X-Git-Url: https://git.hcoop.net/hcoop/debian/exim4.git/blobdiff_plain/d1e9e98adb057fac01d3b4db6c75347e05e88263..01e60269815612fced0df2994079cb2081f8ff0b:/debian/changelog diff --git a/debian/changelog b/debian/changelog index 02a8d87..6fcb27a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,40 +1,662 @@ -exim4 (4.89-2+deb9u6) stretch-security; urgency=high +exim4 (4.92-8+deb10u3) buster-security; urgency=high - * 85_01-string.c-do-not-interpret-before-0-CVE-2019-15846.patch Fix SNI + * 78_02-Fix-buffer-overflow-in-string_vformat.-Bug-2449.patch: + Fix buffer overflow in string_vformat. + + -- Andreas Metzler Fri, 27 Sep 2019 18:09:35 +0200 + +exim4 (4.92-8+deb10u2) buster-security; urgency=high + + * 78_01-string.c-do-not-interpret-before-0-CVE-2019-15846.patch Fix SNI related buffer overflow. CVE-2019-15846 - -- Andreas Metzler Tue, 03 Sep 2019 20:01:38 +0200 + -- Andreas Metzler Tue, 03 Sep 2019 19:51:11 +0200 -exim4 (4.89-2+deb9u5) stretch-security; urgency=high +exim4 (4.92-8+deb10u1) buster-security; urgency=high * Fix remote command execution vulnerability related to "${sort}"-expansion. CVE-2019-13917 OVE-20190718-0006 - -- Andreas Metzler Sat, 20 Jul 2019 13:32:35 +0200 + -- Andreas Metzler Sat, 20 Jul 2019 13:35:58 +0200 -exim4 (4.89-2+deb9u4) stretch-security; urgency=high +exim4 (4.92-8) unstable; urgency=low - * Non-maintainer upload by the Security Team. - * Fix remote command execution vulnerability (CVE-2019-10149) + * Pulled from exim-4.92+fixes branch: + + 75_11-GnuTLS-fix-tls_out_ocsp-under-hosts_request_ocsp.patch + Fix expansion of $tls_out_ocsp under hosts_request_ocsp. + + 75_12-GnuTLS-fix-the-advertising-of-acceptable-certs-by-th.patch + When tls_verify_certificates was set to a directory instead of a file + exim/GnuTLS would still send out the list of accepted certificates, + This did not match documented behavior. + + 75_13-Use-dsn_from-for-success-DSN-messages.-Bug-2404.patch + The dsn_from option was not used for DSN success messages. + * Pulled from upstream GIT master: + + 75_14-Fix-smtp-response-timeout.patch + Fix the timeout on smtp response to apply to the whole response instead + of resetting for every byte received. + + 75_15-Fix-detection-of-32b-platform-at-build-time.-Bug-240.patch + https://bugs.exim.org/show_bug.cgi?id=2405 + ${eval } was broken on 32bit archs. - -- Salvatore Bonaccorso Tue, 28 May 2019 22:13:55 +0200 + -- Andreas Metzler Sat, 08 Jun 2019 17:37:43 +0200 -exim4 (4.89-2+deb9u3) stretch-security; urgency=high +exim4 (4.92-7) unstable; urgency=medium - * Non-maintainer upload by the Security Team. - * Fix base64d() buffer size (CVE-2018-6789) (Closes: #890000) + * Upload to unstable. - -- Salvatore Bonaccorso Sat, 10 Feb 2018 09:26:05 +0100 + -- Andreas Metzler Tue, 07 May 2019 19:44:23 +0200 -exim4 (4.89-2+deb9u2) stretch-security; urgency=high +exim4 (4.92-6) experimental; urgency=medium - * Non-maintainer upload by the Security Team. - * Avoid release of store if there have been later allocations - (CVE-2017-16943) (Closes: #882648) - * Chunking: do not treat the first lonely dot special (CVE-2017-16944) - (Closes: #882671) + * Revert 90_localscan_dlopen.dpatch removal to give Magnus some chance for + debugging sa-exim. + * Set HAVE_LOCAL_SCAN=yes in EDITME. + * Upload to experimental. + + -- Andreas Metzler Tue, 16 Apr 2019 17:58:20 +0200 + +exim4 (4.92-5) unstable; urgency=medium + + * Improved spam-scanning example with accompaning information in + README.Debian. Explicitly warn about adding the default SpamAssassin + report in a header, which Closes: #774553 + * Drop 90_localscan_dlopen.dpatch. (It has been non-functional for a couple + of months.) Closes: #925982 Add a Conflicts for sa-exim, which relied on + the (working) version of the patch. Drop exim4-dev package. Add a NEWS + entry for this change. + + -- Andreas Metzler Sun, 07 Apr 2019 13:39:31 +0200 + +exim4 (4.92-4) unstable; urgency=medium + + * Another patch from exim-4.92+fixes branch: + 75_10-Harden-plaintext-authenticator.patch + + -- Andreas Metzler Fri, 22 Mar 2019 07:15:20 +0100 + +exim4 (4.92-3) unstable; urgency=medium + + * Pull fixes from exim-4.92+fixes branch. + + 75_05-Fix-expansions-for-RFC-822-addresses-having-comments.patch + + 75_06-Docs-Add-note-on-lsearch-for-IPv4-mapped-IPv6-addres.patch + + 75_07-Fix-crash-from-SRV-lookup-hitting-a-CNAME.patch + + 75_08-Logging-fix-initial-listening-on-log-line.patch + + 75_09-OpenSSL-Fix-aggregation-of-messages.patch + + -- Andreas Metzler Wed, 20 Mar 2019 17:01:29 +0100 + +exim4 (4.92-2) unstable; urgency=medium + + * Upload to unstable. + + -- Andreas Metzler Wed, 20 Feb 2019 19:23:11 +0100 + +exim4 (4.92-1) experimental; urgency=medium + + * Point watchfile to release directory again. + * New upstream stable release, identical to rc6 except for the version + string. + * Pull fixes from exim-4.92+fixes branch. + + 75_01-Fix-json-extract-operator-for-unfound-case.patch + + 75_02-Fix-transport-buffer-size-handling.patch + + 75_03-Fix-info-on-using-local_scan-in-the-default-Makefile.patch + + 75_04-GnuTLS-Fix-client-detection-of-server-reject-of-clie.patch + * Upload to experimental while waiting for rc6 to migrate. + + -- Andreas Metzler Sun, 17 Feb 2019 13:13:55 +0100 + +exim4 (4.92~RC6-1) unstable; urgency=low + + * New upstream snapshot rc6, includes + 40_01-Fix-dkim_verify_signers-option.-Bug-2366.patch. + + -- Andreas Metzler Sat, 09 Feb 2019 14:33:15 +0100 + +exim4 (4.92~RC5-2) unstable; urgency=high + + * In init script use start-stop-daemon directly instead of lsb-base's + killproc which currently fails to pass on the executable name to s-s-d + (921558). This broke with s-s-d 1.19.2 which (for security reasons) + requires further filtering arguments in addition to --pidfile when the pid + file is not owned by root. Closes: #921205 + + -- Andreas Metzler Thu, 07 Feb 2019 18:42:41 +0100 + +exim4 (4.92~RC5-1) unstable; urgency=medium + + * New upstream snapshot rc5. + * 40_01-Fix-dkim_verify_signers-option.-Bug-2366.patch: dkim_verify_signers + was ignored. + + -- Andreas Metzler Thu, 31 Jan 2019 19:25:03 +0100 + +exim4 (4.92~RC4-3) unstable; urgency=medium + + * Refresh debian/upstream/signing-key.asc from + https://downloads.exim.org/Exim-Maintainers-Keyring.asc. + * Drop outdated pointers to alioth package homepage from README.Debian. + * Update exim4-config Breaks to enforce upgrade to daemon binary package + with DANE support. Closes: #919902 + * [lintian] Minimize upstream/signing-key.asc. + + -- Andreas Metzler Sun, 20 Jan 2019 17:52:39 +0100 + +exim4 (4.92~RC4-2) unstable; urgency=medium + + * Upload to unstable. + + -- Andreas Metzler Sat, 05 Jan 2019 15:35:38 +0100 + +exim4 (4.92~RC4-1) experimental; urgency=low + + * New upstream version. + + Drop 75_GnuTLS-repeat-lowlevel-read-and-write-operations-whi.patch. + + Unfuzz patches. + + -- Andreas Metzler Mon, 31 Dec 2018 13:13:45 +0100 + +exim4 (4.92~RC3-1) unstable; urgency=low + + * Add 75_GnuTLS-repeat-lowlevel-read-and-write-operations-whi.patch from + upstream GIT master, fixing outgoing TLS 1.3. + https://bugs.exim.org/show_bug.cgi?id=2359 + * New upstream version. + * Upload to unstable. + + -- Andreas Metzler Wed, 26 Dec 2018 16:07:52 +0100 + +exim4 (4.92~RC2-1) experimental; urgency=low + + * New upstream version. + + Drop 75_01-Fix-parsing-of-option-type-Kint-integer-stored-in-K-.patch + + -- Andreas Metzler Tue, 18 Dec 2018 19:20:24 +0100 + +exim4 (4.92~RC1-1) experimental; urgency=low + + * Update upstream/signing-key.asc from + https://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc, adding + 96E4754B8F93C1B239F1A95785BCF7AC6735A680 while removing + 1F9C181B1E83D2099F02C95AC4F4F94804D29EBA and + FAA1C7F9CD077DC4304BC0C885AB833FDDC03262. + * New upstream release candidate: + + Point watchfile to test subdir. + + Update watchfile to handle -RC1 in addition to _RC1. + + Drop 75_fixes*.patch. + + Unfuzz 32_exim4.dpatch and 90_localscan_dlopen.dpatch + + Update configuration from upstream example, except for + tls_sni/tls_require_ciphers settings on remote_smtp_smarthost transport: + * Enable dns_dnssec_ok. + * Set dnssec_request_domains = * on dnslookup and + dnslookup_relay_to_domains routers. + * Set hosts_try_dane = */dnssec_request_domains = * on remote_smtp + transport unless REMOTE_SMTP_DISABLE_DANE is set. + * Set multi_domain on remote_smtp_smarthost transport. + * Post release updates: + + 75_01-Fix-parsing-of-option-type-Kint-integer-stored-in-K-.patch + + -- Andreas Metzler Sat, 15 Dec 2018 16:24:54 +0100 + +exim4 (4.91-9) unstable; urgency=low + + * Run "wrap-and-sort --max-line-length=72 --short-indent" and add back + autodeleted comments. + * Update from exim-4_91+fixes branch: + + 75_fixes_26-Fix-bad-use-of-library-copying-string-over-itself.patch + + 75_fixes_27-Fix-cyrus-sasl-authenticator-for-authenticated_fail_.patch + + 75_fixes_28-Avoid-leaving-domain-live-with-bogus-info-during-ser.patch + + 75_fixes_29-Fix-AUTH_GSASL-build.patch + + 75_fixes_30-Harden-string-list-handling.patch + + -- Andreas Metzler Thu, 06 Dec 2018 19:19:38 +0100 + +exim4 (4.91-8) unstable; urgency=low + + [ Andreas Metzler ] + * Update from exim-4_91+fixes branch: + + 75_fixes_18-Restore-Darwin-OS-configuration.patch + + 75_fixes_20-Fix-filter-noerror-command.-Bug-2318.patch + + 75_fixes_21-DANE-fix-TA-mode-verify-under-GnuTLS.-Bug-2311.patch + + 75_fixes_22-Testsuite-track-newer-GnuTLS-behaviour.patch + + 75_fixes_24-DANE-ignore-undersized-TLSA-records.patch + + 75_fixes_25-Logging-do-not-log-a-missing-proxy-address-on-delive.patch + + [ Marc Haber ] + * Move definition of CHECK_RCPT_*_LOCALPARTS macro to acl file proper. + + -- Andreas Metzler Sat, 29 Sep 2018 19:08:52 +0200 + +exim4 (4.91-7) unstable; urgency=low + + * Update from exim-4_91+fixes branch: + + 75_fixes_16-Fix-non-EVENTS-build.patch + + 75_fixes_17-Fix-cutthrough-delivery-for-more-than-one-iteration-.patch + + -- Andreas Metzler Sun, 26 Aug 2018 11:33:15 +0200 + +exim4 (4.91-6) unstable; urgency=low + + * Update from exim-4_91+fixes branch: + + 75_fixes_13-DKIM-Fix-signing-for-body-lines-starting-with-a-pair.patch + + 75_fixes_14-ARC-Fix-verification-to-do-AS-checks-in-reverse-orde.patch + + 75_fixes_15-I18N-Fix-protocol-recorded-for-a-multi-SMTPUTF8-mess.patch + * [lintian] Do not run mininal testsuite with DEB_BUILD_OPTIONS=nocheck. + (override_dh_auto_test-does-not-check-DEB_BUILD_OPTIONS) + + -- Andreas Metzler Fri, 20 Jul 2018 11:21:24 +0200 + +exim4 (4.91-5) unstable; urgency=medium + + * Update from exim-4_91+fixes branch: + + 75_fixes_10-Use-serial-number-1-for-self-generated-selfsigned-ce.patch + + 75_fixes_11-Fix-logging-of-cmdline-args-when-starting-in-an-unli.patch + + 75_fixes_12-ARC-Fix-signing-for-case-when-DKIM-signing-failed.patch + + -- Andreas Metzler Sat, 09 Jun 2018 18:10:39 +0200 + +exim4 (4.91-4) unstable; urgency=medium + + * Update from exim-4_91+fixes branch: + + 75_fixes_06-Cutthrough-fix-race-resulting-in-duplicate-delivery..patch + + 75_fixes_07-tidying.patch + + 75_fixes_08-ARC-fix-crash-on-signing-with-missing-key-file.patch + + 75_fixes_09-Content-scanning-Fix-locking-on-message-spool-files..patch + * [lintian] Delete trailing empty lines in changelog. + + -- Andreas Metzler Thu, 17 May 2018 17:14:53 +0200 + +exim4 (4.91-3) unstable; urgency=medium + + * Update from exim-4_91+fixes branch: + + 75_fixes_01-Belated-README.UPDATING-notes-for-Exim-4.91.patch + + 75_fixes_02-Avoid-doing-logging-in-signal-handlers.-Bug-1007.patch + + 75_fixes_03-Fix-typo-in-arc.-Bug-2262.patch + + 75_fixes_04-Fix-OpenSSL-non-OCSP-build.patch + + 75_fixes_05-DKIM-enforce-limit-of-20-on-received-DKIM-Signature-.patch + + Move 50_localscan_dlopen.dpatch to end of patch series and rename to + 90_... to preserve alphanumeric patch ordering. + * Add log_message for local blacklists to improve log readability. (Patch by + Dominic Hargreaves). + + -- Andreas Metzler Sat, 28 Apr 2018 14:59:36 +0200 + +exim4 (4.91-2) unstable; urgency=low + + * Upload to unstable. + + -- Andreas Metzler Sat, 21 Apr 2018 10:38:50 +0200 + +exim4 (4.91-1) experimental; urgency=medium + + * Point watchfile to release directory again and use downloads.exim.org + host. + * New upstream version. + * Tighten b-d on libgnutls28-dev to >= 3.5.7, earlier Debian packages did + not ship libgnutls-dane0. + + -- Andreas Metzler Sun, 15 Apr 2018 17:52:05 +0200 + +exim4 (4.91~RC4-1) experimental; urgency=medium + + * New upstream version. + + -- Andreas Metzler Mon, 09 Apr 2018 19:25:18 +0200 + +exim4 (4.91~RC3-1) experimental; urgency=medium + + * New upstream version. + * Point vcs* to salsa. + + -- Andreas Metzler Thu, 05 Apr 2018 19:43:39 +0200 + +exim4 (4.91~RC2-1) experimental; urgency=medium + + * New upstream version. + Drop 75_01-Fix-heavy-pipeline-SMTP-command-input-corruption.