Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
This is a SECURITY release, addressing a CRITICAL remote code execution
flaw in Exim version 4.82 (only) when built with DMARC support (an
experimental feature, not on by default). This release is identical to
4.82 except for the small change needed to plug the security hole. The
next release of Exim will, eventually, be 4.83, which will include the
many improvements we've made since 4.82, but which will require the
normal release candidate baking process before release.
You are not vulnerable unless you built Exim with EXPERIMENTAL_DMARC.
This issue is known by the CVE ID of CVE-2014-2957, was reported
directly to the Exim development team by a company which uses Exim for
its mail server. An Exim developer constructed a small patch which
altered the way the contents of the From header is parsed by converting
it to use safer and better internal functions. It was applied and
tested on a production server for correctness. We were notified of the
vulnerability Friday night, created a patch on Saturday, applied and
tested it on Sunday, notified OS packagers on Monday/Tuesday, and are
releasing on the next available work day, which is Wednesday.
This is why we have made the smallest feasible changes to prevent
exploit: we want this chagne to be as safe as possible to expedite into
production (if the packages were built with DMARC).
1. New command-line option -bI:sieve will list all supported sieve extensions
of this Exim build on standard output, one per line.
ManageSieve (RFC 5804) providers managing scripts for use by Exim should
query this to establish the correct list to include in the protocol's
SIEVE capability line.
2. If the -n option is combined with the -bP option, then the name of an
emitted option is not output, only the value (if visible to you).
For instance, "exim -n -bP pid_file_path" should just emit a pathname
followed by a newline, and no other text.
3. When built with SUPPORT_TLS and USE_GNUTLS, the SMTP transport driver now
has a "tls_dh_min_bits" option, to set the minimum acceptable number of
bits in the Diffie-Hellman prime offered by a server (in DH ciphersuites)
acceptable for security. (Option accepted but ignored if using OpenSSL).
Defaults to 1024, the old value. May be lowered only to 512, or raised as
far as you like. Raising this may hinder TLS interoperability with other
sites and is not currently recommended. Lowering this will permit you to
establish a TLS session which is not as secure as you might like.
Unless you really know what you are doing, leave it alone.
4. If not built with DISABLE_DNSSEC, Exim now has the main option
dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library
to send the DO flag to your recursive resolver. If you have a recursive
resolver, which can set the Authenticated Data (AD) flag in results, Exim
can now detect this. Exim does not perform validation itself, instead
relying upon a trusted path to the resolver.
Current status: work-in-progress; $sender_host_dnssec variable added.
5. DSCP support for outbound connections: on a transport using the smtp driver,
set "dscp = ef", for instance, to cause the connections to have the relevant
DSCP (IPv4 TOS or IPv6 TCLASS) value in the header.
Similarly for inbound connections, there is a new control modifier, dscp,
so "warn control = dscp/ef" in the connect ACL, or after authentication.
Supported values depend upon system libraries. "exim -bI:dscp" to list the
ones Exim knows of. You can also set a raw number 0..0x3F.
6. The -G command-line flag is no longer ignored; it is now equivalent to an
ACL setting "control = suppress_local_fixups". The -L command-line flag
is now accepted and forces use of syslog, with the provided tag as the
process name. A few other flags used by Sendmail are now accepted and
ignored.
7. New cutthrough routing feature. Requested by a "control = cutthrough_delivery"
ACL modifier; works for single-recipient mails which are recieved on and
deliverable via SMTP. Using the connection made for a recipient verify,
if requested before the verify, or a new one made for the purpose while
the inbound connection is still active. The bulk of the mail item is copied
direct from the inbound socket to the outbound (as well as the spool file).
When the source notifies the end of data, the data acceptance by the destination
is negociated before the acceptance is sent to the source. If the destination
does not accept the mail item, for example due to content-scanning, the item
is not accepted from the source and therefore there is no need to generate
a bounce mail. This is of benefit when providing a secondary-MX service.
