summary |
shortlog | log |
commit |
commitdiff |
tree
first ⋅ prev ⋅ next
Clinton Ebadi [Sat, 7 Aug 2021 18:56:29 +0000 (14:56 -0400)]
Merge branch 'debian'
Andreas Metzler [Sat, 1 May 2021 09:42:39 +0000 (11:42 +0200)]
Import Debian changes 4.92-8+deb10u6
exim4 (4.92-8+deb10u6) buster-security; urgency=high
.
* Fix several security vulnerabilities reported by Qualys and add related
robustness improvements. (Originally fixed in upstream release 4.94.3 and
in upstream GIT branch exim-4.92.3+fixes. (Special thanks to Heiko)
+ CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
+ CVE-2020-28018: Use-after-free in tls-openssl.c
+ CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
+ CVE-2020-28010: Heap out-of-bounds write in main()
+ CVE-2020-28011: Heap buffer overflow in queue_run()
+ CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
+ CVE-2020-28017: Integer overflow in receive_add_recipient()
+ CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
+ CVE-2020-28026: Line truncation and injection in spool_read_header()
+ CVE-2020-28015 and CVE-2020-28021: New-line injection into spool header
file.
+ CVE-2020-28009: Integer overflow in get_stdinput()
+ CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
+ CVE-2020-28012: Missing close-on-exec flag for privileged pipe
+ CVE-2020-28019: Failure to reset function pointer after BDAT error
+ CVE-2020-28007: Link attack in Exim's log directory
+ CVE-2020-28008: Assorted attacks in Exim's spool directory
+ CVE-2020-28014, CVE-2021-27216: Arbitrary PID file creation, clobbering,
and deletion.
.
exim4 (4.92-8+deb10u5) buster; urgency=medium
.
* Fix use of concurrent TLS connections under GnuTLS:
80_01-GnuTLS-fix-hanging-callout-connections.patch
80_02-GnuTLS-tls_write-wait-after-uncorking-the-session.patch
80_03-GnuTLS-Do-not-care-about-corked-data-when-uncorking.patch
(Thanks, Heiko Schlittermann for the backport)
* Pull 82_TLS-use-RFC-6125-rules-for-certifucate-name-checks-w.patch from
upstream git (already included in 4.94), on TLS connections to a CNAME
verify the certificate against the original CNAME instead of against
the A record. Closes: #985243
* In README.Debian explicitly document the limitation/extent of server
certificate checking (authenticity not enforced) in the default
configuration (Thanks, Jö Fahlke). This Closes: #985244 (improved
documentation and Closes: #985344 (Yes, without required cert
checking MitM attacks are possible, but for a stable update documenting
this is the best compromise.)
Clinton Ebadi [Sat, 20 Jun 2020 20:33:34 +0000 (16:33 -0400)]
Merge branch 'debian'
Andreas Metzler [Wed, 13 May 2020 16:01:31 +0000 (18:01 +0200)]
Import Debian changes 4.92-8+deb10u4
exim4 (4.92-8+deb10u4) buster-security; urgency=high
* Fix authentication bypass in SPA authenticator due to out-of-bound buffer
read. https://bugs.exim.org/show_bug.cgi?id=2571 CVE-2020-12783
Clinton Ebadi [Sun, 16 Feb 2020 04:26:09 +0000 (23:26 -0500)]
release hcoop build of 4.92+deb10u3
Clinton Ebadi [Sun, 16 Feb 2020 04:24:32 +0000 (23:24 -0500)]
refresh hcoop patch for exim 4.92
Clinton Ebadi [Sun, 16 Feb 2020 04:17:42 +0000 (23:17 -0500)]
Merge branch 'debian'
Andreas Metzler [Fri, 27 Sep 2019 16:09:35 +0000 (18:09 +0200)]
Import Debian changes 4.92-8+deb10u3
exim4 (4.92-8+deb10u3) buster-security; urgency=high
* 78_02-Fix-buffer-overflow-in-string_vformat.-Bug-2449.patch:
Fix buffer overflow in string_vformat.
exim4 (4.92-8+deb10u2) buster-security; urgency=high
* 78_01-string.c-do-not-interpret-before-0-CVE-2019-15846.patch Fix SNI
related buffer overflow. CVE-2019-15846
exim4 (4.92-8+deb10u1) buster-security; urgency=high
* Fix remote command execution vulnerability related to
"${sort}"-expansion. CVE-2019-13917 OVE-
20190718-0006
exim4 (4.92-8) unstable; urgency=low
* Pulled from exim-4.92+fixes branch:
+ 75_11-GnuTLS-fix-tls_out_ocsp-under-hosts_request_ocsp.patch
Fix expansion of $tls_out_ocsp under hosts_request_ocsp.
+ 75_12-GnuTLS-fix-the-advertising-of-acceptable-certs-by-th.patch
When tls_verify_certificates was set to a directory instead of a file
exim/GnuTLS would still send out the list of accepted certificates,
This did not match documented behavior.
+ 75_13-Use-dsn_from-for-success-DSN-messages.-Bug-2404.patch
The dsn_from option was not used for DSN success messages.
* Pulled from upstream GIT master:
+ 75_14-Fix-smtp-response-timeout.patch
Fix the timeout on smtp response to apply to the whole response instead
of resetting for every byte received.
+ 75_15-Fix-detection-of-32b-platform-at-build-time.-Bug-240.patch
https://bugs.exim.org/show_bug.cgi?id=2405
${eval } was broken on 32bit archs.
exim4 (4.92-7) unstable; urgency=medium
* Upload to unstable.
exim4 (4.92-6) experimental; urgency=medium
* Revert 90_localscan_dlopen.dpatch removal to give Magnus some chance for
debugging sa-exim.
* Set HAVE_LOCAL_SCAN=yes in EDITME.
* Upload to experimental.
exim4 (4.92-5) unstable; urgency=medium
* Improved spam-scanning example with accompaning information in
README.Debian. Explicitly warn about adding the default SpamAssassin
report in a header, which Closes: #774553
* Drop 90_localscan_dlopen.dpatch. (It has been non-functional for a couple
of months.) Closes: #925982 Add a Conflicts for sa-exim, which relied on
the (working) version of the patch. Drop exim4-dev package. Add a NEWS
entry for this change.
exim4 (4.92-4) unstable; urgency=medium
* Another patch from exim-4.92+fixes branch:
75_10-Harden-plaintext-authenticator.patch
exim4 (4.92-3) unstable; urgency=medium
* Pull fixes from exim-4.92+fixes branch.
+ 75_05-Fix-expansions-for-RFC-822-addresses-having-comments.patch
+ 75_06-Docs-Add-note-on-lsearch-for-IPv4-mapped-IPv6-addres.patch
+ 75_07-Fix-crash-from-SRV-lookup-hitting-a-CNAME.patch
+ 75_08-Logging-fix-initial-listening-on-log-line.patch
+ 75_09-OpenSSL-Fix-aggregation-of-messages.patch
exim4 (4.92-2) unstable; urgency=medium
* Upload to unstable.
exim4 (4.92-1) experimental; urgency=medium
* Point watchfile to release directory again.
* New upstream stable release, identical to rc6 except for the version
string.
* Pull fixes from exim-4.92+fixes branch.
+ 75_01-Fix-json-extract-operator-for-unfound-case.patch
+ 75_02-Fix-transport-buffer-size-handling.patch
+ 75_03-Fix-info-on-using-local_scan-in-the-default-Makefile.patch
+ 75_04-GnuTLS-Fix-client-detection-of-server-reject-of-clie.patch
* Upload to experimental while waiting for rc6 to migrate.
exim4 (4.92~RC6-1) unstable; urgency=low
* New upstream snapshot rc6, includes
40_01-Fix-dkim_verify_signers-option.-Bug-2366.patch.
exim4 (4.92~RC5-2) unstable; urgency=high
* In init script use start-stop-daemon directly instead of lsb-base's
killproc which currently fails to pass on the executable name to s-s-d
(921558). This broke with s-s-d 1.19.2 which (for security reasons)
requires further filtering arguments in addition to --pidfile when the pid
file is not owned by root. Closes: #921205
exim4 (4.92~RC5-1) unstable; urgency=medium
* New upstream snapshot rc5.
* 40_01-Fix-dkim_verify_signers-option.-Bug-2366.patch: dkim_verify_signers
was ignored.
exim4 (4.92~RC4-3) unstable; urgency=medium
* Refresh debian/upstream/signing-key.asc from
https://downloads.exim.org/Exim-Maintainers-Keyring.asc.
* Drop outdated pointers to alioth package homepage from README.Debian.
* Update exim4-config Breaks to enforce upgrade to daemon binary package
with DANE support. Closes: #919902
* [lintian] Minimize upstream/signing-key.asc.
exim4 (4.92~RC4-2) unstable; urgency=medium
* Upload to unstable.
exim4 (4.92~RC4-1) experimental; urgency=low
* New upstream version.
+ Drop 75_GnuTLS-repeat-lowlevel-read-and-write-operations-whi.patch.
+ Unfuzz patches.
exim4 (4.92~RC3-1) unstable; urgency=low
* Add 75_GnuTLS-repeat-lowlevel-read-and-write-operations-whi.patch from
upstream GIT master, fixing outgoing TLS 1.3.
https://bugs.exim.org/show_bug.cgi?id=2359
* New upstream version.
* Upload to unstable.
exim4 (4.92~RC2-1) experimental; urgency=low
* New upstream version.
+ Drop 75_01-Fix-parsing-of-option-type-Kint-integer-stored-in-K-.patch
exim4 (4.92~RC1-1) experimental; urgency=low
* Update upstream/signing-key.asc from
https://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc, adding
96E4754B8F93C1B239F1A95785BCF7AC6735A680 while removing
1F9C181B1E83D2099F02C95AC4F4F94804D29EBA and
FAA1C7F9CD077DC4304BC0C885AB833FDDC03262.
* New upstream release candidate:
+ Point watchfile to test subdir.
+ Update watchfile to handle -RC1 in addition to _RC1.
+ Drop 75_fixes*.patch.
+ Unfuzz 32_exim4.dpatch and 90_localscan_dlopen.dpatch
+ Update configuration from upstream example, except for
tls_sni/tls_require_ciphers settings on remote_smtp_smarthost transport:
* Enable dns_dnssec_ok.
* Set dnssec_request_domains = * on dnslookup and
dnslookup_relay_to_domains routers.
* Set hosts_try_dane = */dnssec_request_domains = * on remote_smtp
transport unless REMOTE_SMTP_DISABLE_DANE is set.
* Set multi_domain on remote_smtp_smarthost transport.
* Post release updates:
+ 75_01-Fix-parsing-of-option-type-Kint-integer-stored-in-K-.patch
exim4 (4.91-9) unstable; urgency=low
* Run "wrap-and-sort --max-line-length=72 --short-indent" and add back
autodeleted comments.