-Bu.patch - -- Salvatore Bonaccorso Tue, 28 Nov 2017 22:58:00 +0100 + -- Andreas Metzler Wed, 21 Mar 2018 19:25:44 +0100 + +exim4 (4.91~RC1-1) experimental; urgency=medium + + * Point watchfile to test subdirectory. + * New upstream version: + + Drop debian/patches/75_*. + + Update example.conf.md5. + Upstream now enables verify = header_syntax check in default config, + mirror this change in Debian, introduce + NO_CHECK_DATA_VERIFY_HEADER_SYNTAX macro to override this. + * Build with newly available (well, for GnuTLS) DANE support. + * Pull 75_01-Fix-heavy-pipeline-SMTP-command-input-corruption.-Bu.patch from + upstream master, fixing https://bugs.exim.org/show_bug.cgi?id=2250. + + -- Andreas Metzler Sat, 17 Mar 2018 17:41:51 +0100 + +exim4 (4.90.1-5) unstable; urgency=medium + + * Update from exim-4_90+fixes branch: + 75_15-Pipe-transport-part-two.-Bug-2257.patch + 75_16-Fix-spool_wireformat-final-dot-on-LMTP-transport.-Bu.patch + 75_17-Cutthrough-enforce-non-use-in-combination-with-DKIM-.patch + + -- Andreas Metzler Sat, 31 Mar 2018 07:14:31 +0200 + +exim4 (4.90.1-4) unstable; urgency=medium + + * Update from exim-4_90+fixes branch: + 75_11-DMARC-add-variables-to-list-of-those-now-unused-at-t.patch + 75_12-Fix-heavy-pipeline-SMTP-command-input-corruption.-Bu.patch + 75_13-Unbreak-DMARC.patch + 75_14-Fix-pipe-transport-to-not-use-a-socket-only-syscall..patch + + -- Andreas Metzler Thu, 22 Mar 2018 07:44:05 +0100 + +exim4 (4.90.1-3) unstable; urgency=medium + + * Update from exim-4_90+fixes branch: + 75_07-Fix-ldap-lookups-for-zero-length-attribute-value.-Bu.patch + 75_08-Mark-variables-unused-before-release-of-store-in-the.patch + 75_09-Mark-variables-unused-before-release-of-store-in-the.patch + 75_10-Mark-variables-that-are-unused-before-release-of-sto.patch + + -- Andreas Metzler Fri, 16 Mar 2018 18:35:01 +0100 + +exim4 (4.90.1-2) unstable; urgency=medium + + * Update from exim-4_90+fixes branch: + 75_01-ACL-Enforce-non-usability-of-control-utf8_downconver.patch + 75_02-Fix-memory-leak-during-multi-message-reception-using.patch + 75_03-OpenSSL-Fix-memory-leak-during-multi-message-connect.patch + 75_04-Fix-exim_dbmbuild-to-permit-directoryless-filenames..patch + 75_05-OpenSSL-revert-needless-free-of-certificate-list.-Th.patch + 75_06-I18N-Fix-utf8_downconvert-propagation-through-a-redi.patch + + -- Andreas Metzler Sat, 10 Mar 2018 14:25:51 +0100 + +exim4 (4.90.1-1) unstable; urgency=high + + * New upstream version, fixing CVE-2018-6789. Closes: #890000 + + Drop 75_*.patch. + + -- Andreas Metzler Sat, 10 Feb 2018 13:45:40 +0100 + +exim4 (4.90-7) unstable; urgency=medium + + * Update from exim-4_90+fixes branch. (exim-4.90.0.27) + + 75_21-DKIM-fix-buffer-overflow-in-verify.patch + + 75_22-Repair-Heimdal-GSSAPI-authenticator-init.patch + + 75_23-Repair-Heimdal-GSSAPI-authenticator-init-part-2.patch + * Typo fixes in old patch descriptions. (Thanks, lintian!) + + -- Andreas Metzler Sat, 10 Feb 2018 13:13:37 +0100 + +exim4 (4.90-6) unstable; urgency=medium + + * Update from exim-4_90+fixes branch. + + 75_17-Cutthrough-fix-for-port-number-defined-by-router.-Bu.patch + + 75_18-GnuTLS-fix-to-ignore-timeout-on-unrelated-callout-co.patch + Closes: #887489 + + 75_19-Build-.git-may-be-a-file-when-this-repo-is-a-submodu.patch + + 75_20-Debugging-fix-potential-null-derefs-in-DSN-debug_pri.patch + + -- Andreas Metzler Wed, 07 Feb 2018 19:37:03 +0100 + +exim4 (4.90-5) unstable; urgency=low + + * Add 75_16-Cutthrough-fix-multi-message-initiating-connections.patch from + exim-4_90+fixes branch. + * Improved exim4-daemon-custom documentation by Gedalya. Closes: #887971 + * [update-exim4.conf] stop converting variables set to an empty value in + /etc/exim4/update-exim4.conf.conf to exim macros with a literal value of + "empty" in the generated configuration. Thanks, Gedalya. Closes: #887972 + + -- Andreas Metzler Sat, 27 Jan 2018 17:00:42 +0100 + +exim4 (4.90-4) unstable; urgency=low + + * Update from exim-4_90+fixes branch. + 75_13-Lookups-fix-mysql-lookup-returns-for-no-data-queries.patch + 75_14-Fix-D-string-expansion-to-not-use-millisec.patch + 75_15-DKIM-DNS-records-having-no-v-tag-are-acceptable.