The downside is that delays are under the control of the ultimate destination
system not your own.
The Recieved-by: header on items delivered by cutthrough is generated
early in reception rather than at the end; this will affect any timestamp
included. The log line showing delivery is recorded before that showing
reception; it uses a new ">>" tag instead of "=>".
To support the feature, verify-callout connections can now use ESMTP and TLS.
The usual smtp transport options are honoured, plus a (new, default everything)
hosts_verify_avoid_tls.
New variable families named tls_in_cipher, tls_out_cipher etc. are introduced
for specific access to the information for each connection. The old names
are present for now but deprecated.
Not yet supported: IGNOREQUOTA, SIZE, PIPELINING.
8. New expansion operators ${listnamed:name} to get the content of a named list
and ${listcount:string} to count the items in a list.
9. New global option "gnutls_allow_auto_pkcs11", defaults false. The GnuTLS
rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11
modules. For some situations this is desirable, but we expect admin in
those situations to know they want the feature. More commonly, it means
that GUI user modules get loaded and are broken by the setuid Exim being
unable to access files specified in environment variables and passed
through, thus breakage. So we explicitly inhibit the PKCS11 initialisation
unless this new option is set.
Some older OS's with earlier versions of GnuTLS might not have pkcs11 ability,
so have also added a build option which can be used to build Exim with GnuTLS
but without trying to use any kind of PKCS11 support. Uncomment this in the
Local/Makefile:
AVOID_GNUTLS_PKCS11=yes
10. The "acl = name" condition on an ACL now supports optional arguments.
New expansion item "${acl {name}{arg}...}" and expansion condition
"acl {{name}{arg}...}" are added. In all cases up to nine arguments
can be used, appearing in $acl_arg1 to $acl_arg9 for the called ACL.
Variable $acl_narg contains the number of arguments. If the ACL sets
a "message =" value this becomes the result of the expansion item,
or the value of $value for the expansion condition. If the ACL returns
accept the expansion condition is true; if reject, false. A defer
return results in a forced fail.
11. Routers and transports can now have multiple headers_add and headers_remove
option lines. The concatenated list is used.
12. New ACL modifier "remove_header" can remove headers before message gets
handled by routers/transports.
13. New dnsdb lookup pseudo-type "a+". A sequence of "a6" (if configured),
"aaaa" and "a" lookups is done and the full set of results returned.
14. New expansion variable $headers_added with content from ACL add_header
modifier (but not yet added to messsage).
15. New 8bitmime status logging option for received messages. Log field "M8S".
16. New authenticated_sender logging option, adding to log field "A".
17. New expansion variables $router_name and $transport_name. Useful
particularly for debug_print as -bt commandline option does not
require privilege whereas -d does.
18. If built with EXPERIMENTAL_PRDR, per-recipient data responses per a
proposed extension to SMTP from Eric Hall.
19. The pipe transport has gained the force_command option, to allow
decorating commands from user .forward pipe aliases with prefix
wrappers, for instance.
20. Callout connections can now AUTH; the same controls as normal delivery
connections apply.
21. Support for DMARC, using opendmarc libs, can be enabled. It adds new
options: dmarc_forensic_sender, dmarc_history_file, and dmarc_tld_file.
It adds new expansion variables $dmarc_ar_header, $dmarc_status,
$dmarc_status_text, and $dmarc_used_domain. It adds a new acl modifier
dmarc_status. It adds new control flags dmarc_disable_verify and
dmarc_enable_forensic.
22. Add expansion variable $authenticated_fail_id, which is the username
provided to the authentication method which failed. It is available
for use in subsequent ACL processing (typically quit or notquit ACLs).
23. New ACL modifer "udpsend" can construct a UDP packet to send to a given
UDP host and port.
24. New ${hexquote:..string..} expansion operator converts non-printable
characters in the string to \xNN form.
25. Experimental TPDA (Transport Post Delivery Action) function added.
Patch provided by Axel Rau.