* Update from exim-4_91+fixes branch:
+ 75_fixes_26-Fix-bad-use-of-library-copying-string-over-itself.patch
+ 75_fixes_27-Fix-cyrus-sasl-authenticator-for-authenticated_fail_.patch
+ 75_fixes_28-Avoid-leaving-domain-live-with-bogus-info-during-ser.patch
+ 75_fixes_29-Fix-AUTH_GSASL-build.patch
+ 75_fixes_30-Harden-string-list-handling.patch
exim4 (4.91-8) unstable; urgency=low
[ Andreas Metzler ]
* Update from exim-4_91+fixes branch:
+ 75_fixes_18-Restore-Darwin-OS-configuration.patch
+ 75_fixes_20-Fix-filter-noerror-command.-Bug-2318.patch
+ 75_fixes_21-DANE-fix-TA-mode-verify-under-GnuTLS.-Bug-2311.patch
+ 75_fixes_22-Testsuite-track-newer-GnuTLS-behaviour.patch
+ 75_fixes_24-DANE-ignore-undersized-TLSA-records.patch
+ 75_fixes_25-Logging-do-not-log-a-missing-proxy-address-on-delive.patch
[ Marc Haber ]
* Move definition of CHECK_RCPT_*_LOCALPARTS macro to acl file proper.
exim4 (4.91-7) unstable; urgency=low
* Update from exim-4_91+fixes branch:
+ 75_fixes_16-Fix-non-EVENTS-build.patch
+ 75_fixes_17-Fix-cutthrough-delivery-for-more-than-one-iteration-.patch
exim4 (4.91-6) unstable; urgency=low
* Update from exim-4_91+fixes branch:
+ 75_fixes_13-DKIM-Fix-signing-for-body-lines-starting-with-a-pair.patch
+ 75_fixes_14-ARC-Fix-verification-to-do-AS-checks-in-reverse-orde.patch
+ 75_fixes_15-I18N-Fix-protocol-recorded-for-a-multi-SMTPUTF8-mess.patch
* [lintian] Do not run mininal testsuite with DEB_BUILD_OPTIONS=nocheck.
(override_dh_auto_test-does-not-check-DEB_BUILD_OPTIONS)
exim4 (4.91-5) unstable; urgency=medium
* Update from exim-4_91+fixes branch:
+ 75_fixes_10-Use-serial-number-1-for-self-generated-selfsigned-ce.patch
+ 75_fixes_11-Fix-logging-of-cmdline-args-when-starting-in-an-unli.patch
+ 75_fixes_12-ARC-Fix-signing-for-case-when-DKIM-signing-failed.patch
exim4 (4.91-4) unstable; urgency=medium
* Update from exim-4_91+fixes branch:
+ 75_fixes_06-Cutthrough-fix-race-resulting-in-duplicate-delivery..patch
+ 75_fixes_07-tidying.patch
+ 75_fixes_08-ARC-fix-crash-on-signing-with-missing-key-file.patch
+ 75_fixes_09-Content-scanning-Fix-locking-on-message-spool-files..patch
* [lintian] Delete trailing empty lines in changelog.
exim4 (4.91-3) unstable; urgency=medium
* Update from exim-4_91+fixes branch:
+ 75_fixes_01-Belated-README.UPDATING-notes-for-Exim-4.91.patch
+ 75_fixes_02-Avoid-doing-logging-in-signal-handlers.-Bug-1007.patch
+ 75_fixes_03-Fix-typo-in-arc.-Bug-2262.patch
+ 75_fixes_04-Fix-OpenSSL-non-OCSP-build.patch
+ 75_fixes_05-DKIM-enforce-limit-of-20-on-received-DKIM-Signature-.patch
+ Move 50_localscan_dlopen.dpatch to end of patch series and rename to
90_... to preserve alphanumeric patch ordering.
* Add log_message for local blacklists to improve log readability. (Patch by
Dominic Hargreaves).
exim4 (4.91-2) unstable; urgency=low
* Upload to unstable.
exim4 (4.91-1) experimental; urgency=medium
* Point watchfile to release directory again and use downloads.exim.org
host.
* New upstream version.
* Tighten b-d on libgnutls28-dev to >= 3.5.7, earlier Debian packages did
not ship libgnutls-dane0.
exim4 (4.91~RC4-1) experimental; urgency=medium
* New upstream version.
exim4 (4.91~RC3-1) experimental; urgency=medium
* New upstream version.
* Point vcs* to salsa.
exim4 (4.91~RC2-1) experimental; urgency=medium
* New upstream version.
Drop 75_01-Fix-heavy-pipeline-SMTP-command-input-corruption.-Bu.patch
exim4 (4.91~RC1-1) experimental; urgency=medium
* Point watchfile to test subdirectory.
* New upstream version:
+ Drop debian/patches/75_*.
+ Update example.conf.md5.
Upstream now enables verify = header_syntax check in default config,
mirror this change in Debian, introduce
NO_CHECK_DATA_VERIFY_HEADER_SYNTAX macro to override this.
* Build with newly available (well, for GnuTLS) DANE support.
* Pull 75_01-Fix-heavy-pipeline-SMTP-command-input-corruption.-Bu.patch from
upstream master, fixing https://bugs.exim.org/show_bug.cgi?id=2250.
exim4 (4.90.1-5) unstable; urgency=medium
* Update from exim-4_90+fixes branch:
75_15-Pipe-transport-part-two.-Bug-2257.patch
75_16-Fix-spool_wireformat-final-dot-on-LMTP-transport.-Bu.patch
75_17-Cutthrough-enforce-non-use-in-combination-with-DKIM-.patch
exim4 (4.90.1-4) unstable; urgency=medium
* Update from exim-4_90+fixes branch:
75_11-DMARC-add-variables-to-list-of-those-now-unused-at-t.patch
75_12-Fix-heavy-pipeline-SMTP-command-input-corruption.-Bu.patch
75_13-Unbreak-DMARC.patch
75_14-Fix-pipe-transport-to-not-use-a-socket-only-syscall..patch
exim4 (4.90.1-3) unstable; urgency=medium
* Update from exim-4_90+fixes branch:
75_07-Fix-ldap-lookups-for-zero-length-attribute-value.-Bu.patch
75_08-Mark-variables-unused-before-release-of-store-in-the.patch
75_09-Mark-variables-unused-before-release-of-store-in-the.patch
75_10-Mark-variables-that-are-unused-before-release-of-sto.patch
exim4 (4.90.1-2) unstable; urgency=medium
* Update from exim-4_90+fixes branch:
75_01-ACL-Enforce-non-usability-of-control-utf8_downconver.patch
75_02-Fix-memory-leak-during-multi-message-reception-using.patch
75_03-OpenSSL-Fix-memory-leak-during-multi-message-connect.patch
75_04-Fix-exim_dbmbuild-to-permit-directoryless-filenames..patch
75_05-OpenSSL-revert-needless-free-of-certificate-list.-Th.patch
75_06-I18N-Fix-utf8_downconvert-propagation-through-a-redi.patch
exim4 (4.90.1-1) unstable; urgency=high
* New upstream version, fixing CVE-2018-6789. Closes: #890000
+ Drop 75_*.patch.
exim4 (4.90-7) unstable; urgency=medium
* Update from exim-4_90+fixes branch. (exim-4.90.0.27)
+ 75_21-DKIM-fix-buffer-overflow-in-verify.patch
+ 75_22-Repair-Heimdal-GSSAPI-authenticator-init.patch
+ 75_23-Repair-Heimdal-GSSAPI-authenticator-init-part-2.patch
* Typo fixes in old patch descriptions. (Thanks, lintian!)
exim4 (4.90-6) unstable; urgency=medium
* Update from exim-4_90+fixes branch.
+ 75_17-Cutthrough-fix-for-port-number-defined-by-router.-Bu.patch
+ 75_18-GnuTLS-fix-to-ignore-timeout-on-unrelated-callout-co.patch
Closes: #887489
+ 75_19-Build-.git-may-be-a-file-when-this-repo-is-a-submodu.patch
+ 75_20-Debugging-fix-potential-null-derefs-in-DSN-debug_pri.patch
exim4 (4.90-5) unstable; urgency=low
* Add 75_16-Cutthrough-fix-multi-message-initiating-connections.patch from
exim-4_90+fixes branch.
* Improved exim4-daemon-custom documentation by Gedalya. Closes: #887971
* [update-exim4.conf] stop converting variables set to an empty value in
/etc/exim4/update-exim4.conf.conf to exim macros with a literal value of
"empty" in the generated configuration. Thanks, Gedalya. Closes: #887972
exim4 (4.90-4) unstable; urgency=low
* Update from exim-4_90+fixes branch.
75_13-Lookups-fix-mysql-lookup-returns-for-no-data-queries.patch
75_14-Fix-D-string-expansion-to-not-use-millisec.patch
75_15-DKIM-DNS-records-having-no-v-tag-are-acceptable.-Bug.patch
exim4 (4.90-3) unstable; urgency=medium
* Three more patches from exim-4_90+fixes branch:
75_10-Fix-issue-with-continued-connections-when-the-DNS-sh.patch
75_11-MIME-ACL-fix-SMTP-response-for-non-accept-result-of-.patch
75_12-DKIM-permit-dkim_private_key-to-override-dkim_strict.patch
exim4 (4.90-2) unstable; urgency=medium
* Update to exim-4_90+fixes branch:
+ Replace 75_Lookups-fix-pgsql-multiple-row-single-column-return.patch.
+ 75_01-TLS-Fix-excessive-calling-of-smtp_auth_acl-under-AUT.patch
+ 75_02-TLS-avoid-calling-smtp_auth_acl-on-client-cert-when-.patch
+ 75_03-Debug-fix-coding-in-dnssec-reporting.-Bug-2205.patch
+ 75_04-DKIM-Ignore-non-DKIM-TXT-records-in-DNS-response.-Bu.patch
+ 75_05-Fix-build-of-nisplus-lookup.patch
+ 75_06-Fix-const-issue-in-nisplus-lookup.patch
+ 75_08-DKIM-tighter-checking-while-parsing-signature-header.patch
+ 75_09-Fix-crash-associated-with-dnsdb-lookup-done-from-DKI.patch
exim4 (4.90-1) unstable; urgency=low
* rc4 released as 4.90.
* Point watchfile to release directory again.