-Bug.patch + + -- Andreas Metzler Sat, 20 Jan 2018 08:00:45 +0100 + +exim4 (4.90-3) unstable; urgency=medium + + * Three more patches from exim-4_90+fixes branch: + 75_10-Fix-issue-with-continued-connections-when-the-DNS-sh.patch + 75_11-MIME-ACL-fix-SMTP-response-for-non-accept-result-of-.patch + 75_12-DKIM-permit-dkim_private_key-to-override-dkim_strict.patch + + -- Andreas Metzler Mon, 08 Jan 2018 18:55:28 +0100 + +exim4 (4.90-2) unstable; urgency=medium + + * Update to exim-4_90+fixes branch: + + Replace 75_Lookups-fix-pgsql-multiple-row-single-column-return.patch. + + 75_01-TLS-Fix-excessive-calling-of-smtp_auth_acl-under-AUT.patch + + 75_02-TLS-avoid-calling-smtp_auth_acl-on-client-cert-when-.patch + + 75_03-Debug-fix-coding-in-dnssec-reporting.-Bug-2205.patch + + 75_04-DKIM-Ignore-non-DKIM-TXT-records-in-DNS-response.-Bu.patch + + 75_05-Fix-build-of-nisplus-lookup.patch + + 75_06-Fix-const-issue-in-nisplus-lookup.patch + + 75_08-DKIM-tighter-checking-while-parsing-signature-header.patch + + 75_09-Fix-crash-associated-with-dnsdb-lookup-done-from-DKI.patch + + -- Andreas Metzler Sat, 30 Dec 2017 15:43:52 +0100 + +exim4 (4.90-1) unstable; urgency=low + + * rc4 released as 4.90. + * Point watchfile to release directory again. + * 75_Lookups-fix-pgsql-multiple-row-single-column-return.patch from upstream + GIT master branch. Fix pgsql lookup for multiple result-tuples with a + single column. Previously only the last row was returned. + https://lists.exim.org/lurker/message/20171223.102237.a53dd5bd.en.html + * Simplify debian/rules and make it usable with dh v10 compat. The + fine-grained support for selecting the to be built packages (-custom with + or without -base) was dropped. The build process is now controlled by + attaching tasks to dh-override hooks instead of using file dependencies, + makefile-style. The latter broke with dh v10 due to upstream's + build-system which always has the main targets out-of-date inter alia due + to the compile-number feature. + * Use hardening=+all instead of hardening=+bindnow,+pie. (Does not change + buildflags ATM.) + * Use debhelper v10 compat. + * Drop override_dh_strip-arch, we have had enough toolchain and + source changes to prevent file conflicts. + + -- Andreas Metzler Thu, 28 Dec 2017 13:42:23 +0100 + +exim4 (4.90~RC4-1) unstable; urgency=medium + + * New upstream version. + + -- Andreas Metzler Thu, 14 Dec 2017 18:11:40 +0100 + +exim4 (4.90~RC3-2) unstable; urgency=low + + * Upload to unstable. + * Point homepage to https URL. + + -- Andreas Metzler Sat, 02 Dec 2017 17:37:13 +0100 + +exim4 (4.90~RC3-1) experimental; urgency=medium + + * New upstream version. + + Fix a use-after-free while reading smtp input for header lines. + A crafted sequence of BDAT commands could result in in-use memory + being freed. CVE-2017-16943. Closes: #882648 + + Fix checking for leading-dot on a line during headers reading + from SMTP input. Previously it was always done; now only done for + DATA and not BDAT commands. CVE-2017-16944 Closes: #882671 + * Drop 78_Disable-chunking-BDAT-by-default.patch again. + + -- Andreas Metzler Fri, 01 Dec 2017 19:14:08 +0100 + +exim4 (4.90~RC2-3) experimental; urgency=medium + + * As a workaround for the yet-unfixed security vulnerability resurrect (and + adapt for 4.90) 78_Disable-chunking-BDAT-by-default.patch (dropped in + 4.89-4) to disable both incoming and outgoing BDAT/CHUNKING. #882648 + https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html + + -- Andreas Metzler Sat, 25 Nov 2017 12:01:40 +0100 + +exim4 (4.90~RC2-2) experimental; urgency=low + + * B-d on lynx, instead of lynx-cur | lynx. + + -- Andreas Metzler Fri, 17 Nov 2017 17:03:10 +0100 + +exim4 (4.90~RC2-1) experimental; urgency=low + + * New upstream release candidate. + + Unfuzz patches, drop 40_reproducible_build.diff and + 75_fix_ftbfs_SOURCE_DATE_EPOCH.diff. + + Refresh debian/example.conf.md5, No changes to Debian's configuration + needed, upstream added a (commented) entry to change OpenSSL ciphers. + + -- Andreas Metzler Thu, 16 Nov 2017 19:40:35 +0100 + +exim4 (4.90~RC1-1) experimental; urgency=low + + * New upstream release