26. Experimental Redis lookup added. Patch provided by Warren Baker.
are replaced with .include "../../devel/readline/buildlink3.mk", and
USE_GNU_READLINE are removed,
* .include "../../devel/readline/buildlink3.mk" without USE_GNU_READLINE
are replaced with .include "../../mk/readline.buildlink3.mk".
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
Exim version 4.80.1
-------------------
PP/01 SECURITY: protect DKIM DNS decoding from remote exploit.
CVE-2012-5671
This, or similar/improved, will also be change PP/11 of 4.81.
See: https://secunia.com/advisories/51098/
1. New authenticator driver, "gsasl". Server-only (at present).
This is a SASL interface, licensed under GPL, which can be found at
http://www.gnu.org/software/gsasl/.
This system does not provide sources of data for authentication, so
careful use needs to be made of the conditions in Exim.
2. New authenticator driver, "heimdal_gssapi". Server-only.
A replacement for using cyrus_sasl with Heimdal, now that $KRB5_KTNAME
is no longer honoured for setuid programs by Heimdal. Use the
"server_keytab" option to point to the keytab.
3. The "pkg-config" system can now be used when building Exim to reference
cflags and library information for lookups and authenticators, rather
than having to update "CFLAGS", "AUTH_LIBS", "LOOKUP_INCLUDE" and
"LOOKUP_LIBS" directly. Similarly for handling the TLS library support
without adjusting "TLS_INCLUDE" and "TLS_LIBS".
In addition, setting PCRE_CONFIG=yes will query the pcre-config tool to
find the headers and libraries for PCRE.
4. New expansion variable $tls_bits.
5. New lookup type, "dbmjz". Key is an Exim list, the elements of which will
be joined together with ASCII NUL characters to construct the key to pass
into the DBM library. Can be used with gsasl to access sasldb2 files as
used by Cyrus SASL.
6. OpenSSL now supports TLS1.1 and TLS1.2 with OpenSSL 1.0.1.
Avoid release 1.0.1a if you can. Note that the default value of
"openssl_options" is no longer "+dont_insert_empty_fragments", as that
increased susceptibility to attack. This may still have interoperability
implications for very old clients (see version 4.31 change 37) but
administrators can choose to make the trade-off themselves and restore
compatibility at the cost of session security.
7. Use of the new expansion variable $tls_sni in the main configuration option
tls_certificate will cause Exim to re-expand the option, if the client
sends the TLS Server Name Indication extension, to permit choosing a
different certificate; tls_privatekey will also be re-expanded. You must
still set these options to expand to valid files when $tls_sni is not set.
The SMTP Transport has gained the option tls_sni, which will set a hostname
for outbound TLS sessions, and set $tls_sni too.
A new log_selector, +tls_sni, has been added, to log received SNI values
for Exim as a server.
8. The existing "accept_8bitmime" option now defaults to true. This means
that Exim is deliberately not strictly RFC compliant. We're following
Dan Bernstein's advice in http://cr.yp.to/smtp/8bitmime.html by default.
Those who disagree, or know that they are talking to mail servers that,
even today, are not 8-bit clean, need to turn off this option.
9. Exim can now be started with -bw (with an optional timeout, given as
-bw<timespec>). With this, stdin at startup is a socket that is
already listening for connections. This has a more modern name of
"socket activation", but forcing the activated socket to fd 0. We're
interested in adding more support for modern variants.
10. ${eval } now uses 64-bit values on supporting platforms. A new "G" suffix
for numbers indicates multiplication by 1024^3.
11. The GnuTLS support has been revamped; the three options gnutls_require_kx,
gnutls_require_mac & gnutls_require_protocols are no longer supported.
tls_require_ciphers is now parsed by gnutls_priority_init(3) as a priority
string, documentation for which is at:
http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html
SNI support has been added to Exim's GnuTLS integration too.
For sufficiently recent GnuTLS libraries, ${randint:..} will now use
gnutls_rnd(), asking for GNUTLS_RND_NONCE level randomness.