* 75_Lookups-fix-pgsql-multiple-row-single-column-return.patch from upstream
GIT master branch. Fix pgsql lookup for multiple result-tuples with a
single column. Previously only the last row was returned.
https://lists.exim.org/lurker/message/
20171223.102237.
a53dd5bd.en.html
* Simplify debian/rules and make it usable with dh v10 compat. The
fine-grained support for selecting the to be built packages (-custom with
or without -base) was dropped. The build process is now controlled by
attaching tasks to dh-override hooks instead of using file dependencies,
makefile-style. The latter broke with dh v10 due to upstream's
build-system which always has the main targets out-of-date inter alia due
to the compile-number feature.
* Use hardening=+all instead of hardening=+bindnow,+pie. (Does not change
buildflags ATM.)
* Use debhelper v10 compat.
* Drop override_dh_strip-arch, we have had enough toolchain and
source changes to prevent file conflicts.
exim4 (4.90~RC4-1) unstable; urgency=medium
* New upstream version.
exim4 (4.90~RC3-2) unstable; urgency=low
* Upload to unstable.
* Point homepage to https URL.
exim4 (4.90~RC3-1) experimental; urgency=medium
* New upstream version.
+ Fix a use-after-free while reading smtp input for header lines.
A crafted sequence of BDAT commands could result in in-use memory
being freed. CVE-2017-16943. Closes: #882648
+ Fix checking for leading-dot on a line during headers reading
from SMTP input. Previously it was always done; now only done for
DATA and not BDAT commands. CVE-2017-16944 Closes: #882671
* Drop 78_Disable-chunking-BDAT-by-default.patch again.
exim4 (4.90~RC2-3) experimental; urgency=medium
* As a workaround for the yet-unfixed security vulnerability resurrect (and
adapt for 4.90) 78_Disable-chunking-BDAT-by-default.patch (dropped in
4.89-4) to disable both incoming and outgoing BDAT/CHUNKING. #882648
https://lists.exim.org/lurker/message/
20171125.034842.
d1d75cac.en.html
exim4 (4.90~RC2-2) experimental; urgency=low
* B-d on lynx, instead of lynx-cur | lynx.
exim4 (4.90~RC2-1) experimental; urgency=low
* New upstream release candidate.
+ Unfuzz patches, drop 40_reproducible_build.diff and
75_fix_ftbfs_SOURCE_DATE_EPOCH.diff.
+ Refresh debian/example.conf.md5, No changes to Debian's configuration
needed, upstream added a (commented) entry to change OpenSSL ciphers.
exim4 (4.90~RC1-1) experimental; urgency=low
* New upstream release candidate.
+ Point watchfile to test subdirectory.
+ Update 40_reproducible_build.diff
+ Drop 75_fixes*.patch and
80_Repair-manualroute-transport-name-not-last-option.patch.
+ Unfuzz EDITME*.diff
+ 75_fix_ftbfs_SOURCE_DATE_EPOCH.diff Fix build-error when
SOURCE_DATE_EPOCH is set.
* Drop trailing whitespace in debian/README.source, debian/changelog and
debian/rules. (Thanks, lintian)
* Drop debian/README.source and outdated parts of debian/copyright.
exim4 (4.89-13) unstable; urgency=high
* 75_fixes_21-Chunking-do-not-treat-the-first-lonely-dot-special.-.patch
from exim-4_89+fixes branch. Closes: #882671 CVE-2017-16944
exim4 (4.89-12) unstable; urgency=high
* Sync with exim-4_89+fixes branch:
+ 75_fixes_19-Fix-mariadb-mysql-macro-confusion.patch
+ 75_fixes_20-Avoid-release-of-store-if-there-have-been-later-allo.patch
Closes: #882648 (use-after-free, remote-code-execution) CVE-2017-16943
* Update EDITME* for 75_fixes_19-Fix-mariadb-mysql-macro-confusion.patch.
exim4 (4.89-11) unstable; urgency=critical
* B-d on lynx, instead of lynx-cur | lynx.
exim4 (4.89-10) unstable; urgency=critical
* As a workaround for the yet-unfixed security vulnerability resurrect
78_Disable-chunking-BDAT-by-default.patch (dropped in 4.89-4) to disable
both incoming and outgoing BDAT/CHUNKING. #882648
https://lists.exim.org/lurker/message/
20171125.034842.
d1d75cac.en.html
exim4 (4.89-9) unstable; urgency=medium
* Upload to unstable.
exim4 (4.89-8) experimental; urgency=low
* Sync with exim-4_89+fixes branch:
75_fixes_17-Fix-queue_run_in_order-to-ignore-the-PID-portion-of-.patch
75_fixes_18-Use-safer-routine-for-possibly-overlapping-copy.patch
* Point watchfile to https site.
exim4 (4.89-7) unstable; urgency=low
* In debian/rules' manually called update-mtaconflicts target use
grep-aptavail instead of hard-coding /var/lib/apt/lists/.
(Thanks, Julian Andres Klode) Closes: #874772
* Update debian/mtalist.
* Sync with exim-4_89+fixes branch:
75_fixes_13-Document-CVE-assignment-for-Berkeley-DB-issue.patch
75_fixes_14-DKIM-fix-signing-bug-induced-by-total-size-of-parame.patch
75_fixes_15-SOCKS-fix-unitialized-pointer.patch
75_fixes_16-Fix-crash-in-transport-on-second-smtp-connect-fail-f.patch.
exim4 (4.89-6) unstable; urgency=medium
* Use "runuser --command ..." instead of "su - --command ..." in
exim4-base.cron.daily to avoid invoking pam_systemd. Closes: #871688
(Thanks, Jakobus Schürz)
* Sync priorities with override file: exim4{,-base,-config,-daemon-light}
optional from standard, exim4-dev optional from extra.
* In debian/rules when setting up the build-tree for -custom also copy
EDITME.eximon to allow building based on EDITME.exim4-light with eximon
building *not* disabled. (Thanks, Marko von Oppen) Closes: #783813
exim4 (4.89-5) unstable; urgency=medium
* Update to exim-4_89+fixes branch:
75_fixes_01-Start-exim-4_89-fixes-to-cherry-pick-some-commits-fr.patch
75_fixes_02-Cleanup-prevent-repeated-use-of-p-oMr-to-avoid-mem-l.patch
(replaces 79_CVE-2017-
1000369.patch)
75_fixes_03-Fix-log-line-corruption-for-DKIM-status.patch (replaces
81_Fix-log-line-corruption-for-DKIM-status.patch)
75_fixes_04-Openssl-disable-session-tickets-by-default-and-sessi.patch
75_fixes_05-Transport-fix-smtp-under-combo-of-mua_wrapper-and-li.patch
75_fixes_07-Openssl-disable-session-tickets-by-default-and-sessi.patch
75_fixes_08-Transport-fix-smtp-under-combo-of-mua_wrapper-and-li.patch
75_fixes_09-Use-the-BDB-environment-so-that-a-database-config-fi.patch
(CVE-2017-10140)
75_fixes_10-Fix-cache-cold-random-callout-verify.-Bug-2147.patch
75_fixes_11-On-callout-avoid-SIZE-every-time-but-noncacheable-rc.patch
75_fixes_12-Fix-build-for-earlier-version-Berkeley-DB.patch
* Simplify debian/rules by including buildflags.mk unconditionally which was
introduced in dpkg 1.16.1 released in October 2011.
* Use pkg-info.mk to get package-version, upstream-version and
SOURCE_DATE_EPOCH. For the latter fall back to current time if it is not
provided by pkg-info.mk.
* [lintian] In *daemon.postinst use which certtool instead of
[ -x /usr/bin/certtool ] to check for availablility of the command.
exim4 (4.89-4) unstable; urgency=low
* 80_Repair-manualroute-transport-name-not-last-option.patch from GIT
master: Starting with 4.85 a transport name needed to specified after
options in route_list. Closes: #865287
* Add 81_Fix-log-line-corruption-for-DKIM-status.patch from GIT master.
* Drop 78_Disable-chunking-BDAT-by-default.patch, enable BDAT/Chunking by
default.
* Standards-Version: 4.0.0
+ Do not check for availability of invoke-rc.d, use it always and do not
fall back to invoking the init-script directly.
+ Drop eximon menu file.
* Migrate to automatic debug packages. Bump b-d on debhelper since
--dbgsym-migration was introduced in debhelper 9.
20160114.
exim4 (4.89-3) unstable; urgency=high
* Re-upload to unstable.
Clinton Ebadi [Sun, 16 Feb 2020 04:06:36 +0000 (23:06 -0500)]
Import Upstream version 4.92
Clinton Ebadi [Fri, 6 Sep 2019 18:23:36 +0000 (14:23 -0400)]
Merge branch 'debian'
Andreas Metzler [Tue, 3 Sep 2019 18:01:38 +0000 (20:01 +0200)]
Import Debian changes 4.89-2+deb9u6
exim4 (4.89-2+deb9u6) stretch-security; urgency=high
* 85_01-string.c-do-not-interpret-before-0-CVE-2019-15846.patch Fix SNI
related buffer overflow. CVE-2019-15846
Andreas Metzler [Sat, 20 Jul 2019 11:32:35 +0000 (13:32 +0200)]
Import Debian changes 4.89-2+deb9u5
exim4 (4.89-2+deb9u5) stretch-security; urgency=high
* Fix remote command execution vulnerability related to
"${sort}"-expansion. CVE-2019-13917 OVE-
20190718-0006
Clinton Ebadi [Thu, 6 Jun 2019 23:36:26 +0000 (19:36 -0400)]
Merge branch 'debian'
New upstream security release
Salvatore Bonaccorso [Tue, 28 May 2019 20:13:55 +0000 (22:13 +0200)]
Import Debian changes 4.89-2+deb9u4
exim4 (4.89-2+deb9u4) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fix remote command execution vulnerability (CVE-2019-10149)
exim4 (4.89-2+deb9u3) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fix base64d() buffer size (CVE-2018-6789) (Closes: #890000)
exim4 (4.89-2+deb9u2) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* Avoid release of store if there have been later allocations
(CVE-2017-16943) (Closes: #882648)
* Chunking: do not treat the first lonely dot special (CVE-2017-16944)
(Closes: #882671)
exim4 (4.89-2+deb9u1) stretch-security; urgency=medium
* CVE-2017-100369
exim4 (4.89-2) unstable; urgency=medium
* Revert addition of header "# pidfile: /var/run/exim4/exim.pid" to
initscript (#844178). It breaks when the initscript does not start a
daemon but only runs update-exim4.conf. (inetd or QUEUERUNNER='nodaemon').
Closes: #860317
* When reporting bugs also attach /etc/default/exim4 by default.
exim4 (4.89-1) unstable; urgency=medium
* Enable inbound (server-side) proxying for -heavy. Closes: #856712
* New upstream release, source identical to RC7.
exim4 (4.89~RC7-1) unstable; urgency=medium
* New upstream version.
exim4 (4.89~RC6-1) unstable; urgency=medium
* Document E4BCD_PANICLOG_LINES in README.Debian.
