2021-05-04 22:29:39 by David Brownlee | Files touched by this commit (2) |
Log message:
Updated mail/exim to 4.94.2
This includes a number of serious security fixes (one of which was
included in a now obsoleted pkgsrc patch)
CVE-2020-28016
CVE-2020-BDATA
CVE-2020-EXOPT
CVE-2020-PFPSN
CVE-2020-RCPTL
CVE-2020-SLCWD
CVE-2020-SPRSS
Since Exim version 4.94
-----------------------
JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used
as arguments, so an implementation trying to copy these into a local
buffer was taking a taint-enforcement trap. Fix by using dynamically
created buffers. Similar fix for radius expansion condition.
JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is
reasonable, eg. to count headers. Fix by using dynamically created
buffers rather than a local. Do similar fixes for ACL actions "dcc",
"log_reject_target", "malware" and "spam"; \
the arguments are expanded
so could be handling tainted values.
JH/04 Bug 2590: Fix -bi (newaliases). A previous code rearrangement had
broken the (no-op) support for this sendmail command. Restore it
to doing nothing, silently, and returning good status.
JH/05 Bug 2593: Fix "vacation" in Exim filter. Previously, when a \
"once"
record path was given (or the default used) without a leading directory
path, an error occurred on trying to open it. Use the transport's working
directory.
JH/06 Bug 2594: Change the name used for certificate name checks in the smtp
transport. Previously it was the name on the DNS A-record; use instead
the head of the CNAME chain leading there (if there is one). This seems
to align better with RFC 6125.
JH/07 Bug 2597: Fix a resource leak. Using a lookup in obtaining a value for
smtp_accept_max_per_host allocated resources which were not released
when the limit was exceeded. This eventually crashed the daemon. Fix
by adding a relase action in that path.
JH/08 Bug 2598: Fix verify ACL condition. The options for the condition are
expanded; previously using tainted values was rejected. Fix by using
dynamically-created buffers.
JH/10 Bug 2603: Fix coding of string copying to only evaluate arguments once.
Previously a macro used one argument twice; when called with the
argument as an expression having side-effects, incorrect operation
resulted. Use an inlineable function.
JH/11 Bug 2604: Fix request to cutthrough-deliver when a connection is already
held open for a verify callout. Previously this wan not accounted for
and a corrupt onward SMTP conversation resulted.
JH/13 Fix dsearch "subdir" filter to ignore ".". Previously \
only ".." was
excluded, not matching the documentation.
JH/14 Bug 2606: Fix a segfault in sqlite lookups. When no, or a bad, filename
was given for the sqlite_dbfile a trap resulted.
JH/15 Bug 2620: Fix "spam" ACL condition. Previously, tainted values \
for the
"name" argument resulted in a trap. There is no reason to \
disallow such;
this was a coding error.
JH/16 Bug 2615: Fix pause during message reception, on systems that have been
suspended/resumed. The Linux CLOCK_MONOTONIC does not account for time
spent suspended, ignoring the Posix definition. Previously we assumed
it did and a constant offset from real time could be used as a correction.
Change to using the same clock source for the start-of-message and the
post-message next-tick-wait. Also change to using CLOCK_BOOTTIME if it
exists, just to get a clock slightly more aligned to reality.
JH/17 Bug 2295: Fix DKIM signing to always semicolon-terminate. Although the
RFC says it is optional some validators care. The missing char was not
intended but triggered by a line-wrap alignement. Discovery and fix by
Guillaume Outters, hacked on by JH.
JH/18 Bug 2617: Fix a taint trap in parse_fix_phrase(). Previously when the
name being quoted was tainted a trap would be taken. Fix by using
dynamicaly created buffers. The routine could have been called by a
rewrite with the "h" flag, by using the "-F" \
command-line option, or
by using a "name=" option on a control=submission ACL modifier.
JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion.
Previously when a whitespace character was specified it was not inserted
after removing the newline.
JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for
is_tainted() had an off-by-one error in the overenthusiastic direction.
Find and fix by Gavan. Although NetBSD is not a supported platform for
4.94 this bug could affect other platforms.
JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for
is_tainted() had an off-by-one error in the overenthusiastic direction.