12. With OpenSSL, if built with EXPERIMENTAL_OCSP, a new option tls_ocsp_file
is now available. If the contents of the file are valid, then Exim will
send that back in response to a TLS status request; this is OCSP Stapling.
Exim will not maintain the contents of the file in any way: administrators
are responsible for ensuring that it is up-to-date.
13. ${lookup dnsdb{ }} supports now SPF record types. They are handled
identically to TXT record lookups.
14. New expansion variable $tod_epoch_l for higher-precision time.
15. New global option tls_dh_max_bits, defaulting to current value of NSS
hard-coded limit of DH ephemeral bits, to fix interop problems caused by
GnuTLS 2.12 library recommending a bit count higher than NSS supports.
16. tls_dhparam now used by both OpenSSL and GnuTLS, can be path or identifier.
Option can now be a path or an identifier for a standard prime.
If unset, we use the DH prime from section 2.2 of RFC 5114, "ike23".
Set to "historic" to get the old GnuTLS behaviour of auto-generated DH
primes.
17. SSLv2 now disabled by default in OpenSSL. (Never supported by GnuTLS).
Use "openssl_options -no_sslv2" to re-enable support, if your OpenSSL
install was not built with OPENSSL_NO_SSL2 ("no-ssl2").
* Solaris build fix for Oracle's LDAP libraries.
* HP/UX build fix: avoid arithmetic on a void pointer.
* DKIM Verification: Fix relaxed canon for empty headers w/o whitespace trailer
* Fix a couple more cases where we did not log the error message when unlink()
failed.
* Make the exiwhat support code safe for signals. Previously Exim might lock up
or crash if it happened to be inside a call to libc when it got a SIGUSR1
from exiwhat.
* Improved ratelimit ACL condition.
* Removed a few PCRE remnants.
* Automatically extract Exim's version number from tags in the git repository
when doing development or release builds.
* Raise smtp_cmd_buffer_size to 16kB.
* Implement SSL-on-connect outbound with protocol=smtps on smtp transport.
* Use .dylib instead of .so for dynamic library loading on MacOS.
* Variable $av_failed, true if the AV scanner deferred.
* Stop make process more reliably on build failure.
* Make maildir_use_size_file an _expandable_ boolean.
* Handle ${run} returning more data than OS pipe buffer size.
* Handle IPv6 addresses with SPF.
* GnuTLS: support TLS 1.2 & 1.1.
* match_* no longer expand right-hand-side by default.
* fix uninitialised greeting string from PP/03 (smtps client support).
* shell and compiler warnings fixes for RC1-RC4 changes.
* The new ldap_require_cert option would segfault if used. Fixed.
* Harmonised TLS library version reporting; only show if debugging.
Layout now matches that introduced for other libraries in 4.74 PP/03.
* New openssl_options items: no_sslv2 no_sslv3 no_ticket no_tlsv1
* New "dns_use_edns0" global option.
* Don't segfault on misconfiguration of ref:name exim-user as uid.
* Extra paranoia around buffer usage at the STARTTLS transition.
nb: Exim is not vulnerable to http://www.kb.cert.org/vuls/id/555316
* Updated PolarSSL code to 0.14.2.
* Catch divide-by-zero in ${eval:...}.
* Condition negation of bool{}/bool_lax{} did not negate. Fixed.
* CVE-2011-1764 - DKIM log line was subject to a format-string attack --
SECURITY: remote arbitrary code execution.
* SECURITY - DKIM signature header parsing was double-expanded, second
time unintentionally subject to list matching rules, letting the header
cause arbitrary Exim lookups (of items which can occur in lists, *not*
arbitrary string expansion). This allowed for information disclosure.
* Fix another SIGFPE (x86) in ${eval:...} expansion, this time related to
INT_MIN/-1 -- value coerced to INT_MAX.