* New upstream version.
exim4 (4.89~RC5-1) unstable; urgency=medium
* New upstream version.
exim4 (4.89~RC4-1) unstable; urgency=medium
* New upstream version.
+ Drop 92_CVE-2016-1238.diff.
* Use /run/exim4/ instead of legacy directory /var/run/exim4 for pidfile
while we are changing the init script.
exim4 (4.89~RC3-1) unstable; urgency=medium
* New upstream version.
+ Unfuzz 92_CVE-2016-1238.diff.
* init file:
+ Source /etc/default/exim4 *before* defining the shell
variables holding the pidfilenames. Overriding these via
/etc/default/exim4 is not supported.
+ Add missing support for reload when QUEUERUNNER='queueonly'.
+ For QUEUERUNNER='queueonly' use $PIDFILE instead of $QRPIDFILE. This way
$PIDFILE is used for the main exim process for all available QUEUERUNNER
choices.
+ Add header "# pidfile: /var/run/exim4/exim.pid" for improved systemd
interaction. systemd-sysv-generator uses this pseudoheader to set
PIDFile in the generated service file and it also sets
RemainAfterExit=no instead of yes if it is present. Thanks, Michael
Biebl for suggestion and explanation. Closes: #844178
exim4 (4.89~RC2-1) unstable; urgency=medium
* New upstream version.
+ Drop 75_add_bak_spec.txt.diff.
exim4 (4.89~RC1-1) unstable; urgency=low
* Refresh debian/upstream/signing-key.asc.
* New upstream bugfix release.
+ Drop superfluous patches.
75_00_DKIM-More-validation-of-DNS-key-record.-Bug-1926.patch
75_01_DKIM-Under-debug-when-signing-do-an-extra-check-on-t.patch
75_02_Do-not-call-ldap_start_tls_s-on-ldapi-connections.patch
75_03_PROXY-fix-v2-protocol-decode.-Bugs-2003-1747.patch
75_04_CHUNKING-fix-non-pipelined-synch-checks.-Bug-2004.patch
+ Unfuzz 31_eximmanpage.dpatch and
78_Disable-chunking-BDAT-by-default.patch.
+ Add 75_add_bak_spec.txt.diff - spec.txt and filter.txt missing in rc
tarball.
+ Unfuzz debian/EDITME.exim4-*.
+ Update debian/example.conf.md5. - Upstream typo fix.
exim4 (4.88-5) unstable; urgency=medium
* 78_Disable-chunking-BDAT-by-default.patch: Change default value of main
option chunking_advertise_hosts and smtp transport option
hosts_try_chunking from "*" to empty.
This is a Debian specific change, we are right before the freeze and BDAT
needs a little time.
exim4 (4.88-4) unstable; urgency=medium
* Upload to unstable.
exim4 (4.88-3) experimental; urgency=medium
* Pull multiple patches from upstream GIT:
+ 75_00_DKIM-More-validation-of-DNS-key-record.-Bug-1926.patch,
75_01_DKIM-Under-debug-when-signing-do-an-extra-check-on-t.patch
+ 75_02_Do-not-call-ldap_start_tls_s-on-ldapi-connections.patch
+ 75_03_PROXY-fix-v2-protocol-decode.-Bugs-2003-1747.patch
+ 75_04_CHUNKING-fix-non-pipelined-synch-checks.-Bug-2004.patch
(Thanks, Bart Noordervliet for the pointer) Closes: #850175
exim4 (4.88-2) unstable; urgency=medium
* Upload to unstable.
exim4 (4.88-1) experimental; urgency=medium
* New upstream version.
* Upload to experimental, let (almost identical) 4.88~RC6-2 propagate to
testing.
* Drop 75_Fix-DKIM-information-leakage.patch.
exim4 (4.88~RC6-2) unstable; urgency=high
* Add macro IGNORE_SMTP_LINE_LENGTH_LIMIT to allow disabling the SMTP DATA
physical line limit check for both for SMTP DATA ACL and remote_smtp*
transports. Closes: #828801
Also update corresponding NEWS entry.
* [lintian] debian/changelog: s/lenght/length/
* Pull 75_Fix-DKIM-information-leakage.patch from upstream GIT, fixing DKIM
information leakage issue CVE-2016-9963.
exim4 (4.88~RC6-1) unstable; urgency=low
* New upstream version.
exim4 (4.88~RC5-1) unstable; urgency=low
* New upstream version.
+ Drop 75_01-Ensure-socket-is-nonblocking-before-draining.diff.
exim4 (4.88~RC4-2) unstable; urgency=low
* Pull 75_01-Ensure-socket-is-nonblocking-before-draining.diff from upstream
GIT to fix exim bug 1914 (exim doesn't close connection after quit.
* Upload to unstable.
exim4 (4.88~RC4-1) experimental; urgency=low
* New upstream version.
exim4 (4.88~RC3-1) experimental; urgency=medium
* New upstream version.
Drop 75_01-Fix-check-for-commandline-macro-definition.patch
75_02_Fix-bug-with-aborted-server-TLS-connection-under-Gnu.patch.
exim4 (4.88~RC2-3) experimental; urgency=medium
* Fix thinko in exim4-daemon-*.postinst. Do not regenerate gnutls params on
every upgrade.
* 75_02_Fix-bug-with-aborted-server-TLS-connection-under-Gnu.patch: Fix
longstanding bug with aborted TLS server connection handling. Under
GnuTLS, when a session startup failed (eg because the client
disconnected) Exim did stdio operations after fclose. This was exposed by
a recent change which nulled out the file handle after the fclose.
exim4 (4.88~RC2-2) experimental; urgency=medium
* 75_01-Fix-check-for-commandline-macro-definition.patch - Fix permission
problems on commandline mail submission. Closes: #840355
exim4 (4.88~RC2-1) experimental; urgency=low
* New upstream version.
+ Changed default Diffie-Hellman parameters to be Exim-specific, created
by Phil Pennock. Added RFC7919 DH primes as an alternative.
Closes: #839978
* Set tls_dhparam = historic to use site-specific DH parameters.
* Again, ship /usr/share/exim4/exim4_refresh_gnutls-params, use it in
-daemon postinst.
* Initialize /var/spool/exim4/gnutls-params-2048 at daemon install, either
by running certtool or by installing
/usr/share/exim4/gnutls-params-2048. Do not try to use
openssl dhparam, it takes too long.
exim4 (4.88~RC1-1) experimental; urgency=low
* Drop reference to removed (in 4.80-7) "what"-option in init script usage
message. (Thanks, Calum Mackay!) Closes: #823855
* 92_CVE-2016-1238.diff: eximstats: Remove . from @INC [CVE-2016-1238]
Closes: #832442
* [lintian] update-exim4.conf.8 - fix typo.
* [lintian] Drop unused override binaries-have-file-conflict.
* B-d on default-libmysqlclient-dev.
* New upstream version.
+ Refresh patches: 31_eximmanpage.dpatch 32_exim4.dpatch 35_install.dpatch
50_localscan_dlopen.dpatch
+ Drop superfluous patches.
71_01_configure.default-nice-message-for-overlong-lines-Bu.patch
71_02_Delivery-quieten-smtp-transport-conn-reuse-vs.-deliv.patch
71_03_Avoid-exposing-passwords-in-log-on-failing-ldap-look.patch
71_04_Avoid-exposing-passwords-in-log-on-failing-ldap-look.patch
+ Fix crash in VRFY handling when handed an unqualified name
(lacking @domain). Apply the same qualification processing as RCPT.
Closes: #834699
+ Fix a possible security hole, wherein a process operating with the Exim
UID can gain a root shell. Credit to http://www.halfdog.net/ for
discovery and writeup. LP: #
1580454
* [lintian] exim4-config_files.5 - fix typo.
exim4 (4.87-3) unstable; urgency=medium
* Pull multiple patches from upstream GIT:
+ 71_01_configure.default-nice-message-for-overlong-lines-Bu.patch
Improved message on overlong lines in example config.
+ 71_02_Delivery-quieten-smtp-transport-conn-reuse-vs.-deliv.patch
Fix race condition related to connection reuse.
https://bugs.exim.org/show_bug.cgi?id=1810
+ 71_03_Avoid-exposing-passwords-in-log-on-failing-ldap-look.patch
71_04_Avoid-exposing-passwords-in-log-on-failing-ldap-look.patch
Avoid exposing passwords in log on failing ldap lookup
expansion. https://bugs.exim.org/show_bug.cgi?id=165
* Copy information message on rejecting overlong lines in data ACL from
upstream example configuration. Closes: #823418
* Add NEWS entry on line-length-limit introduced in 4.87~RC1-1.
Closes: 821830
exim4 (4.87-2) unstable; urgency=medium
* Fix reference to README.Debian in 01_exim4-config_listmacrosdefs.
(Thanks, L. Guruprasad!) Closes: #821416
* Add REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS macro to enforce TLS
connections (hosts_require_tls option) in remote_smtp_smarthost
transport. Closes: #822174
* exim4-daemon-heavy: Disable WITH_OLD_DEMIME ("demime" ACL condition). It
is deprecated and will be removed in 4.88.
* README.Debian*: Fix minor issues found by lintian.
* Fix reference to spec.txt in 30_exim4-config_check_rcpt. Closes: #665399
* Drop exim4-base Recommends on perl-modules. This had been unnecessary
since 4.80~rc6-1 which dropped /usr/share/exim4/timeout.pl.
exim4 (4.87-1) unstable; urgency=medium
* Fix comment in
conf.d/transport/30_exim4-config_remote_smtp_smarthost. (Thanks,
Jörg-Volker Peetz!) Closes: #819780
* New upstream release.
exim4 (4.87~RC7-1) unstable; urgency=low
* Enable SOCKS support in both -light and -heavy. Closes: #818091
* Fix typos in configuration. (Thanks, Vincent Lefevre!) Closes: #819482
* New upstream version.
+ Drop 74_Store-the-initial-working-directory.diff,
75_String-expansions-fix-extract.patch,
76_only_warn_on_nonempty_environment.diff.
+ Update debian/example.conf.md5.
exim4 (4.87~RC6-3) unstable; urgency=medium
* Merge changelog entries for 4.86.2-1 and -2.
* Upload to unstable.
* Add link to CVE details to latest NEWS entry and bump its version and date
to match this upload. Closes: #818349, #817244
exim4 (4.87~RC6-2) experimental; urgency=medium
* 74_Store-the-initial-working-directory.diff,
76_only_warn_on_nonempty_environment.diff: Upstream followups on the
CVE fix (Thanks, Heiko Schlittermann!):
+ Runtime warning is only generated if (and only if) keep_environment
is unset and environment is nonempty.
+ Store the initial working directory and make it available in the new
expansion variable $initial_cwd.
