability to modify the files in LOOKUP_MODULE_DIR is equivalent to - # the ability to modify the Exim binary, which is often setuid root! The Exim - # developers only intend this functionality be used by OS software packagers -@@ -301,6 +301,7 @@ LOOKUP_DNSDB=yes - # LOOKUP_IBASE=yes - # LOOKUP_LDAP=yes - # LOOKUP_MYSQL=yes -+# LOOKUP_MYSQL_PC=mariadb - # LOOKUP_NIS=yes - # LOOKUP_NISPLUS=yes - # LOOKUP_ORACLE=yes Index: exim-4.88.tar.bz2 =================================================================== Binary file exim-4.88.tar.bz2 (revision 200) deleted Index: exim-4.88.tar.bz2.asc =================================================================== --- exim-4.88.tar.bz2.asc (revision 200) +++ exim-4.88.tar.bz2.asc (deleted) 
@@ -1,10 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEcBAABAgAGBQJYVqBoAAoJELzljIzkHzLf5vIH/R4gcGqdEwGkFDRwQA5ImNif -USPeSli63U2tL2YRpf8E/sMWlf2ywZl9vGkVWhvYFvMWI4gn+hNAh0jUj2BakCdI -aEjUk0KSA0nXHzIGmNyf0lAcC1VONRq0KLxfQvlGF8RrKnBL7urg46EVFagmU8g9 -m3KVHPjv1cUIICZdJVWICUChjjm23pBvtqr1M9TgUAhWQU0FaG9dmgY2Kh4s2pnG -0o+llbQdU1hvtk0lTMzZYmYTtS3totoyR3aKYdws/epOnE1MgVOIlnp2q5R9FMO1 -RE5bHa2Qg5UCf5wwAKSOxIDLPEVUoX6qkbP7inByuGKZ5dSvBQwUGPAt+b2Lb38= -=jgHZ ------END PGP SIGNATURE----- Index: exim-CVE-2017-1000369.patch =================================================================== --- exim-CVE-2017-1000369.patch (revision 200) +++ exim-CVE-2017-1000369.patch (deleted) @@ -1,43 +0,0 @@ -commit 65e061b76867a9ea7aeeb535341b790b90ae6c21 -Author: Heiko Schlittermann (HS12-RIPE) -Date: Wed May 31 23:08:56 2017 +0200 - - Cleanup (prevent repeated use of -p/-oMr to avoid mem leak) - -diff --git a/src/exim.c b/src/src/exim.c -index 67583e58..88e11977 100644 ---- a/src/exim.c -+++ b/src/exim.c -@@ -3106,7 +3106,14 @@ for (i = 1; i < argc; i++) - - /* -oMr: Received protocol */ - -- else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i]; -+ else if (Ustrcmp(argrest, "Mr") == 0) -+ -+ if (received_protocol) -+ { -+ fprintf(stderr, "received_protocol is set already\n"); -+ exit(EXIT_FAILURE); -+ } -+ else received_protocol = argv[++i]; - - /* -oMs: Set sender host name */ - -@@ -3202,7 +3209,15 @@ for (i = 1; i < argc; i++) - - if (*argrest != 0) - { -- uschar *hn = Ustrchr(argrest, ':'); -+ uschar *hn; -+ -+ if (received_protocol) -+ { -+ fprintf(stderr, "received_protocol is set already\n"); -+ exit(EXIT_FAILURE); -+ } -+ -+ hn = Ustrchr(argrest, ':'); - if (hn == NULL) - { - received_protocol = argrest; Index: exim-CVE-2017-16943.patch =================================================================== --- exim-CVE-2017-16943.patch (revision 200) +++ exim-CVE-2017-16943.patch (deleted) 
@@ -1,40 +0,0 @@ -From 4e6ae6235c68de243b1c2419027472d7659aa2b4 Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Fri, 24 Nov 2017 20:22:33 +0000 -Subject: [PATCH] Avoid release of store if there have been later allocations. - Bug 2199 - ---- - src/src/receive.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/src/receive.c b/src/src/receive.c -index e7e518a..d9b5001 100644 ---- a/src/receive.c -+++ b/src/receive.c -@@ -1810,8 +1810,8 @@ for (;;) - (and sometimes lunatic messages can have ones that are 100s of K long) we - call store_release() for strings that have been copied - if the string is at - the start of a block (and therefore the only thing in it, because we aren't -- doing any other gets), the block gets freed. We can only do this because we -- know there are no other calls to store_get() going on. */ -+ doing any other gets), the block gets freed. We can only do this release if -+ there were no allocations since the once that we want to free. */ - - if (ptr >= header_size - 4) - { -@@ -1820,9 +1820,10 @@ for (;;) - header_size *= 2; - if (!store_extend(next->text, oldsize, header_size)) - { -+ BOOL release_ok = store_last_get[store_pool] == next->text; - uschar *newtext = store_get(header_size); - memcpy(newtext, next->text, ptr); -- store_release(next->text); -+ if (release_ok) store_release(next->text); - next->text = newtext; - } - } --- -1.9.1 - Index: exim-CVE-2017-16944.patch =================================================================== --- exim-CVE-2017-16944.patch (revision 200) +++ exim-CVE-2017-16944.patch (deleted) 
@@ -1,41 +0,0 @@ -diff -ru a/src/receive.c b/src/receive.c ---- a/src/receive.c 2017-11-30 09:15:29.593364805 +0100 -+++ b/src/receive.c 2017-11-30 09:17:32.026970431 +0100 -@@ -1759,7 +1759,7 @@ - prevent further reading), and break out of the loop, having freed the - empty header, and set next = NULL to indicate no data line. */ - -- if (ptr == 0 && ch == '.' && (smtp_input || dot_ends)) -+ if (ptr == 0 && ch == '.' && dot_ends) - { - ch = (receive_getc)(); - if (ch == '\r') -diff -ru a/src/smtp_in.c b/src/smtp_in.c ---- a/src/smtp_in.c 2017-11-30 09:15:29.593364805 +0100 -+++ b/src/smtp_in.c 2017-11-30 09:41:47.270055566 +0100 -@@ -4751,11 +4751,17 @@ - ? CHUNKING_LAST : CHUNKING_ACTIVE; - chunking_data_left = chunking_datasize; - -+ /* push the current receive_* function on the "stack", and -+ replace them by bdat_getc(), which in turn will use the lwr_receive_* -+ functions to do the dirty work. */ - lwr_receive_getc = receive_getc; - lwr_receive_ungetc = receive_ungetc; -+ - receive_getc = bdat_getc; - receive_ungetc = bdat_ungetc; - -+ dot_ends = FALSE; -+ - DEBUG(D_any) - debug_printf("chunking state %d\n", (int)chunking_state); - goto DATA_BDAT; -@@ -4763,6 +4769,7 @@ - - case DATA_CMD: - HAD(SCH_DATA); -+ dot_ends = TRUE; - - DATA_BDAT: /* Common code for DATA and BDAT */ - if (!discarded && recipients_count <= 0) OBS-URL: https://build.opensuse.org/request/show/576288 OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=201 --- exim-4.86.2-mariadb_102_compile_fix.patch | 94 ----------------------- exim-4.88.tar.bz2 | 3 - exim-4.88.tar.bz2.asc | 10 --- exim-4.90.1.tar.bz2 | 3 + exim-4.90.1.tar.bz2.asc | 11 +++ exim-CVE-2017-1000369.patch | 43 ----------- exim-CVE-2017-16943.patch | 40 ---------- exim-CVE-2017-16944.patch | 41 ---------- exim.changes | 50 ++++++++++++ exim.spec | 18 ++--- 10 files changed, 69 insertions(+), 244 deletions(-) delete mode 100644 exim-4.86.2-mariadb_102_compile_fix.patch delete mode 100644 
exim-4.88.tar.bz2 delete mode 100644 exim-4.88.tar.bz2.asc create mode 100644 exim-4.90.1.tar.bz2 create mode 100644 exim-4.90.1.tar.bz2.asc delete mode 100644 exim-CVE-2017-1000369.patch delete mode 100644 exim-CVE-2017-16943.patch delete mode 100644 exim-CVE-2017-16944.patch diff --git a/exim-4.86.2-mariadb_102_compile_fix.patch b/exim-4.86.2-mariadb_102_compile_fix.patch deleted file mode 100644 index f560720..0000000 --- a/exim-4.86.2-mariadb_102_compile_fix.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -Index: exim-4.86.2/src/lookups/mysql.c -=================================================================== ---- exim-4.86.2.orig/src/lookups/mysql.c -+++ exim-4.86.2/src/lookups/mysql.c -@@ -14,6 +14,53 @@ functions. */ - - #include /* The system header */ - -+/* We define symbols for *_VERSION_ID (numeric), *_VERSION_STR (char*) -+and *_BASE_STR (char*). It's a bit of guesswork. Especially for mariadb -+with versions before 10.2, as they do not define there there specific symbols. -+*/ -+ -+// Newer (>= 10.2) MariaDB -+#if defined MARIADB_VERSION_ID -+#define EXIM_MxSQL_VERSION_ID MARIADB_VERSION_ID -+ -+// MySQL defines MYSQL_VERSION_ID, and MariaDB does so -+// https://dev.mysql.com/doc/refman/5.7/en/c-api-server-client-versions.html -+#elif defined LIBMYSQL_VERSION_ID -+#define EXIM_MxSQL_VERSION_ID LIBMYSQL_VERSION_ID -+#elif defined MYSQL_VERSION_ID -+#define EXIM_MxSQL_VERSION_ID MYSQL_VERSION_ID -+ -+#else -+#define EXIM_MYSQL_VERSION_ID 0 -+#endif -+ -+// Newer (>= 10.2) MariaDB -+#ifdef MARIADB_CLIENT_VERSION_STR -+#define EXIM_MxSQL_VERSION_STR MARIADB_CLIENT_VERSION_STR -+ -+// Mysql uses MYSQL_SERVER_VERSION -+#elif defined LIBMYSQL_VERSION -+#define EXIM_MxSQL_VERSION_STR LIBMYSQL_VERSION -+#elif defined MYSQL_SERVER_VERSION -+#define EXIM_MxSQL_VERSION_STR MYSQL_SERVER_VERSION -+ -+#else -+#define EXIM_MxSQL_VERSION_STR "N.A." -+#endif -+ -+#if defined MARIADB_BASE_VERSION -+#define EXIM_MxSQL_BASE_STR MARIADB_BASE_VERSION -+ -+#elif defined MARIADB_PACKAGE_VERSION -+#define EXIM_MxSQL_BASE_STR "mariadb" -+ -+#elif defined MYSQL_BASE_VERSION -+#define EXIM_MxSQL_BASE_STR MYSQL_BASE_VERSION -+ -+#else -+#define EXIM_MxSQL_BASE_STR "n.A." -+#endif -+ - - /* Structure and anchor for caching connections. 
*/ - -@@ -423,10 +470,10 @@ return quoted; - void - mysql_version_report(FILE *f) - { --fprintf(f, "Library version: MySQL: Compile: %s [%s]\n" -- " Runtime: %s\n", -- MYSQL_SERVER_VERSION, MYSQL_COMPILATION_COMMENT, -- mysql_get_client_info()); -+fprintf(f, "Library version: MySQL: Compile: %lu %s [%s]\n" -+ " Runtime: %lu %s\n", -+ (long)EXIM_MxSQL_VERSION_ID, EXIM_MxSQL_VERSION_STR, EXIM_MxSQL_BASE_STR, -+ mysql_get_client_version(), mysql_get_client_info()); - #ifdef DYNLOOKUP - fprintf(f, " Exim version %s\n", EXIM_VERSION_STR); - #endif -Index: exim-4.86.2/src/EDITME -=================================================================== ---- exim-4.86.2.orig/src/EDITME -+++ exim-4.86.2/src/EDITME -@@ -253,7 +253,7 @@ TRANSPORT_SMTP=yes - # you perform upgrades and revert them. You should consider the benefit of - # embedding the Exim version number into LOOKUP_MODULE_DIR, so that you can - # maintain two concurrent sets of modules. --# -+# - # *BEWARE*: ability to modify the files in LOOKUP_MODULE_DIR is equivalent to - # the ability to modify the Exim binary, which is often setuid root! The Exim - # developers only intend this functionality be used by OS software packagers -@@ -301,6 +301,7 @@ LOOKUP_DNSDB=yes - # LOOKUP_IBASE=yes - # LOOKUP_LDAP=yes - # LOOKUP_MYSQL=yes -+# LOOKUP_MYSQL_PC=mariadb - # LOOKUP_NIS=yes - # LOOKUP_NISPLUS=yes - # LOOKUP_ORACLE=yes diff --git a/exim-4.88.tar.bz2 b/exim-4.88.tar.bz2 deleted file mode 100644 index 1a027bc..0000000 --- a/exim-4.88.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:119d5fd7e31fc224e84dfa458fe182f200856bae7adf852a8287c242161f8a2d -size 1824610 diff --git a/exim-4.88.tar.bz2.asc b/exim-4.88.tar.bz2.asc deleted file mode 100644 index 76c9930..0000000 --- a/exim-4.88.tar.bz2.asc +++ /dev/null 
@@ -1,10 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEcBAABAgAGBQJYVqBoAAoJELzljIzkHzLf5vIH/R4gcGqdEwGkFDRwQA5ImNif -USPeSli63U2tL2YRpf8E/sMWlf2ywZl9vGkVWhvYFvMWI4gn+hNAh0jUj2BakCdI -aEjUk0KSA0nXHzIGmNyf0lAcC1VONRq0KLxfQvlGF8RrKnBL7urg46EVFagmU8g9 -m3KVHPjv1cUIICZdJVWICUChjjm23pBvtqr1M9TgUAhWQU0FaG9dmgY2Kh4s2pnG -0o+llbQdU1hvtk0lTMzZYmYTtS3totoyR3aKYdws/epOnE1MgVOIlnp2q5R9FMO1 -RE5bHa2Qg5UCf5wwAKSOxIDLPEVUoX6qkbP7inByuGKZ5dSvBQwUGPAt+b2Lb38= -=jgHZ ------END PGP SIGNATURE----- diff --git a/exim-4.90.1.tar.bz2 b/exim-4.90.1.tar.bz2 new file mode 100644 index 0000000..6ff8bf6 --- /dev/null +++ b/exim-4.90.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d8f510056c85fd8565242cad06560c5cb44a0678ea76241331eca096f7a6cbf0 +size 1854894 diff --git a/exim-4.90.1.tar.bz2.asc b/exim-4.90.1.tar.bz2.asc new file mode 100644 index 0000000..c5f9cf0 --- /dev/null +++ b/exim-4.90.1.tar.bz2.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEE0L/WueylaUpvFJ3Or0zGdqa2wUIFAlp8U0MACgkQr0zGdqa2 +wUKEiwf9GmNYK5sbmpi/c2TdfPqsqU1o76l3PoTt+kxSQi5t4j30dsqZdWvzvkuj +k+/x1SsDRg44+wv19ynnYH4tSCZ3QSwTevyfXvR7bSGpSTCN0tTnaWm/AuBXNC8D +9lukQckwdZckVNciRriVCLi9VTymV/tdnIxowQu/WfdEzFTXDeYzu3KoioG+jKAV +MWhnyUDfhPYPYs+u8IKdFDE3Z9bO/I/EbgTHiR6PetLWusSugrp/MyJjICp8HsvI +f/pMj+rytJo2hOnI9x/wpUiXb7XnnQnph3mic5BQU4DF+tI6dK1zTS66PyTYAoNI +p6Po3uLY/umKYT+W6jxURPfC2TH1+A== +=k4cD +-----END PGP SIGNATURE----- diff --git a/exim-CVE-2017-1000369.patch b/exim-CVE-2017-1000369.patch deleted file mode 100644 index 13d70fa..0000000 --- a/exim-CVE-2017-1000369.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -commit 65e061b76867a9ea7aeeb535341b790b90ae6c21 -Author: Heiko Schlittermann (HS12-RIPE) -Date: Wed May 31 23:08:56 2017 +0200 - - Cleanup (prevent repeated use of -p/-oMr to avoid mem leak) - -diff --git a/src/exim.c b/src/src/exim.c -index 67583e58..88e11977 100644 ---- a/src/exim.c -+++ b/src/exim.c -@@ -3106,7 +3106,14 @@ for (i = 1; i < argc; i++) - - /* -oMr: Received protocol */ - -- else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i]; -+ else if (Ustrcmp(argrest, "Mr") == 0) -+ -+ if (received_protocol) -+ { -+ fprintf(stderr, "received_protocol is set already\n"); -+ exit(EXIT_FAILURE); -+ } -+ else received_protocol = argv[++i]; - - /* -oMs: Set sender host name */ - -@@ -3202,7 +3209,15 @@ for (i = 1; i < argc; i++) - - if (*argrest != 0) - { -- uschar *hn = Ustrchr(argrest, ':'); -+ uschar *hn; -+ -+ if (received_protocol) -+ { -+ fprintf(stderr, "received_protocol is set already\n"); -+ exit(EXIT_FAILURE); -+ } -+ -+ hn = Ustrchr(argrest, ':'); - if (hn == NULL) - { - received_protocol = argrest; diff --git a/exim-CVE-2017-16943.patch b/exim-CVE-2017-16943.patch deleted file mode 100644 index 5de1597..0000000 --- a/exim-CVE-2017-16943.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 4e6ae6235c68de243b1c2419027472d7659aa2b4 Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Fri, 24 Nov 2017 20:22:33 +0000 -Subject: [PATCH] Avoid release of store if there have been later allocations. - Bug 2199 - ---- - src/src/receive.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/src/receive.c b/src/src/receive.c -index e7e518a..d9b5001 100644 ---- a/src/receive.c -+++ b/src/receive.c -@@ -1810,8 +1810,8 @@ for (;;) - (and sometimes lunatic messages can have ones that are 100s of K long) we - call store_release() for strings that have been copied - if the string is at - the start of a block (and therefore the only thing in it, because we aren't -- doing any other gets), the block gets freed. We can only do this because we -- know there are no other calls to store_get() going on. */ -+ doing any other gets), the block gets freed. We can only do this release if -+ there were no allocations since the once that we want to free. */ - - if (ptr >= header_size - 4) - { -@@ -1820,9 +1820,10 @@ for (;;) - header_size *= 2; - if (!store_extend(next->text, oldsize, header_size)) - { -+ BOOL release_ok = store_last_get[store_pool] == next->text; - uschar *newtext = store_get(header_size); - memcpy(newtext, next->text, ptr); -- store_release(next->text); -+ if (release_ok) store_release(next->text); - next->text = newtext; - } - } --- -1.9.1 - diff --git a/exim-CVE-2017-16944.patch b/exim-CVE-2017-16944.patch deleted file mode 100644 index 2658fe0..0000000 --- a/exim-CVE-2017-16944.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -diff -ru a/src/receive.c b/src/receive.c ---- a/src/receive.c 2017-11-30 09:15:29.593364805 +0100 -+++ b/src/receive.c 2017-11-30 09:17:32.026970431 +0100 -@@ -1759,7 +1759,7 @@ - prevent further reading), and break out of the loop, having freed the - empty header, and set next = NULL to indicate no data line. */ - -- if (ptr == 0 && ch == '.' && (smtp_input || dot_ends)) -+ if (ptr == 0 && ch == '.' && dot_ends) - { - ch = (receive_getc)(); - if (ch == '\r') -diff -ru a/src/smtp_in.c b/src/smtp_in.c ---- a/src/smtp_in.c 2017-11-30 09:15:29.593364805 +0100 -+++ b/src/smtp_in.c 2017-11-30 09:41:47.270055566 +0100 -@@ -4751,11 +4751,17 @@ - ? CHUNKING_LAST : CHUNKING_ACTIVE; - chunking_data_left = chunking_datasize; - -+ /* push the current receive_* function on the "stack", and -+ replace them by bdat_getc(), which in turn will use the lwr_receive_* -+ functions to do the dirty work. */ - lwr_receive_getc = receive_getc; - lwr_receive_ungetc = receive_ungetc; -+ - receive_getc = bdat_getc; - receive_ungetc = bdat_ungetc; - -+ dot_ends = FALSE; -+ - DEBUG(D_any) - debug_printf("chunking state %d\n", (int)chunking_state); - goto DATA_BDAT; -@@ -4763,6 +4769,7 @@ - - case DATA_CMD: - HAD(SCH_DATA); -+ dot_ends = TRUE; - - DATA_BDAT: /* Common code for DATA and BDAT */ - if (!discarded && recipients_count <= 0) diff --git a/exim.changes b/exim.changes index 92d074c..2071530 100644 --- a/exim.changes +++ b/exim.changes 
@@ -1,3 +1,53 @@ +------------------------------------------------------------------- +Tue Feb 13 13:39:34 UTC 2018 - kbabioch@suse.com + +- update to 4.90.1 + * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly + during configuration. Wildcards are allowed and expanded. + * Shorten the log line for daemon startup by collapsing adjacent sets of + identical IP addresses on different listening ports. Will also affect + "exiwhat" output. + * Tighten up the checking in isip4 (et al): dotted-quad components larger + than 255 are no longer allowed. + * Default openssl_options to include +no_ticket, to reduce load on peers. + Disable the session-cache too, which might reduce our load. Since we + currrectly use a new context for every connection, both as server and + client, there is no benefit for these. + * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at + . + * Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously + the check for any unsuccessful recipients did not notice the limit, and + erroneously found still-pending ones. + * Pipeline CHUNKING command and data together, on kernels that support + MSG_MORE. Only in-clear (not on TLS connections). + * Avoid using a temporary file during transport using dkim. Unless a + transport-filter is involved we can buffer the headers in memory for + creating the signature, and read the spool data file once for the + signature and again for transmission. + * Enable use of sendfile in Linux builds as default. It was disabled in + 4.77 as the kernel support then wasn't solid, having issues in 64bit + mode. Now, it's been long enough. Add support for FreeBSD also. + * Add commandline_checks_require_admin option. + * Do pipelining under TLS. + * For the "sock" variant of the malware scanner interface, accept an empty + cmdline element to get the documented default one. Previously it was + inaccessible. 
+ * Prevent repeated use of -p/-oMr + * DKIM: enforce the DNS pubkey record "h" permitted-hashes optional field, + if present. + * DKIM: when a message has multiple signatures matching an identity given + in dkim_verify_signers, run the dkim acl once for each. + * Support IDNA2008. + * The path option on a pipe transport is now expanded before use + * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined. +- Several bug fixes +- Fix for buffer overflow in base64decode() (bsc#1079832 CVE-2018-6789) +- removed patches (included upstream now): + * exim-CVE-2017-1000369.patch + * exim-CVE-2017-16943.patch + * exim-CVE-2017-16944.patch + * exim-4.86.2-mariadb_102_compile_fix.patch + ------------------------------------------------------------------- Thu Nov 30 08:32:50 UTC 2017 - wullinger@rz.uni-kiel.de diff --git a/exim.spec b/exim.spec index 71f1489..9cd8e75 100644 --- a/exim.spec +++ b/exim.spec @@ -1,7 +1,7 @@ # # spec file for package exim # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -78,7 +78,7 @@ Requires(pre): group(mail) %endif Requires(pre): fileutils textutils %endif -Version: 4.88 +Version: 4.90.1 Release: 0 %if %{with_mysql} BuildRequires: mysql-devel 
@@ -93,8 +93,8 @@ Summary: The Exim Mail Transfer Agent, a Replacement for sendmail License: GPL-2.0+ Group: Productivity/Networking/Email/Servers BuildRoot: %{_tmppath}/%{name}-%{version}-build -Source: http://ftp.exim.org/pub/exim/exim4/old/exim-%{version}.tar.bz2 -Source3: http://ftp.exim.org/pub/exim/exim4/old/exim-%{version}.tar.bz2.asc +Source: http://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.bz2 +Source3: http://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.bz2.asc # http://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc Source4: exim.keyring Source1: sysconfig.exim @@ -107,10 +107,6 @@ Source31: eximstats.conf Source32: eximstats.conf-2.2 Source40: exim.service Patch0: exim-tail.patch -Patch3: exim-CVE-2017-1000369.patch -Patch4: exim-CVE-2017-16943.patch -Patch5: exim-CVE-2017-16944.patch -Patch6: exim-4.86.2-mariadb_102_compile_fix.patch %package -n eximon Summary: Eximon, an graphical frontend to administer Exim's mail queue @@ -153,10 +149,6 @@ once, if at all. The rest is done by logrotate / cron.) %prep %setup -q -n exim-%{version} %patch0 -%patch3 -p 1 -%patch4 -p 1 -%patch5 -p 1 -%patch6 -p 1 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930 fPIE="-fPIE" @@ -328,7 +320,7 @@ make inst_dest=$RPM_BUILD_ROOT/usr/sbin \ inst_info=$RPM_BUILD_ROOT/%{_infodir} \ INSTALL_ARG=-no_chown install #mv $RPM_BUILD_ROOT/usr/sbin/exim-%{version}* $RPM_BUILD_ROOT/usr/sbin/exim -mv $RPM_BUILD_ROOT/usr/sbin/exim-4.8* $RPM_BUILD_ROOT/usr/sbin/exim +mv $RPM_BUILD_ROOT/usr/sbin/exim-4.9* $RPM_BUILD_ROOT/usr/sbin/exim mv $RPM_BUILD_ROOT/etc/exim/exim.conf src/configure.default # with all substitutions done %if 0%{?suse_version} > 1220 install -m 0644 %{S:40} $RPM_BUILD_ROOT/%{_unitdir}/exim.service From 3bb5245254dc8d6f8ecf6ee9d526a83a98956233d01457712eb6af5d3dc92eb4 Mon Sep 17 00:00:00 2001 
From: Dirk Mueller Date: Tue, 20 Mar 2018 10:29:00 +0000 Subject: [PATCH 2/3] Accepting request 587627 from home:elvigia:branches:server:mail - Replace xorg-x11-devel by individual pkgconfig() buildrequires. OBS-URL: https://build.opensuse.org/request/show/587627 OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=202 --- exim.changes | 5 +++++ exim.spec | 17 ++++++----------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/exim.changes b/exim.changes index 2071530..5157014 100644 --- a/exim.changes +++ b/exim.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Mar 15 20:22:09 UTC 2018 - crrodriguez@opensuse.org + +- Replace xorg-x11-devel by individual pkgconfig() buildrequires. + ------------------------------------------------------------------- Tue Feb 13 13:39:34 UTC 2018 - kbabioch@suse.com diff --git a/exim.spec b/exim.spec index 9cd8e75..da27da6 100644 --- a/exim.spec +++ b/exim.spec @@ -47,17 +47,12 @@ BuildRequires: pam-devel BuildRequires: openldap2-devel %endif BuildRequires: pcre-devel -%if %{?suse_version:1}%{?!suse_version:0} -BuildRequires: libopenssl-devel BuildRequires: tcpd-devel -BuildRequires: xorg-x11-devel -%else -BuildRequires: libXaw-devel -BuildRequires: libXext-devel -BuildRequires: libXt-devel -BuildRequires: openssl-devel -BuildRequires: tcp_wrappers -%endif +BuildRequires: pkgconfig(libcrypto) +BuildRequires: pkgconfig(libssl) +BuildRequires: pkgconfig(xaw7) +BuildRequires: pkgconfig(xmu) +BuildRequires: pkgconfig(xt) Url: http://www.exim.org/ Conflicts: sendmail sendmail-tls postfix Provides: smtp_daemon 
@@ -90,7 +85,7 @@ BuildRequires: postgresql-devel BuildRequires: sqlite3-devel %endif Summary: The Exim Mail Transfer Agent, a Replacement for sendmail -License: GPL-2.0+ +License: GPL-2.0-or-later Group: Productivity/Networking/Email/Servers BuildRoot: %{_tmppath}/%{name}-%{version}-build Source: http://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.bz2 From e5a07ffaf76d4413eaa8033581bb101a30565573669c5b0940d2b11d4ad2cc0c Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Wed, 2 May 2018 15:09:25 +0000 Subject: [PATCH 3/3] Accepting request 597094 from home:pwcau:branches:server:mail update to 4.91. Note that this removes two, previously deprecated SPF ACL conditions (err_temp and err_perm). OBS-URL: https://build.opensuse.org/request/show/597094 OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=203 --- exim-4.90.1.tar.bz2 | 3 -- exim-4.90.1.tar.bz2.asc | 11 ----- exim-4.91.tar.bz2 | 3 ++ exim-4.91.tar.bz2.asc | 10 +++++ exim.changes | 94 +++++++++++++++++++++++++++++++++++++++++ exim.spec | 4 +- 6 files changed, 109 insertions(+), 16 deletions(-) delete mode 100644 exim-4.90.1.tar.bz2 delete mode 100644 exim-4.90.1.tar.bz2.asc create mode 100644 exim-4.91.tar.bz2 create mode 100644 exim-4.91.tar.bz2.asc diff --git a/exim-4.90.1.tar.bz2 b/exim-4.90.1.tar.bz2 deleted file mode 100644 index 6ff8bf6..0000000 --- a/exim-4.90.1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d8f510056c85fd8565242cad06560c5cb44a0678ea76241331eca096f7a6cbf0 -size 1854894 diff --git a/exim-4.90.1.tar.bz2.asc b/exim-4.90.1.tar.bz2.asc deleted file mode 100644 index c5f9cf0..0000000 --- a/exim-4.90.1.tar.bz2.asc +++ /dev/null 
@@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEE0L/WueylaUpvFJ3Or0zGdqa2wUIFAlp8U0MACgkQr0zGdqa2 -wUKEiwf9GmNYK5sbmpi/c2TdfPqsqU1o76l3PoTt+kxSQi5t4j30dsqZdWvzvkuj -k+/x1SsDRg44+wv19ynnYH4tSCZ3QSwTevyfXvR7bSGpSTCN0tTnaWm/AuBXNC8D -9lukQckwdZckVNciRriVCLi9VTymV/tdnIxowQu/WfdEzFTXDeYzu3KoioG+jKAV -MWhnyUDfhPYPYs+u8IKdFDE3Z9bO/I/EbgTHiR6PetLWusSugrp/MyJjICp8HsvI -f/pMj+rytJo2hOnI9x/wpUiXb7XnnQnph3mic5BQU4DF+tI6dK1zTS66PyTYAoNI -p6Po3uLY/umKYT+W6jxURPfC2TH1+A== -=k4cD ------END PGP SIGNATURE----- diff --git a/exim-4.91.tar.bz2 b/exim-4.91.tar.bz2 new file mode 100644 index 0000000..7f89729 --- /dev/null +++ b/exim-4.91.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:eff5b41276a0039e89af4b447da13aaa61c5823d4ec2c37353dc23577cfb02d3 +size 1912811 diff --git a/exim-4.91.tar.bz2.asc b/exim-4.91.tar.bz2.asc new file mode 100644 index 0000000..d6479bd --- /dev/null +++ b/exim-4.91.tar.bz2.asc @@ -0,0 +1,10 @@ +-----BEGIN PGP SIGNATURE----- + +iQEcBAABAgAGBQJa01I+AAoJELzljIzkHzLfBRAH/R4DJhI01BTVIl6/7gQOVfST +fmhBh3rTRXhkSR7XfzxWgNR2jJnDJReitBdjDvkgLdYZ7+S3G7+WIJeSuoP2+PPO +VfSEWQdaeYYyvz6C81xPHo+UARnQcGTygPQpLk9XDiVYZ7X9TYUuomNX4MsK1EXb +2ZJUJ1Sm1DoZx9MbPXJfUSPXeBJGMJwjSjh9KRssFg5VddjBc/oNHf3oL/ThodzU +SmMyPc29r8ZZe+EC5lVumN6G8UalDFPROa/0VEYkJsj7zFG6JgIlRhWgYaIq3nGn +m6ghRaRNQFSktjzISD+mf3ttiqyoJAPRc4x2fbvDAnUjpNQ3VuxOP8uz758cPTw= +=I/a+ +-----END PGP SIGNATURE----- diff --git a/exim.changes b/exim.changes index 5157014..88a4013 100644 --- a/exim.changes +++ b/exim.changes 
@@ -1,3 +1,97 @@ +------------------------------------------------------------------- +Mon Apr 16 13:57:17 UTC 2018 - wullinger@rz.uni-kiel.de + +- update to 4.91 + * DEFER rather than ERROR on redis cluster MOVED response. + * Catch and remove uninitialized value warning in exiqsumm + * Disallow '/' characters in queue names specified for the "queue=" ACL + modifier. This matches the restriction on the commandline. + * Fix pgsql lookup for multiple result-tuples with a single column. + Previously only the last row was returned. + * Bug 2217: Tighten up the parsing of DKIM signature headers. + * Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL. + * Fix issue with continued-connections when the DNS shifts unreliably. + * Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL. + * The "support for" informational output now, which built with Content + Scanning support, has a line for the malware scanner interfaces compiled + in. Interface can be individually included or not at build time. + * The "aveserver", "kavdaemon" and "mksd" interfaces are now not included + by the template makefile "src/EDITME". The "STREAM" support for an older + ClamAV interface method is removed. + * Bug 2223: Fix mysql lookup returns for the no-data case (when the number of + rows affected is given instead). + * The runtime Berkeley DB library version is now additionally output by + "exim -d -bV". Previously only the compile-time version was shown. + * Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating + SMTP connection. + * Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by + routers. + * Bug 2174: A timeout on connect for a callout was also erroneously seen as + a timeout on read on a GnuTLS initiating connection, resulting in the + initiating connection being dropped. 
+ * Relax results from ACL control request to enable cutthrough, in + unsupported situations, from error to silently (except under debug) + ignoring. + * Fix Buffer overflow in base64d() (CVE-2018-6789) + * Fix bug in DKIM verify: a buffer overflow could corrupt the malloc + metadata, resulting in a crash in free(). + * Fix broken Heimdal GSSAPI authenticator integration. + * Bug 2113: Fix conversation closedown with the Avast malware scanner. + * Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail ACL. + * Speed up macro lookups during configuration file read, by skipping non- + macro text after a replacement (previously it was only once per line) and + by skipping builtin macros when searching for an uppercase lead character. + * DANE support moved from Experimental to mainline. The Makefile control + for the build is renamed. + * Fix memory leak during multi-message connections using STARTTLS. + * Bug 2236: When a DKIM verification result is overridden by ACL, DMARC + reported the original. Fix to report (as far as possible) the ACL + result replacing the original. + * Fix memory leak during multi-message connections using STARTTLS under + OpenSSL + * Bug 2242: Fix exim_dbmbuild to permit directoryless filenames. + * Fix utf8_downconvert propagation through a redirect router. + * Bug 2253: For logging delivery lines under PRDR, append the overall + DATA response info to the (existing) per-recipient response info for + the "C=" log element. + * Bug 2251: Fix ldap lookups that return a single attribute having zero- + length value. + * Support Avast multiline protocol, this allows passing flags to + newer versions of the scanner. + * Ensure that variables possibly set during message acceptance are marked + dead before release of memory in the daemon loop. + * Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such + as a multi-recipient message from a mailinglist manager). 
+ * The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being + replaced by the ${authresults } expansion. + * Bug 2257: Fix pipe transport to not use a socket-only syscall. + * Set a handler for SIGTERM and call exit(3) if running as PID 1. This + allows proper process termination in container environments. + * Bug 2258: Fix spool_wireformat in combination with LMTP transport. + Previously the "final dot" had a newline after it; ensure it is CR,LF. + * SPF: remove support for the "spf" ACL condition outcome values "err_temp" + and "err_perm", deprecated since 4.83 when the RFC-defined words + " temperror" and "permerror" were introduced. + * Re-introduce enforcement of no cutthrough delivery on transports having + transport-filters or DKIM-signing. + * Cutthrough: for a final-dot response timeout (and nonunderstood responses) + in defer=pass mode supply a 450 to the initiator. Previously the message + would be spooled. + * DANE: add dane_require_tls_ciphers SMTP Transport option; if unset, + tls_require_ciphers is used as before. + * Malware Avast: Better match the Avast multiline protocol. + * Fix reinitialisation of DKIM logging variable between messages. + * Bug 2255: Revert the disable of the OpenSSL session caching. + * Add util/renew-opendmarc-tlds.sh script for safe renewal of public + suffix list. + * DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form, + since the IETF WG has not yet settled on that versus the original + "bare" representation. + * Fix syslog logging for syslog_timestamp=no and log_selector +millisec. + Previously the millisecond value corrupted the output. + Fix also for syslog_pid=no and log_selector +pid, for which the pid + corrupted the output. + ------------------------------------------------------------------- Thu Mar 15 20:22:09 UTC 2018 - crrodriguez@opensuse.org diff --git a/exim.spec b/exim.spec index da27da6..41fca55 100644 --- a/exim.spec +++ b/exim.spec 
@@ -73,7 +73,7 @@ Requires(pre): group(mail) %endif Requires(pre): fileutils textutils %endif -Version: 4.90.1 +Version: 4.91 Release: 0 %if %{with_mysql} BuildRequires: mysql-devel @@ -281,7 +281,7 @@ cat <<-EOF > Local/Makefile EXPERIMENTAL_DSN=yes SYSTEM_ALIASES_FILE=/etc/aliases %if %{with dane} - EXPERIMENTAL_DANE=yes + DANE=yes %endif EXPERIMENTAL_SOCKS=yes %if %{with i18n}
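Review bot: In PATCH 1/3, the exim.spec hunk that rewrites Source and Source3 keeps both URLs on plain http, so the integrity of the tarball rests entirely on checking Source3 (the .asc) against Source4 (exim.keyring). The %prep context visible in this series goes straight from `%setup -q -n exim-%{version}` to `%patch0`, so please confirm the signature is actually verified during the build, and switch both URLs to https if upstream serves them. The previous URL pointed at exim4/old/, so this path will likely need touching again once the packaged version stops being the current release.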
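Review bot: In PATCH 1/3, the %install hunk in exim.spec replaces one hardcoded glob with another (`exim-4.8*` becomes `exim-4.9*`), which will silently stop matching at the next series bump and can match more than one file if several are installed. The commented-out line directly above already uses `exim-%{version}*`; please use that form, or explain in a comment why the versioned glob does not work here.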
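Review bot: In PATCH 2/3, the BuildRequires hunk in exim.spec removes the whole `%if %{?suse_version:1}%{?!suse_version:0}` / `%else` / `%endif` block, not just xorg-x11-devel, and the changelog entry does not mention it. That makes `tcpd-devel` unconditional and drops the non-SUSE alternatives (`openssl-devel`, `tcp_wrappers`, `libXaw-devel`, `libXext-devel`, `libXt-devel`). Note also that `libXext-devel` has no pkgconfig() counterpart in the new list, while `pkgconfig(xmu)` is new. If non-SUSE targets are intentionally no longer supported, say so in exim.changes; otherwise keep the conditional around `tcpd-devel`.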
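Review bot: In PATCH 3/3, the new exim-4.91.tar.bz2.asc starts with a different signature packet header than the removed exim-4.90.1.tar.bz2.asc (`iQEcBAABAgAG...` versus `iQEzBAABCgAd...`) and carries different issuer bytes, so the two releases do not appear to be signed with the same key or parameters. The diffstat for this patch does not touch exim.keyring, so please confirm that the 4.91 signer is already in the keyring and that the signature verifies against the tarball recorded by the new LFS pointer before this is accepted.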
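Review bot: In PATCH 3/3, the 4.91 entry added to exim.changes lists "Fix Buffer overflow in base64d() (CVE-2018-6789)" although the 4.90.1 entry from PATCH 1/3 already records that fix as "base64decode() (bsc#1079832 CVE-2018-6789)". Listing the CVE twice under two function names and without the bsc reference makes it harder to tell which package version first shipped the fix; drop the line here or mark it as already fixed in 4.90.1. Two behaviour changes also deserve their own top-level bullets rather than sitting inside the upstream list: the removal of the SPF "err_temp" and "err_perm" condition values, which existing ACLs may still use, and "Bug 2255: Revert the disable of the OpenSSL session caching", which reverses the default described in the 4.90.1 entry.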