1. In addition to the existing LDAP and LDAP/SSL ("ldaps") support, there
is now LDAP/TLS support, given sufficiently modern OpenLDAP client
libraries. The following global options have been added in support of
this: ldap_ca_cert_dir, ldap_ca_cert_file, ldap_cert_file, ldap_cert_key,
ldap_cipher_suite, ldap_require_cert, ldap_start_tls.
2. The pipe transport now takes a boolean option, "freeze_signal", default
false. When true, if the external delivery command exits on a signal then
Exim will freeze the message in the queue, instead of generating a bounce.
3. Log filenames may now use %M as an escape, instead of %D (still available).
The %M pattern expands to yyyymm, providing month-level resolution.
4. The $message_linecount variable is now updated for the maildir_tag option,
in the same way as $message_size, to reflect the real number of lines,
including any header additions or removals from transport.
5. When contacting a pool of SpamAssassin servers configured in spamd_address,
Exim now selects entries randomly, to better scale in a cluster setup.
* Failure to get a lock on a hints database can have serious
consequences so log it to the panic log.
* Log LMTP confirmation messages in the same way as SMTP,
controlled using the smtp_confirmation log selector.
* Include the error message when we fail to unlink a spool file.
* Bugzilla 139: Support dynamically loaded lookups as modules.
* Bugzilla 139: Documentation and portability issues.
Avoid GNU Makefile-isms, let Exim continue to build on BSD.
Handle per-OS dynamic-module compilation flags.
* Let /dev/null have normal permissions.
The 4.73 fixes were a little too stringent and complained about the
permissions on /dev/null. Exempt it from some checks.
* Report version information for many libraries, including
Exim version information for dynamically loaded libraries. Created
version.h, now support a version extension string for distributors
who patch heavily. Dynamic module ABI change.
* CVE-2011-0017 - check return value of setuid/setgid. This is a
privilege escalation vulnerability whereby the Exim run-time user
can cause root to append content of the attacker's choosing to
arbitrary files.
* Bugzilla 1041: merged DCC maintainer's fixes for return code.
* Bugzilla 1071: fix delivery logging with untrusted macros.
If dropping privileges for untrusted macros, we disabled normal logging
on the basis that it would fail; for the Exim run-time user, this is not
the case, and it resulted in successful deliveries going unlogged.
* Date: & Message-Id: revert to normally being appended to a message,
only prepend for the Resent-* case. Fixes regression introduced in
Exim 4.70 by NM/22 for Bugzilla 607.
* Include check_rfc2047_length in configure.default because we're seeing
increasing numbers of administrators be bitten by this.
* Added DISABLE_DKIM and comment to src/EDITME
* Bugzilla 994: added openssl_options main configuration option.
* Bugzilla 995: provide better SSL diagnostics on failed reads.
* Bugzilla 834: provide a permit_coredump option for pipe transports.
* Adjust NTLM authentication to handle SASL Initial Response.
* If TLS negotiated an anonymous cipher, we could end up with SSL but
without a peer certificate, leading to a segfault because of an
assumption that peers always have certificates. Be a little more paranoid.
* Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content
filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes
NB: ClamAV planning to remove STREAM in "middle of 2010".
CL also introduces -bmalware, various -d+acl logging additions and
more caution in buffer sizes.
* Implemented reverse_ip expansion operator.
* Bugzilla 937: provide a "debug" ACL control.
* Bugzilla 922: Documentation dusting, patch provided by John Horne.
* Bugzilla 973: Implement --version.
* Bugzilla 752: Refuse to build/run if Exim user is root/0.
* Build without WITH_CONTENT_SCAN. Path from Andreas Metzler.
* Bugzilla 816: support multiple condition rules on Routers.
* Add bool_lax{} expansion operator and use that for combining multiple
condition rules, instead of bool{}. Make both bool{} and bool_lax{}
ignore trailing whitespace.
* prevent non-panic DKIM error from being sent to paniclog
* added tcp_wrappers_daemon_name to allow host entries other than
"exim" to be used
* Fix malware regression for cmdline scanner introduced in PP/08.