* Merge all NEWS.Debian files into a single one, identical for all binary
packages. - Different NEWS files built from a single source package is not
and has not ever been supported by apt-listchanges which is the most
important frontend.
* Add a NEWS entry about the environment related runtime warning.
exim4 (4.87~RC6-1) experimental; urgency=medium
* New upstream version.
* Add 75_String-expansions-fix-extract.patch from upstream GIT, fixing
${extract } string expansion for the numeric/3-string case. (Bug was
introduced in 4.85.)
* Set keep_environment to empty value instead of setting a minimal PATH in
add_environment.
exim4 (4.87~RC5-2) experimental; urgency=medium
* Update debian/upstream/signing-key.asc, using the keys listed in
ftp://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc. This adds
Heiko Schlittermann's key.
* Bump exim4-config Breaks to exim4-daemon-* (<< 4.87~RC5). Closes: #816790
exim4 (4.87~RC5-1) experimental; urgency=medium
* exim4-config.postinst: Test for existence of /etc/inetd.conf before trying
to grep in it. Closes: #814998
* New upstream version, includes the patch for CVE-2016-1531. (Local root
exploit).
* Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the new
options. If neither is used we use add_environment to set a minimal
PATH=/bin:/usr/bin to avoid a runtime warning.
exim4 (4.87~RC3-2) experimental; urgency=medium
* README.Debian: Refer to Exim specification by chapter name instead of
chapter number. Closes: #813351
* Fix some spelling errors found by lintian.
* Minor debian/rules cleanup:
+ Restore originally intended behavior, upstream changelog is only
shipped in exim4-base, symlinks to it elsewhere.
+ Drop workaround for #347577, fixed in debhelper 5.0.15.
+ Use "dh binary-arch" and "dh binary-indep" and a bunch of override
targets instead of listing all dh-commands. While this is uglier and
slows things down a bit it shortens debian/rules by 40 lines and has the
huge benefit that we automatically use all suggested helpers in correct
order.
+ Drop unused variables combinedidbgpackage/dhcombinedidbgpackage.
+ Delete unused, commented code.
+ Drop (exported) variable MTACONFLICTS, used only once.
* Bugfix: Stop build if generation of EDITME.exim4-heavy fails.
* Refresh debian/EDITME.*, -heavy was missing ldap and sql support.
exim4 (4.87~RC3-1) experimental; urgency=medium
* Move Vcs-* from git/http to https.
* [lintian] README.Debian: s/desireable/desirable/.
* [lintian] README.Debian: Fix grammar error "allow + infinitive".
* [lintian] exim4-config.postinst: Use which foo > /dev/null
instead of [ -x /path/to/foo ].
* Update list of patches in debian/README.Debian.xml
* Drop 66_enlarge-dh-parameters-size.dpatch: It does not have any effect
with GnuTLS >= 2.12 and even stable has GnuTLS 3.x.
* New upstream version.
+ Upstream's default rcpt ACL now requires that a HELO/EHLO was accepted,
merge this change and drop CHECK_MAIL_HELO_ISSUED macro.
exim4 (4.87~RC2-1) experimental; urgency=medium
* New upstream version.
exim4 (4.87~RC1-1) experimental; urgency=medium
* New upstream version.
+ Refresh patches.
+ Drop debian/patches/75_00xx*.patch from exim-4_86+fixes branch.
+ Sync with upstream default configuration: Check maximum (physical, i.e.
before unfolding) line length in default spec file data ACL and smtp
transport. Bug 1684 Closes: #797919
+ HS/02 Add the Exim version string to the process info. This way exiwhat
gives some more detail about the running daemon. Closes: #240883
* Override upstream's new default of tls_advertise_hosts = * if
MAIN_TLS_ENABLE is not set.
exim4 (4.86.2-2) unstable; urgency=high
* Bump exim4-config Breaks to exim4-daemon-* (<< 4.86.2). Closes: #816790
exim4 (4.86.2-1) unstable; urgency=high
* Pull 75_0012_Cutthrough-Fix-bug-with-dot-only-line.patch from upstream
4.86+fixes branch.
* New upstream security release for CVE-2016-1531.
+ New options keep_environment/add_environment which are empty by default,
i.e. any subprocesses start in a clean (empty) environment.
+ -C requires an absolute path.
+ Exim changes it's working directory to / right after startup.
* Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the new
options. If neither is used we use add_environment to set a minimal
PATH=/bin:/usr/bin to avoid a runtime warning.
exim4 (4.86-7) unstable; urgency=medium
* Allow arch-indep build (dpkg-buildpackage -A). Closes: #806023
* 75_0011_MIME-fix-crash-on-filenames-having-null-charset.-Bug.patch from
exim-4_86+fixes branch fixes another MIME ACL related crash.
https://bugs.exim.org/show_bug.cgi?id=1730
exim4 (4.86-6) unstable; urgency=medium
* Cleanup (actual patch is identical): Use
75_0009_Avoid-misaligned-access-in-cached-lookup.-Bug-1708.patch from
exim-4_86+fixes branch instad of
76_Avoid-misaligned-access-in-cached-lookup.-Bug-1708.patch.
* Pull 75_0010_DKIM-ignore-space-tab-embedded-in-base64-during-deco.patch,
DKIM: ignore space & tab embedded in base64 during decode. Bug 1700
exim4 (4.86-5) unstable; urgency=high
* Pull 76_Avoid-misaligned-access-in-cached-lookup.-Bug-1708.patch from GIT
head to avoid misaligned access in cached lookup. Closes: #803255
exim4 (4.86-4) unstable; urgency=medium
* Fix documentation of lowuid_aliases router, exceptions are in
CONFDIR/lowuid-aliases not CONFDIR/lowuid_aliases. (Thanks, Tim Krah)
Closes: #799672
* fcron has been removed from Debian in 2011, stop listing it as an
alternative dependency of exim4-base (Thanks, Alexandre Detiste).
Closes: #798236
* Update to upstream exim-4_86+fixes branch:
+ Drop 75_Fix-ESMTP-MAIL-command-option-processing.patch,
76_Fix-post-transport-crash.patch,
77_Fix-post-transport-crash-safeguard-for-missing-spool.patch,
78_Close-logs-after-daemon-process-exceptional-write.patch.
+ Add 75_0001-Fix-post-transport-crash.patch
75_0002-Fix-post-transport-crash-safeguard-for-missing-spool.patch
75_0003-Fix-ESMTP-MAIL-command-option-processing.patch
75_0005-Close-logs-after-daemon-process-exceptional-write.-B.patch
75_0007-DNS-time-limit-cached-returns-using-TTL.-Bug-1395.patch
75_0008-Retry-always-use-interface-if-set-for-retry-DB-key.-.patch
* Use dh v9.
exim4 (4.86-3) unstable; urgency=medium
* Pull three patches from upstream git:
+ 75_Fix-ESMTP-MAIL-command-option-processing.patch:
Corrects handling of mail-addresses with whitespace.
<http://article.gmane.org/gmane.mail.exim.user/97069>
+ 76_Fix-post-transport-crash.patch
77_Fix-post-transport-crash-safeguard-for-missing-spool.patch
<https://bugs.exim.org/show_bug.cgi?id=1671>
* Fix spelling error in copyright file. (Thanks, lintian)
* Pull 77_Fix-post-transport-crash-safeguard-for-missing-spool.patch from
upstream git, exim was keeping logfiles open after after a "too many
connections" event. Closes: #796524, #476958 (Thanks to Andreas Pflug for
chasing this.)
* When saving the berkeley DB version at build-time pass -P option to cpp,
to prevent linebreaks.
exim4 (4.86-2) unstable; urgency=high
* Update exim4-config Breaks, PRDR support is was moved from being
Experimental into the mainline with 4.83.
Closes: #794320
exim4 (4.86-1) unstable; urgency=medium
* New upstream version, identical to RC5 (except for the version string).
exim4 (4.86~RC5-1) unstable; urgency=medium
* New upstream version.
+ Drop 75_Bump-LOCAL_SCAN_ABI_VERSION.patch.
exim4 (4.86~RC4-2) unstable; urgency=medium
* Drop libmysqlclient15-dev alternative build-dependency. Closes: #790463
* Update list of upstream gpg-keys (0x4D1E900E14C1CC04 Phil Pennock,
0x85AB833FDDC03262 Nigel Metheringham, 0xFFC0F14C84C71B6E Tony Finch,
0xC4F4F94804D29EBA Todd Lyons, 0xBCE58C8CE41F32DF Jeremy Harris,
0x63762CDA67E2F359 David Woodhouse, 0xAD5EDBB793EC57E4 Graeme Fowler),
transition from debian/upstream-signing-key.pgp to
debian/upstream/signing-key.asc.
* Pull 75_Bump-LOCAL_SCAN_ABI_VERSION.patch from upstream GIT and update
exim4-localscanapi-x.y provides to 2.0. A binNMU of sa-exim will then
properly fix the issue. Closes: #790616
exim4 (4.86~RC4-1) unstable; urgency=medium
* unexport/undefine TZ in debian/rules for reproducible build. It would be
used as default value for TIMEZONE_DEFAULT.
* New upstream version.
+ Unfuzz 31_eximmanpage.dpatch.
exim4 (4.86~RC3-2) unstable; urgency=medium
* Upload to unstable.
exim4 (4.86~RC3-1) experimental; urgency=medium
* Don't provide default-mta on Ubuntu and Ubuntu-derivatives. See LP-bug
1166671.
* New upstream version.
exim4 (4.86~RC2-1) experimental; urgency=medium
* Drop nowadays unneeded XS-Testsuite: autopkgtest in debian/control
(Thanks, lintian).
* New upstream version:
+Drop included patches.
(-72_0001-Guard-routing-against-a-null-deref.-Bug-1639.patch,
72_0002-Spamd-add-missing-initialiser.-Rspamd-mode-was-incor.patch,
72_0003-DSN-fix-null-deref-when-bounce-is-due-to-conn-timeou.patch,
72_0004-Content-scan-Use-ETIMEDOUT-not-ETIME-as-having-bette.patch)
* Sync Debian config with upstream default config:
+ Set prdr_enable.
+ Add +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified to
log_selector option value.
exim4 (4.86~RC1-3) experimental; urgency=medium
* Get time and date of latest debian/changelog entry and patch exim(on) to
use these instead of __DATE__ and __TIME__.
* Pull 72_0004-Content-scan-Use-ETIMEDOUT-not-ETIME-as-having-bette.patch
from GIT to fix FTBFS on kfreebsd.
exim4 (4.86~RC1-2) experimental; urgency=medium
* Pull three post-release fixes from upstream GIT. (null pointer
derefencing, and spam scanning defaulting to rspam mode)
+ 72_0001-Guard-routing-against-a-null-deref.-Bug-1639.patch
+ 72_0002-Spamd-add-missing-initialiser.-Rspamd-mode-was-incor.patch
+ 72_0003-DSN-fix-null-deref-when-bounce-is-due-to-conn-timeou.patch
exim4 (4.86~RC1-1) experimental; urgency=medium
* New upstream release.