candidate. + + Point watchfile to test subdirectory. + + Update 40_reproducible_build.diff + + Drop 75_fixes*.patch and + 80_Repair-manualroute-transport-name-not-last-option.patch. + + Unfuzz EDITME*.diff + + 75_fix_ftbfs_SOURCE_DATE_EPOCH.diff Fix build-error when + SOURCE_DATE_EPOCH is set. + * Drop trailing whitespace in debian/README.source, debian/changelog and + debian/rules. (Thanks, lintian) + * Drop debian/README.source and outdated parts of debian/copyright. + + -- Andreas Metzler Sun, 29 Oct 2017 10:52:30 +0100 + +exim4 (4.89-13) unstable; urgency=high + + * 75_fixes_21-Chunking-do-not-treat-the-first-lonely-dot-special.-.patch + from exim-4_89+fixes branch. Closes: #882671 CVE-2017-16944 + + -- Andreas Metzler Wed, 29 Nov 2017 19:30:37 +0100 + +exim4 (4.89-12) unstable; urgency=high + + * Sync with exim-4_89+fixes branch: + + 75_fixes_19-Fix-mariadb-mysql-macro-confusion.patch + + 75_fixes_20-Avoid-release-of-store-if-there-have-been-later-allo.patch + Closes: #882648 (use-after-free, remote-code-execution) CVE-2017-16943 + * Update EDITME* for 75_fixes_19-Fix-mariadb-mysql-macro-confusion.patch. + + -- Andreas Metzler Tue, 28 Nov 2017 20:04:23 +0100 + +exim4 (4.89-11) unstable; urgency=critical + + * B-d on lynx, instead of lynx-cur | lynx. + + -- Andreas Metzler Sat, 25 Nov 2017 13:02:43 +0100 + +exim4 (4.89-10) unstable; urgency=critical + + * As a workaround for the yet-unfixed security vulnerability resurrect + 78_Disable-chunking-BDAT-by-default.patch (dropped in 4.89-4) to disable + both incoming and outgoing BDAT/CHUNKING. #882648 + https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html + + -- Andreas Metzler Sat, 25 Nov 2017 11:43:24 +0100 + +exim4 (4.89-9) unstable; urgency=medium + + * Upload to unstable. + + -- Andreas Metzler Fri, 27 Oct 2017 19:23:25 +0200 + +exim4 (4.89-8) experimental; urgency=low + + * Sync with exim-4_89+fixes branch: + 75_fixes_17-Fix-queue_run_in_order-to-ignore-the-PID-portion-of-.patch + 75_fixes_18-Use-safer-routine-for-possibly-overlapping-copy.patch + * Point watchfile to https site. + + -- Andreas Metzler Mon, 23 Oct 2017 19:14:24 +0200 + +exim4 (4.89-7) unstable; urgency=low + + * In debian/rules' manually called update-mtaconflicts target use + grep-aptavail instead of hard-coding /var/lib/apt/lists/. + (Thanks, Julian Andres Klode) Closes: #874772 + * Update debian/mtalist. + * Sync with exim-4_89+fixes branch: + 75_fixes_13-Document-CVE-assignment-for-Berkeley-DB-issue.patch + 75_fixes_14-DKIM-fix-signing-bug-induced-by-total-size-of-parame.patch + 75_fixes_15-SOCKS-fix-unitialized-pointer.patch + 75_fixes_16-Fix-crash-in-transport-on-second-smtp-connect-fail-f.patch. + + -- Andreas Metzler Wed, 27 Sep 2017 07:35:23 +0200 + +exim4 (4.89-6) unstable; urgency=medium + + * Use "runuser --command ..." instead of "su - --command ..." in + exim4-base.cron.daily to avoid invoking pam_systemd. Closes: #871688 + (Thanks, Jakobus Schürz) + * Sync priorities with override file: exim4{,-base,-config,-daemon-light} + optional from standard, exim4-dev optional from extra. + * In debian/rules when setting up the build-tree for -custom also copy + EDITME.eximon to allow building based on EDITME.exim4-light with eximon + building *not* disabled. (Thanks, Marko von Oppen) Closes: #783813 + + -- Andreas Metzler Sat, 09 Sep 2017 15:29:39 +0200 + +exim4 (4.89-5) unstable; urgency=medium + + * Update to exim-4_89+fixes branch: + 75_fixes_01-Start-exim-4_89-fixes-to-cherry-pick-some-commits-fr.patch + 75_fixes_02-Cleanup-prevent-repeated-use-of-p-oMr-to-avoid-mem-l.patch + (replaces 79_CVE-2017-1000369.patch) + 75_fixes_03-Fix-log-line-corruption-for-DKIM-status.patch (replaces + 81_Fix-log-line-corruption-for-DKIM-status.patch) + 75_fixes_04-Openssl-disable-session-tickets-by-default-and-sessi.patch + 75_fixes_05-Transport-fix-smtp-under-combo-of-mua_wrapper-and-li.patch + 75_fixes_07-Openssl-disable-session-tickets-by-default-and-sessi.patch + 75_fixes_08-Transport-fix-smtp-under-combo-of-mua_wrapper-and-li.patch + 75_fixes_09-Use-the-BDB-environment-so-that-a-database-config-fi.patch + (CVE-2017-10140) + 75_fixes_10-Fix-cache-cold-random-callout-verify.