Notification from Dr Andrew Aitchison.
* Change ClamAV response parsing to be more robust and to handle ClamAV's
ExtendedDetectionInfo response format.
* OpenSSL 1.0.0a compatibility const-ness change, should be backwards
compatible.
* installed exipick 20100104.1, adding $max_received_linelength, $data_path,
and $header_path variables; fixed documentation bugs and typos
* installed exipick 20100222.0, added --input-dir and --finput to allow
exipick to access non-standard spools, including the "frozen" queue (Finput)
* Support mysql stored procedures.
* Spacing fix (syntax error) on Makefile directives for NetBSD
* Documentation fix for max_rcpts.
* Fix for unknown responses from Dovecot authenticator.
* Added umask to procmail example.
* installed exipick 20100323.0, fixing doc bug
* CVE-2010-2023 - prevent hardlink attack on sticky mail directory.
* Upgrade PolarSSL files to upstream version 0.12.1.
* Improve log output when DKIM signing operation fails.
* Treat the transport option dkim_domain as a colon separated list, not as
a single string, and sign the message with each element, omitting multiple
occurences of the same signer.
* Null terminate DKIM strings, Null initialise DKIM variable
* dnsdb DNS TXT record bug fix (DKIM-related)
* CVE-2010-2024 - work round race condition on MBX locking.
file cannot run without EXIM_USER being present on the system, so
scripts/exim_install was changed to derive the Exim version from the
pkgsrc package version (see PKGSRC_EXIM_VERSION in the Makefile and patch-ae).
Added LICENSE information.
Ok'd by abs@
* Added patch by Johannes Berg that expands the main option
"spamd_servers" if it starts with a dollar sign.
* Write list of recipients to X-Envelope-Sender header when building
the mbox-format spool file for content scanning.
* Added patch by Wolfgang Breyha that adds experimental DCC
(http://www.dcc-servers.net/) support via dccifd. Activated by
setting EXPERIMENTAL_DCC=yes in Local/Makefile. Check out
experimental_spec.txt for more documentation.
* Bugzilla 673: Add f-protd malware scanner support.
* Bugzilla 657: Embedded PCRE removed from the exim source tree.
When building exim an external PCRE library is now needed -
PCRE is a system library on the majority of modern systems.
See entry on PCRE_LIBS in EDITME file.
* Bugzilla 646: Removed unwanted C/R in Dovecot authenticator
conversation. Added nologin parameter to request.
* Do not log submission mode rewrites if they do not change the address.
* Bugzilla 662: Fix stack corruption before exec() in daemon.c.
* Bugzilla 602: exicyclog now handles panic log, and creates empty
log files in place. Contributed by Roberto Lima
* Bugzilla 667: close socket used by dovecot authenticator
* Bugzilla 615: When checking the local_parts router precondition
after a local_part_suffix or local_part_prefix option, Exim now
does not use the address's named list lookup cache, since this
contains cached lookups for the whole local part.
* Bugzilla 521: Integrated SPF Best Guess support contributed by
Robert Millan. Documentation is in experimental-spec.txt
* Bugzilla 668: Fix parallel build (make -j).
* Bugzilla 437: Prevent Maildir aux files being created with mode 000
* Bugzilla 598: Improvement to Dovecot authenticator handling.
* Leading white space used to be stripped from $spam_report which
wrecked the formatting. Now it is preserved.
* Save $spam_score, $spam_bar, and $spam_report in spool files, so
that they are available at delivery time.
* Fix the way ${extract is skipped in the untaken branch of a conditional.
* TLS error reporting now respects the incoming_interface and
incoming_port log selectors.
* more...
- Add support for getifaddrs() and enable on NetBSD - submitted back to
exim bugzilla as http://bugs.exim.org/show_bug.cgi?id=802
- Increase size of addrbuf[512] used in old style ioctl() version of
os_common_find_running_interfaces()
Fixes issue on NetBSD 5.0