+ Drop 84_Fix-truncation-of-items-in-headers_remove-lists-this.patch,
refresh patches.
+ Update EDITME*, enable AUTH_TLS for -heavy.
+ Sync Debian config with upstream default config, rfc1413 calls are now
disabled by default.
+ Uses MIME format bounce messages (RFC 3461). Closes: #230284,#400741
+ The spamd_address main option now supports an optional timeout value per
server (tmo=timespec), it defaults two 2 minutes. Closes: #297915
+ spamd_address also accepts hostnames and IPv6 addresses. Closes: #751687
+ log reason for defer, on a hostlist dns-lookup temporary error.
Closes: #670035
exim4 (4.85-3) unstable; urgency=medium
* Upload to unstable.
exim4 (4.85-2) experimental; urgency=medium
* Merge from unstable 4.84-8.
+ Tighten dependency of exim4 on exim4-base to (>= ${source:Version}) and
(<< ${source:Version}.1), at least source version, but not the next
sourceful upload. Closes: #777246
+ Pull 84_Fix-truncation-of-items-in-headers_remove-lists-this.patch from
upstream GIT which fixes breakage of string-expansion in headers_remove
commands. (Thanks Gordon Dickens, for the pointer.) -
83_Remove-limit-on-remove_headers-item-size.-Bug-1533.patch not added
here since it already part of 4.85.
exim4 (4.85-1) experimental; urgency=medium
* exim4-config_files.5: Escape dots in regex. (Thanks, ael)
* New upstream version.
exim4 (4.85~RC4-1) experimental; urgency=medium
* update-exim4.conf:
+ Drop unused variable UPEX4C_internal_tmp.
+ Use tempfile(1) if the generated file will not be written to
/var/lib/exim4/.
+ Add --check option.
* init-script: On restart use update-exim4.conf --check before stopping the
daemon. (This is a no-op with systemd since its sysv compat layer
translates "foo restart" into "foo stop" "foo start" instead of using the
init scripts restart target.)
* Handle _RC in watchfile with uversionmangle.
* New upstream version.
+ Stop repacking source, rfcs have been dropped.
exim4 (4.85~RC3+dfsg-1) experimental; urgency=medium
* New upstream version.
exim4 (4.85~RC2+dfsg-1) experimental; urgency=medium
* New upstream version.
* Unfuzz patches: 50_localscan_dlopen.dpatch 67_unnecessaryCopt.diff
70_remove_exim-users_references.dpatch.
exim4 (4.85~RC1+dfsg-1) experimental; urgency=medium
* Unset message_prefix/message_sufix in maildrop_pipe transport. Maildrop
neither expects a mbox-style From nor an empty line add the end. (Thanks,
Edward Betts) Closes: #769396
* Change the init script's restart order from { regenerate_config; stop;
start ; } to { stop; regenerate_config; start ; }. (Thanks, Jakub Warmuz)
Closes: #768874
* New upstream version.
+ Unfuzz 66_enlarge-dh-parameters-size.dpatch
+ Drop 80_mime_empty_charset.diff.
* Remove rfc from upstream source and repack it.
Clinton Ebadi [Sun, 22 Apr 2018 05:15:11 +0000 (01:15 -0400)]
Merge branch 'debian' into hcoop_489_stretch
Salvatore Bonaccorso [Sat, 10 Feb 2018 08:26:05 +0000 (09:26 +0100)]
Import Debian changes 4.89-2+deb9u3
exim4 (4.89-2+deb9u3) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fix base64d() buffer size (CVE-2018-6789) (Closes: #890000)
Clinton Ebadi [Fri, 23 Mar 2018 03:28:38 +0000 (23:28 -0400)]
release
Clinton Ebadi [Fri, 23 Mar 2018 03:25:15 +0000 (23:25 -0400)]
Merge branch 'debian' into hcoop_489
Clinton Ebadi [Fri, 23 Mar 2018 03:22:44 +0000 (23:22 -0400)]
Import Upstream version 4.89
Andreas Metzler [Sun, 25 Feb 2018 14:26:27 +0000 (15:26 +0100)]
Import Debian changes 4.89-2+deb9u3~bpo8+1
exim4 (4.89-2+deb9u3~bpo8+1) jessie-backports; urgency=medium
* Rebuild for jessie-backports.
* b-d on libmysqlclient-dev | libmysqlclient15-dev instead of
default-libmysqlclient-dev.
exim4 (4.89-2+deb9u3) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fix base64d() buffer size (CVE-2018-6789) (Closes: #890000)
exim4 (4.89-2+deb9u2) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* Avoid release of store if there have been later allocations
(CVE-2017-16943) (Closes: #882648)
* Chunking: do not treat the first lonely dot special (CVE-2017-16944)
(Closes: #882671)
exim4 (4.89-2+deb9u1) stretch-security; urgency=medium
* CVE-2017-100369
exim4 (4.89-2) unstable; urgency=medium
* Revert addition of header "# pidfile: /var/run/exim4/exim.pid" to
initscript (#844178). It breaks when the initscript does not start a
daemon but only runs update-exim4.conf. (inetd or QUEUERUNNER='nodaemon').
Closes: #860317
* When reporting bugs also attach /etc/default/exim4 by default.
exim4 (4.89-1) unstable; urgency=medium
* Enable inbound (server-side) proxying for -heavy. Closes: #856712
* New upstream release, source identical to RC7.
exim4 (4.89~RC7-1) unstable; urgency=medium
* New upstream version.
exim4 (4.89~RC6-1) unstable; urgency=medium
* Document E4BCD_PANICLOG_LINES in README.Debian.
* New upstream version.
exim4 (4.89~RC5-1) unstable; urgency=medium
* New upstream version.
exim4 (4.89~RC4-1) unstable; urgency=medium
* New upstream version.
+ Drop 92_CVE-2016-1238.diff.
* Use /run/exim4/ instead of legacy directory /var/run/exim4 for pidfile
while we are changing the init script.
exim4 (4.89~RC3-1) unstable; urgency=medium
* New upstream version.
+ Unfuzz 92_CVE-2016-1238.diff.
* init file:
+ Source /etc/default/exim4 *before* defining the shell
variables holding the pidfilenames. Overriding these via
/etc/default/exim4 is not supported.
+ Add missing support for reload when QUEUERUNNER='queueonly'.
+ For QUEUERUNNER='queueonly' use $PIDFILE instead of $QRPIDFILE. This way
$PIDFILE is used for the main exim process for all available QUEUERUNNER
choices.
+ Add header "# pidfile: /var/run/exim4/exim.pid" for improved systemd
interaction. systemd-sysv-generator uses this pseudoheader to set
PIDFile in the generated service file and it also sets
RemainAfterExit=no instead of yes if it is present. Thanks, Michael
Biebl for suggestion and explanation. Closes: #844178
exim4 (4.89~RC2-1) unstable; urgency=medium
* New upstream version.
+ Drop 75_add_bak_spec.txt.diff.
exim4 (4.89~RC1-1) unstable; urgency=low
* Refresh debian/upstream/signing-key.asc.
* New upstream bugfix release.
+ Drop superfluous patches.
75_00_DKIM-More-validation-of-DNS-key-record.-Bug-1926.patch
75_01_DKIM-Under-debug-when-signing-do-an-extra-check-on-t.patch
75_02_Do-not-call-ldap_start_tls_s-on-ldapi-connections.patch
75_03_PROXY-fix-v2-protocol-decode.-Bugs-2003-1747.patch
75_04_CHUNKING-fix-non-pipelined-synch-checks.-Bug-2004.patch
+ Unfuzz 31_eximmanpage.dpatch and
78_Disable-chunking-BDAT-by-default.patch.
+ Add 75_add_bak_spec.txt.diff - spec.txt and filter.txt missing in rc
tarball.
+ Unfuzz debian/EDITME.exim4-*.
+ Update debian/example.conf.md5. - Upstream typo fix.
exim4 (4.88-5) unstable; urgency=medium
* 78_Disable-chunking-BDAT-by-default.patch: Change default value of main
option chunking_advertise_hosts and smtp transport option
hosts_try_chunking from "*" to empty.
This is a Debian specific change, we are right before the freeze and BDAT
needs a little time.
exim4 (4.88-4) unstable; urgency=medium
* Upload to unstable.
exim4 (4.88-3) experimental; urgency=medium
* Pull multiple patches from upstream GIT:
+ 75_00_DKIM-More-validation-of-DNS-key-record.-Bug-1926.patch,
75_01_DKIM-Under-debug-when-signing-do-an-extra-check-on-t.patch
+ 75_02_Do-not-call-ldap_start_tls_s-on-ldapi-connections.patch
+ 75_03_PROXY-fix-v2-protocol-decode.-Bugs-2003-1747.patch
+ 75_04_CHUNKING-fix-non-pipelined-synch-checks.-Bug-2004.patch
(Thanks, Bart Noordervliet for the pointer) Closes: #850175
exim4 (4.88-2) unstable; urgency=medium
* Upload to unstable.
exim4 (4.88-1) experimental; urgency=medium
* New upstream version.
* Upload to experimental, let (almost identical) 4.88~RC6-2 propagate to
testing.
* Drop 75_Fix-DKIM-information-leakage.patch.
exim4 (4.88~RC6-2) unstable; urgency=high
* Add macro IGNORE_SMTP_LINE_LENGTH_LIMIT to allow disabling the SMTP DATA
physical line limit check for both for SMTP DATA ACL and remote_smtp*
transports. Closes: #828801
Also update corresponding NEWS entry.
* [lintian] debian/changelog: s/lenght/length/
* Pull 75_Fix-DKIM-information-leakage.patch from upstream GIT, fixing DKIM
information leakage issue CVE-2016-9963.
exim4 (4.88~RC6-1) unstable; urgency=low
* New upstream version.
exim4 (4.88~RC5-1) unstable; urgency=low
* New upstream version.
+ Drop 75_01-Ensure-socket-is-nonblocking-before-draining.diff.
exim4 (4.88~RC4-2) unstable; urgency=low
* Pull 75_01-Ensure-socket-is-nonblocking-before-draining.diff from upstream
GIT to fix exim bug 1914 (exim doesn't close connection after quit.
* Upload to unstable.
exim4 (4.88~RC4-1) experimental; urgency=low
* New upstream version.
exim4 (4.88~RC3-1) experimental; urgency=medium
* New upstream version.