-Bug-2147.patch + 75_fixes_11-On-callout-avoid-SIZE-every-time-but-noncacheable-rc.patch + 75_fixes_12-Fix-build-for-earlier-version-Berkeley-DB.patch + * Simplify debian/rules by including buildflags.mk unconditionally which was + introduced in dpkg 1.16.1 released in October 2011. + * Use pkg-info.mk to get package-version, upstream-version and + SOURCE_DATE_EPOCH. For the latter fall back to current time if it is not + provided by pkg-info.mk. + * [lintian] In *daemon.postinst use which certtool instead of + [ -x /usr/bin/certtool ] to check for availablility of the command. + + -- Andreas Metzler Thu, 10 Aug 2017 10:17:05 +0200 + +exim4 (4.89-4) unstable; urgency=low + + * 80_Repair-manualroute-transport-name-not-last-option.patch from GIT + master: Starting with 4.85 a transport name needed to specified after + options in route_list. Closes: #865287 + * Add 81_Fix-log-line-corruption-for-DKIM-status.patch from GIT master. + * Drop 78_Disable-chunking-BDAT-by-default.patch, enable BDAT/Chunking by + default. + * Standards-Version: 4.0.0 + + Do not check for availability of invoke-rc.d, use it always and do not + fall back to invoking the init-script directly. + + Drop eximon menu file. + * Migrate to automatic debug packages. Bump b-d on debhelper since + --dbgsym-migration was introduced in debhelper 9.20160114. + + -- Andreas Metzler Sat, 15 Jul 2017 12:46:16 +0200 + +exim4 (4.89-3) unstable; urgency=high + + * Re-upload to unstable. + + -- Andreas Metzler Mon, 19 Jun 2017 18:51:13 +0200 exim4 (4.89-2+deb9u1) stretch-security; urgency=medium @@ -615,7 +1237,7 @@ exim4 (4.86~RC2-1) experimental; urgency=medium +Drop included patches. (-72_0001-Guard-routing-against-a-null-deref.-Bug-1639.patch, 72_0002-Spamd-add-missing-initialiser.-Rspamd-mode-was-incor.patch, - 72_0003-DSN-fix-null-deref-when-bounce-is-due-to-conn-timeou.patch, + 72_0003-DSN-fix-null-deref-when-bounce-is-due-to-conn-timeou.patch, 72_0004-Content-scan-Use-ETIMEDOUT-not-ETIME-as-having-bette.patch) * Sync Debian config with upstream default config: + Set prdr_enable. @@ -1029,7 +1651,7 @@ exim4 (4.82~rc1-1) experimental; urgency=low 86_Dovecot-robustness.diff 87_localinjected_mimeacl.diff), unfuzz patches. * Applying upstream's default configuration updates to Debian configuration change 30_exim4-config_examples to use tls_in_cipher/tls_out_cipher - instead of tls_out_cipher. - exim4-config therefore Breaks + instead of tls_out_cipher. - exim4-config therefore Breaks exim daemon << 4.82~rc1. * 80_addmanuallybuiltdocs.diff: Upstream rc tarball ships empty filter.txt and spec.txt, replace these with correct handbuilt versions. @@ -1249,7 +1871,7 @@ exim4 (4.77~rc4-1) experimental; urgency=low "match_ip" & "match_local_part". Named lists can still be used. The previous behavior made it too easy to create (remotely) vulnerable configurations. A more detailed rationale and explanation can be found - on + on https://lists.exim.org/lurker/message/20111003.122326.fbcf32b7.en.html + doc/pcrepattern.txt is not shipped anymore as part of the exim tarball (and therefore the Debian package suite.) @@ -1433,14 +2055,14 @@ exim4 (4.73~rc1-1) experimental; urgency=low + Drop exim4-config's conflicts with bash (<< 2.05). This was relevant pre-sarge. + Drop exim4-daemon-* dependency on exim4-base (>> 4.71-2). This one is - superfluous because of of the dependency on + superfluous because of of the dependency on exim4-base (>= ${Upstream-Version}). + exim4-config breaks instead of conflicts with pre-DKIM (i.e. << 4.69.1) exim4-daemon. + exim4-base breaks instead of conflicts with <<${Upstream-Version} daemon packages. * Add Vcs-Svn and Vcs-Browser fields to debian/control. - * Build depend on libmysqlclient-dev | libmysqlclient15-dev instead of + * Build depend on libmysqlclient-dev | libmysqlclient15-dev instead of libmysqlclient15-dev. libmysqlclient-dev is not a virtual package anymore. Closes: #590218 * Use db_settitle unconditionally, even etch supports this. Drop unneeded @@ -1527,7 +2149,7 @@ exim4 (4.72-2) unstable; urgency=low Thanks to Fabien André. Closes: #578176 * Re-work config.autogenerated header to more exactly reflect configuration source. (mh) Closes: #593984 - + [ Andreas Metzler ] * Fix getopt invocation to make update-exim4.conf.template -o work. (Thank you Matthew W. S. Bell) Closes: #590333 @@ -1540,7 +2162,7 @@ exim4 (4.72-2) unstable; urgency=low exim4 (4.72-1) unstable; urgency=low - * New upstream release. (Identical to the git snapshot previously + * New upstream release. (Identical to the git snapshot previously uploaded to experimental.) -- Andreas Metzler Thu, 03 Jun 2010 17:42:52 +0200 @@ -1680,7 +2302,7 @@ exim4 (4.70~cvs+20091017-1) experimental; urgency=low * New upstream cvs snapshot. + Drop unnecessary patches: 36_pcre 37_exiwhatpsmisc. + Close dovecot socket after wrong password was given. Closes: #515503 - + Standalone DKIM support. Obsoletes and therefore + + Standalone DKIM support. Obsoletes and therefore Closes: #486437,#459883 * Drop upstream URL from package descriptions. Closes: #471425 * [patches/00_unpack.dpatch] Drop workaround for tar 1.14, even oldstable @@ -1742,7 +2364,7 @@ exim4 (4.69-10) unstable; urgency=low * [exim4 init-script]. Modify check for smtp inetd entry to use an anchored pattern, matching "smtp" but not "smtp-foo". Closes: #516146 * exim4-daemon-light now Provides: default-mta. See #508644. - * Ship both transport-filter.pl and ratelimit.pl in + * Ship both transport-filter.pl and ratelimit.pl in /usr/share/doc/exim4-base/examples. Closes: #518836 * [lintian] Add ${misc:Depends} to all Depends. * [lintian] Add override for dbg-package-missing-depends exim4-dbg. @@ -1789,7 +2411,7 @@ exim4 (4.69-8) unstable; urgency=low exim4 (4.69-7) unstable; urgency=low [ Andreas Metzler ] - * Sync from ubuntu: Refer to spec.txt.gz instead of spec.txt in + * Sync from ubuntu: Refer to spec.txt.gz instead of spec.txt in README.Debian.xml. [ Debconf translations ] @@ -1892,13 +2514,13 @@ exim4 (4.69-3) unstable; urgency=low in daily cron job. Thanks to Justin Pryzby. Closes: #476541 * Move docs from Apps/Net to Network/Communication * linda R.I.P. - + [ Robert Millan ] * Process acl_local_deny_exceptions ACL before rejecting a message in SPF check. Thanks to Miklos Szeredi. Closes: #451633 [ Andreas Metzler ] - * Fix typos in exinext's man page (/s/eximnext/exinext/). (Thanks, + * Fix typos in exinext's man page (/s/eximnext/exinext/). (Thanks, Filipus Klutiero) Closes: #471113 * exiwhat: Check at runtime whether killall is available. Fall back to a combination of 'ps ax' and regular kill otherwise. @@ -2107,7 +2729,7 @@ exim4 (4.67-6) unstable; urgency=low exim4 (4.67-5) unstable; urgency=low * the "verderben viele Koeche den Brei?" release - + [ Andreas Metzler ] * Point to exim4_passwd(5) instead of non-existing exim_passwd(5) in AUTH section of configuration. (Thanks Arkadiusz Dykiel, #430149) @@ -3592,7 +4214,7 @@ exim4 (4.43-1) experimental; urgency=low - better documentation about differences in configuring for GnuTLS or OpenSSL. (Closes: #241725) - verify = header_sender now respects callout options. (Closes: #260114) - - There is now an overall timeout for performing a callout verification. + - There is now an overall timeout for performing a callout verification. (Closes: #261511) - Less typos in filter.txt. (Closes: #230545) - New ACL: acl_smtp_predata, useful for greylisting. (Closes: #237947) @@ -4291,7 +4913,7 @@ exim4 (4.22-5) unstable; urgency=low * Sorry, this is not 4.23. Tom is on holidays and because 4.23 changes some ACL code, exiscan needs in depth checking and not just applying the - patch by hand. + patch by hand. * exim4-config conflicts with bash (<< 2.05), because it cannot handle aliases in functions. This does not necessarily fix dist-upgrades from potato to sarge because debconf-config might happen before the @@ -4867,7 +5489,7 @@ exim4 (4.10.13-0.0.4) unstable; urgency=low * remove the %s from PID_FILE_PATH * apply debian/fix-pid.issue.patch to fix minor security issue http://www.exim.org/pipermail/exim-users/Week-of-Mon-20021202/046978.html - * test in init-script for working config before reloading/restarting + * test in init-script for working config before reloading/restarting (Andreas Piesk) -- Andreas Metzler Thu, 5 Dec 2002 13:04:51 +0100 @@ -5339,5 +5961,3 @@ exim (3.35-1) unstable; urgency=low * debian/control: Short description improved (Closes: #130698) -- Mark Baker Mon, 4 Mar 2002 23:04:52 +0000 - -