Drop 75_01-Fix-check-for-commandline-macro-definition.patch
75_02_Fix-bug-with-aborted-server-TLS-connection-under-Gnu.patch.
exim4 (4.88~RC2-3) experimental; urgency=medium
* Fix thinko in exim4-daemon-*.postinst. Do not regenerate gnutls params on
every upgrade.
* 75_02_Fix-bug-with-aborted-server-TLS-connection-under-Gnu.patch: Fix
longstanding bug with aborted TLS server connection handling. Under
GnuTLS, when a session startup failed (eg because the client
disconnected) Exim did stdio operations after fclose. This was exposed by
a recent change which nulled out the file handle after the fclose.
exim4 (4.88~RC2-2) experimental; urgency=medium
* 75_01-Fix-check-for-commandline-macro-definition.patch - Fix permission
problems on commandline mail submission. Closes: #840355
exim4 (4.88~RC2-1) experimental; urgency=low
* New upstream version.
+ Changed default Diffie-Hellman parameters to be Exim-specific, created
by Phil Pennock. Added RFC7919 DH primes as an alternative.
Closes: #839978
* Set tls_dhparam = historic to use site-specific DH parameters.
* Again, ship /usr/share/exim4/exim4_refresh_gnutls-params, use it in
-daemon postinst.
* Initialize /var/spool/exim4/gnutls-params-2048 at daemon install, either
by running certtool or by installing
/usr/share/exim4/gnutls-params-2048. Do not try to use
openssl dhparam, it takes too long.
exim4 (4.88~RC1-1) experimental; urgency=low
* Drop reference to removed (in 4.80-7) "what"-option in init script usage
message. (Thanks, Calum Mackay!) Closes: #823855
* 92_CVE-2016-1238.diff: eximstats: Remove . from @INC [CVE-2016-1238]
Closes: #832442
* [lintian] update-exim4.conf.8 - fix typo.
* [lintian] Drop unused override binaries-have-file-conflict.
* B-d on default-libmysqlclient-dev.
* New upstream version.
+ Refresh patches: 31_eximmanpage.dpatch 32_exim4.dpatch 35_install.dpatch
50_localscan_dlopen.dpatch
+ Drop superfluous patches.
71_01_configure.default-nice-message-for-overlong-lines-Bu.patch
71_02_Delivery-quieten-smtp-transport-conn-reuse-vs.-deliv.patch
71_03_Avoid-exposing-passwords-in-log-on-failing-ldap-look.patch
71_04_Avoid-exposing-passwords-in-log-on-failing-ldap-look.patch
+ Fix crash in VRFY handling when handed an unqualified name
(lacking @domain). Apply the same qualification processing as RCPT.
Closes: #834699
+ Fix a possible security hole, wherein a process operating with the Exim
UID can gain a root shell. Credit to http://www.halfdog.net/ for
discovery and writeup. LP: #
1580454
* [lintian] exim4-config_files.5 - fix typo.
exim4 (4.87-3) unstable; urgency=medium
* Pull multiple patches from upstream GIT:
+ 71_01_configure.default-nice-message-for-overlong-lines-Bu.patch
Improved message on overlong lines in example config.
+ 71_02_Delivery-quieten-smtp-transport-conn-reuse-vs.-deliv.patch
Fix race condition related to connection reuse.
https://bugs.exim.org/show_bug.cgi?id=1810
+ 71_03_Avoid-exposing-passwords-in-log-on-failing-ldap-look.patch
71_04_Avoid-exposing-passwords-in-log-on-failing-ldap-look.patch
Avoid exposing passwords in log on failing ldap lookup
expansion. https://bugs.exim.org/show_bug.cgi?id=165
* Copy information message on rejecting overlong lines in data ACL from
upstream example configuration. Closes: #823418
* Add NEWS entry on line-length-limit introduced in 4.87~RC1-1.
Closes: 821830
exim4 (4.87-2) unstable; urgency=medium
* Fix reference to README.Debian in 01_exim4-config_listmacrosdefs.
(Thanks, L. Guruprasad!) Closes: #821416
* Add REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS macro to enforce TLS
connections (hosts_require_tls option) in remote_smtp_smarthost
transport. Closes: #822174
* exim4-daemon-heavy: Disable WITH_OLD_DEMIME ("demime" ACL condition). It
is deprecated and will be removed in 4.88.
* README.Debian*: Fix minor issues found by lintian.
* Fix reference to spec.txt in 30_exim4-config_check_rcpt. Closes: #665399
* Drop exim4-base Recommends on perl-modules. This had been unnecessary
since 4.80~rc6-1 which dropped /usr/share/exim4/timeout.pl.
exim4 (4.87-1) unstable; urgency=medium
* Fix comment in
conf.d/transport/30_exim4-config_remote_smtp_smarthost. (Thanks,
Jörg-Volker Peetz!) Closes: #819780
* New upstream release.
exim4 (4.87~RC7-1) unstable; urgency=low
* Enable SOCKS support in both -light and -heavy. Closes: #818091
* Fix typos in configuration. (Thanks, Vincent Lefevre!) Closes: #819482
* New upstream version.
+ Drop 74_Store-the-initial-working-directory.diff,
75_String-expansions-fix-extract.patch,
76_only_warn_on_nonempty_environment.diff.
+ Update debian/example.conf.md5.
exim4 (4.87~RC6-3) unstable; urgency=medium
* Merge changelog entries for 4.86.2-1 and -2.
* Upload to unstable.
* Add link to CVE details to latest NEWS entry and bump its version and date
to match this upload. Closes: #818349, #817244
exim4 (4.87~RC6-2) experimental; urgency=medium
* 74_Store-the-initial-working-directory.diff,
76_only_warn_on_nonempty_environment.diff: Upstream followups on the
CVE fix (Thanks, Heiko Schlittermann!):
+ Runtime warning is only generated if (and only if) keep_environment
is unset and environment is nonempty.
+ Store the initial working directory and make it available in the new
expansion variable $initial_cwd.
* Merge all NEWS.Debian files into a single one, identical for all binary
packages. - Different NEWS files built from a single source package is not
and has not ever been supported by apt-listchanges which is the most
important frontend.
* Add a NEWS entry about the environment related runtime warning.
exim4 (4.87~RC6-1) experimental; urgency=medium
* New upstream version.
* Add 75_String-expansions-fix-extract.patch from upstream GIT, fixing
${extract } string expansion for the numeric/3-string case. (Bug was
introduced in 4.85.)
* Set keep_environment to empty value instead of setting a minimal PATH in
add_environment.
exim4 (4.87~RC5-2) experimental; urgency=medium
* Update debian/upstream/signing-key.asc, using the keys listed in
ftp://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc. This adds
Heiko Schlittermann's key.
* Bump exim4-config Breaks to exim4-daemon-* (<< 4.87~RC5). Closes: #816790
exim4 (4.87~RC5-1) experimental; urgency=medium
* exim4-config.postinst: Test for existence of /etc/inetd.conf before trying
to grep in it. Closes: #814998
* New upstream version, includes the patch for CVE-2016-1531. (Local root
exploit).
* Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the new
options. If neither is used we use add_environment to set a minimal
PATH=/bin:/usr/bin to avoid a runtime warning.
exim4 (4.87~RC3-2) experimental; urgency=medium
* README.Debian: Refer to Exim specification by chapter name instead of
chapter number. Closes: #813351
* Fix some spelling errors found by lintian.
* Minor debian/rules cleanup:
+ Restore originally intended behavior, upstream changelog is only
shipped in exim4-base, symlinks to it elsewhere.
+ Drop workaround for #347577, fixed in debhelper 5.0.15.
+ Use "dh binary-arch" and "dh binary-indep" and a bunch of override
targets instead of listing all dh-commands. While this is uglier and
slows things down a bit it shortens debian/rules by 40 lines and has the
huge benefit that we automatically use all suggested helpers in correct
order.
+ Drop unused variables combinedidbgpackage/dhcombinedidbgpackage.
+ Delete unused, commented code.
+ Drop (exported) variable MTACONFLICTS, used only once.
* Bugfix: Stop build if generation of EDITME.exim4-heavy fails.
* Refresh debian/EDITME.*, -heavy was missing ldap and sql support.
exim4 (4.87~RC3-1) experimental; urgency=medium
* Move Vcs-* from git/http to https.
* [lintian] README.Debian: s/desireable/desirable/.
* [lintian] README.Debian: Fix grammar error "allow + infinitive".
* [lintian] exim4-config.postinst: Use which foo > /dev/null
instead of [ -x /path/to/foo ].
* Update list of patches in debian/README.Debian.xml
* Drop 66_enlarge-dh-parameters-size.dpatch: It does not have any effect
with GnuTLS >= 2.12 and even stable has GnuTLS 3.x.
* New upstream version.
+ Upstream's default rcpt ACL now requires that a HELO/EHLO was accepted,
merge this change and drop CHECK_MAIL_HELO_ISSUED macro.
exim4 (4.87~RC2-1) experimental; urgency=medium
* New upstream version.
exim4 (4.87~RC1-1) experimental; urgency=medium
* New upstream version.
+ Refresh patches.
+ Drop debian/patches/75_00xx*.patch from exim-4_86+fixes branch.
+ Sync with upstream default configuration: Check maximum (physical, i.e.
before unfolding) line length in default spec file data ACL and smtp
transport. Bug 1684 Closes: #797919
+ HS/02 Add the Exim version string to the process info. This way exiwhat
gives some more detail about the running daemon. Closes: #240883
* Override upstream's new default of tls_advertise_hosts = * if
MAIN_TLS_ENABLE is not set.
exim4 (4.86.2-2) unstable; urgency=high
* Bump exim4-config Breaks to exim4-daemon-* (<< 4.86.2). Closes: #816790
exim4 (4.86.2-1) unstable; urgency=high
* Pull 75_0012_Cutthrough-Fix-bug-with-dot-only-line.patch from upstream
4.86+fixes branch.
* New upstream security release for CVE-2016-1531.
+ New options keep_environment/add_environment which are empty by default,
i.e. any subprocesses start in a clean (empty) environment.
+ -C requires an absolute path.
+ Exim changes it's working directory to / right after startup.
* Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the new
options. If neither is used we use add_environment to set a minimal
PATH=/bin:/usr/bin to avoid a runtime warning.
exim4 (4.86-7) unstable; urgency=medium
* Allow arch-indep build (dpkg-buildpackage -A). Closes: #806023
* 75_0011_MIME-fix-crash-on-filenames-having-null-charset.-Bug.patch from
exim-4_86+fixes branch fixes another MIME ACL related crash.
https://bugs.exim.org/show_bug.cgi?id=1730
exim4 (4.86-6) unstable; urgency=medium
* Cleanup (actual patch is identical): Use
75_0009_Avoid-misaligned-access-in-cached-lookup.-Bug-1708.patch from
exim-4_86+fixes branch instad of
76_Avoid-misaligned-access-in-cached-lookup.-Bug-1708.patch.
* Pull 75_0010_DKIM-ignore-space-tab-embedded-in-base64-during-deco.patch,
DKIM: ignore space & tab embedded in base64 during decode. Bug 1700
exim4 (4.86-5) unstable; urgency=high
* Pull 76_Avoid-misaligned-access-in-cached-lookup.-Bug-1708.patch from GIT
head to avoid misaligned access in cached lookup. Closes: #803255
exim4 (4.86-4) unstable; urgency=medium
* Fix documentation of lowuid_aliases router, exceptions are in
CONFDIR/lowuid-aliases not CONFDIR/lowuid_aliases. (Thanks, Tim Krah)
Closes: #799672
* fcron has been removed from Debian in 2011, stop listing it as an
alternative dependency of exim4-base (Thanks, Alexandre Detiste).
Closes: #798236
* Update to upstream exim-4_86+fixes branch:
+ Drop 75_Fix-ESMTP-MAIL-command-option-processing.patch,
76_Fix-post-transport-crash.patch,
77_Fix-post-transport-crash-safeguard-for-missing-spool.patch,
78_Close-logs-after-daemon-process-exceptional-write.patch.
+ Add 75_0001-Fix-post-transport-crash.patch
75_0002-Fix-post-transport-crash-safeguard-for-missing-spool.patch
75_0003-Fix-ESMTP-MAIL-command-option-processing.patch
75_0005-Close-logs-after-daemon-process-exceptional-write.-B.patch
75_0007-DNS-time-limit-cached-returns-using-TTL.-Bug-1395.patch
75_0008-Retry-always-use-interface-if-set-for-retry-DB-key.-.patch
* Use dh v9.
exim4 (4.86-3) unstable; urgency=medium
* Pull three patches from upstream git:
+ 75_Fix-ESMTP-MAIL-command-option-processing.patch:
Corrects handling of mail-addresses with whitespace.
<http://article.gmane.org/gmane.mail.exim.user/97069>
+ 76_Fix-post-transport-crash.patch
77_Fix-post-transport-crash-safeguard-for-missing-spool.patch
<https://bugs.exim.org/show_bug.cgi?id=1671>
* Fix spelling error in copyright file. (Thanks, lintian)
* Pull 77_Fix-post-transport-crash-safeguard-for-missing-spool.patch from
upstream git, exim was keeping logfiles open after after a "too many
connections" event. Closes: #796524, #476958 (Thanks to Andreas Pflug for
chasing this.)
* When saving the berkeley DB version at build-time pass -P option to cpp,
to prevent linebreaks.
exim4 (4.86-2) unstable; urgency=high
* Update exim4-config Breaks, PRDR support is was moved from being
Experimental into the mainline with 4.83.
Closes: #794320
exim4 (4.86-1) unstable; urgency=medium
* New upstream version, identical to RC5 (except for the version string).
exim4 (4.86~RC5-1) unstable; urgency=medium
* New upstream version.
+ Drop 75_Bump-LOCAL_SCAN_ABI_VERSION.patch.
exim4 (4.86~RC4-2) unstable; urgency=medium
* Drop libmysqlclient15-dev alternative build-dependency. Closes: #790463
* Update list of upstream gpg-keys (0x4D1E900E14C1CC04 Phil Pennock,
0x85AB833FDDC03262 Nigel Metheringham, 0xFFC0F14C84C71B6E Tony Finch,
0xC4F4F94804D29EBA Todd Lyons, 0xBCE58C8CE41F32DF Jeremy Harris,
0x63762CDA67E2F359 David Woodhouse, 0xAD5EDBB793EC57E4 Graeme Fowler),
transition from debian/upstream-signing-key.pgp to
debian/upstream/signing-key.asc.
* Pull 75_Bump-LOCAL_SCAN_ABI_VERSION.patch from upstream GIT and update
exim4-localscanapi-x.y provides to 2.0. A binNMU of sa-exim will then
properly fix the issue. Closes: #790616
exim4 (4.86~RC4-1) unstable; urgency=medium
* unexport/undefine TZ in debian/rules for reproducible build. It would be
used as default value for TIMEZONE_DEFAULT.
* New upstream version.
+ Unfuzz 31_eximmanpage.dpatch.
exim4 (4.86~RC3-2) unstable; urgency=medium
* Upload to unstable.
exim4 (4.86~RC3-1) experimental; urgency=medium
* Don't provide default-mta on Ubuntu and Ubuntu-derivatives. See LP-bug
1166671.
* New upstream version.
exim4 (4.86~RC2-1) experimental; urgency=medium
* Drop nowadays unneeded XS-Testsuite: autopkgtest in debian/control
(Thanks, lintian).
* New upstream version:
+Drop included patches.
(-72_0001-Guard-routing-against-a-null-deref.-Bug-1639.patch,
72_0002-Spamd-add-missing-initialiser.-Rspamd-mode-was-incor.patch,
72_0003-DSN-fix-null-deref-when-bounce-is-due-to-conn-timeou.patch,
72_0004-Content-scan-Use-ETIMEDOUT-not-ETIME-as-having-bette.patch)
* Sync Debian config with upstream default config:
+ Set prdr_enable.
+ Add +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified to
log_selector option value.
exim4 (4.86~RC1-3) experimental; urgency=medium
* Get time and date of latest debian/changelog entry and patch exim(on) to
use these instead of __DATE__ and __TIME__.
* Pull 72_0004-Content-scan-Use-ETIMEDOUT-not-ETIME-as-having-bette.patch
from GIT to fix FTBFS on kfreebsd.
exim4 (4.86~RC1-2) experimental; urgency=medium
* Pull three post-release fixes from upstream GIT. (null pointer
derefencing, and spam scanning defaulting to rspam mode)
+ 72_0001-Guard-routing-against-a-null-deref.-Bug-1639.patch
+ 72_0002-Spamd-add-missing-initialiser.-Rspamd-mode-was-incor.patch
+ 72_0003-DSN-fix-null-deref-when-bounce-is-due-to-conn-timeou.patch
exim4 (4.86~RC1-1) experimental; urgency=medium
* New upstream release.
+ Drop 84_Fix-truncation-of-items-in-headers_remove-lists-this.patch,
refresh patches.
+ Update EDITME*, enable AUTH_TLS for -heavy.
+ Sync Debian config with upstream default config, rfc1413 calls are now
disabled by default.
+ Uses MIME format bounce messages (RFC 3461). Closes: #230284,#400741
+ The spamd_address main option now supports an optional timeout value per
server (tmo=timespec), it defaults two 2 minutes. Closes: #297915
+ spamd_address also accepts hostnames and IPv6 addresses. Closes: #751687
+ log reason for defer, on a hostlist dns-lookup temporary error.
Closes: #670035
exim4 (4.85-3) unstable; urgency=medium
* Upload to unstable.
exim4 (4.85-2) experimental; urgency=medium
* Merge from unstable 4.84-8.
+ Tighten dependency of exim4 on exim4-base to (>= ${source:Version}) and
(<< ${source:Version}.1), at least source version, but not the next
sourceful upload. Closes: #777246
+ Pull 84_Fix-truncation-of-items-in-headers_remove-lists-this.patch from
upstream GIT which fixes breakage of string-expansion in headers_remove
commands. (Thanks Gordon Dickens, for the pointer.) -
83_Remove-limit-on-remove_headers-item-size.-Bug-1533.patch not added
here since it already part of 4.85.
exim4 (4.85-1) experimental; urgency=medium
* exim4-config_files.5: Escape dots in regex. (Thanks, ael)
* New upstream version.
exim4 (4.85~RC4-1) experimental; urgency=medium
* update-exim4.conf:
+ Drop unused variable UPEX4C_internal_tmp.
+ Use tempfile(1) if the generated file will not be written to
/var/lib/exim4/.
+ Add --check option.
* init-script: On restart use update-exim4.conf --check before stopping the
daemon. (This is a no-op with systemd since its sysv compat layer
translates "foo restart" into "foo stop" "foo start" instead of using the
init scripts restart target.)
* Handle _RC in watchfile with uversionmangle.
* New upstream version.
+ Stop repacking source, rfcs have been dropped.
exim4 (4.85~RC3+dfsg-1) experimental; urgency=medium
* New upstream version.
exim4 (4.85~RC2+dfsg-1) experimental; urgency=medium
* New upstream version.
* Unfuzz patches: 50_localscan_dlopen.dpatch 67_unnecessaryCopt.diff
70_remove_exim-users_references.dpatch.
exim4 (4.85~RC1+dfsg-1) experimental; urgency=medium
* Unset message_prefix/message_sufix in maildrop_pipe transport. Maildrop
neither expects a mbox-style From nor an empty line add the end. (Thanks,
Edward Betts) Closes: #769396
* Change the init script's restart order from { regenerate_config; stop;
start ; } to { stop; regenerate_config; start ; }. (Thanks, Jakub Warmuz)
Closes: #768874
* New upstream version.
+ Unfuzz 66_enlarge-dh-parameters-size.dpatch
+ Drop 80_mime_empty_charset.diff.
* Remove rfc from upstream source and repack it.
Andreas Metzler [Mon, 2 Jan 2017 18:18:05 +0000 (19:18 +0100)]
Import Debian patch 4.84.2-2+deb8u3
Clinton Ebadi [Mon, 30 Jan 2017 22:14:09 +0000 (17:14 -0500)]
Import Upstream version 4.84.2
Clinton Ebadi [Thu, 14 May 2015 05:34:43 +0000 (01:34 -0400)]
skip failed chown check on file before writing
Clinton Ebadi [Thu, 14 May 2015 04:34:01 +0000 (00:34 -0400)]
Actually patch maildir problem
It would help if I patched the maildir in afs issue and not the
mailbox problem... reverting the mailbox case even if it might make
sense, review later.
Clinton Ebadi [Thu, 14 May 2015 03:47:38 +0000 (23:47 -0400)]
change perm change error message for sanity
Clinton Ebadi [Thu, 14 May 2015 03:26:29 +0000 (23:26 -0400)]
Relax chown requirements when check_owner is false
HCoop delivers into /afs, and the chown will always fail since the
effective unix user and openafs role ($user.daemon) are not the
same. This is harmless in afs space, and it seems reasonable enough to
not care about the chown failing in the general case when exim will
ignore the perms afterward / if the file already exists and it is
appending to it.
Andreas Metzler [Tue, 17 Feb 2015 17:00:42 +0000 (18:00 +0100)]
Imported Debian patch 4.84-8
Clinton Ebadi [Thu, 14 May 2015 03:12:14 +0000 (23:12 -0400)]
Imported Upstream version 4.84
HCoop / hcoop / debian / exim4.git / log