Find and fix by Gavan. Although NetBSD is not a supported platform for
4.94 this bug could affect other platforms.
JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion.
Previously when a whitespace character was specified it was not inserted
after removing the newline.
JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be
the domain part of the recipient address. This overrides any tls_sni
option set, which was previously used.
JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI
in quotes.
JH/26 Bug 2646: fix a memory usage issue in ldap lookups. Previously, when more
than one server was defined and depending on the platform memory layout
details, an internal consistency trap could be hit while walking the list
of servers.
JH/27 Bug 2648: fix the passing of an authenticator public-name through spool
files. The value is used by the authresults expansion item. Previously
if this was used in a router or transport, a crash could result.
JH/30 Bug 2677: fix matching of long addresses. Since 4.93 a limit of 256 was
applied. This resulted, if any header-line rewrite rules were configured,
in a panic-log trigerrable by sending a message with a long address in
a header. Fix by increaing the arbitrary limit to larger than a single
(dewrapped) 5322 header line maximum size.
JH/31 The ESMTP option name advertised for the SUPPORT_EARLY_PIPE build option
is changed from X_PIPE_CONNECT to PIPE_CONNECT. This is in line with
RFC 6648 which deprecates X- options in protocols as a general practice.
Changeover between the implementations is handled by the mechanisms
alrready coded.
JH/32 Bug 2599: fix delay of delivery to a local address where there is also
a remote which uses callout/hold. Previously the local was queued.
JH/33 Fix a taint trap in the ${listextract } expansion when the source data
was tainted.
JH/35 Bug 2343: Harden exim_tidydb against corrupt wait- files.
JH/36 Bug 2687: Fix interpretation of multiple ^ chars in a plaintext
authenticator client_send option. Previously the next char, after a pair
was collapsed, was taken verbatim (so ^^^foo became ^^foo; ^^^^foo became
^^\x00foo). Fixed to get ^\x00foo and ^^foo respectively to match the
documentation. There is still no way to get a leading ^ immediately
after a NUL (ie. for the password of a PLAIN method authenticator.
JH/39 Bug 2691: fix $local_part_data. When the matching list element
referred to a file, bad data was returned. This likely also affected
$domain_part_data.
JH/41 Fix daemon SIGHUP on FreeBSD. Previously, a named socket for IPC was
left undeleted; the attempt to re-create it then failed - resulting in
the usual "SIGHUP tp have daemon reload configuration" to not work.
This affected any platform not supporting "abstract" Unix-domain
sockets (i.e. not Linux).
JH/42 Bug 2692: Harden against a peer which reneges on a 452 "too many
recipients" response to RCPT in a later response, with a 250. The
previous coding assumed this would not happen, and under PIPELINING
would result in both lost and duplicate recipients for a message.
JH/43 Bug 2694: Fix weighted distribution of work to multiple spamd servers.
Previously the weighting was incorrectly applied. Similar fix for socks
proxies. Found and fixed by Heiko Schlichting.
JH/44 Bug 2701: Fix list-expansion of dns_ipv4_lookup. Previously, it did
not handle sub-lists included using the +namedlist syntax. While
investigating, the same found for dns_trust_aa, dns_again_means_nonexist,
dnssec_require_domains, dnssec_request_domains, srv_fail_domains,
mx_fail_domains.
HS/01 Enforce absolute PID file path name.
HS/02 Handle SIGINT as we handle SIGTERM: terminate the Exim process.
PP/01 Add a too-many-bad-recipients guard to the default config's RCPT ACL.
PP/02 Bug 2643: Correct TLS DH constants.
A missing NUL termination in our code-generation tool had led to some
incorrect Diffie-Hellman constants in the Exim source.
Reported by kylon94, code-gen tool fix by Simon Arlott.
PP/03 Impose security length checks on various command-line options.
Fixes CVE-2020-SPRSS reported by Qualys.
PP/04 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX
better. Reported by Qualys.
PP/05 Fix security issue CVE-2020-PFPSN and guard against cmdline invoker
providing a particularly obnoxious sender full name.
Reported by Qualys.
PP/06 Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()
PP/07 Refuse to allocate too little memory, block negative/zero allocations.
Security guard.
PP/08 Change default for recipients_max from unlimited to 50,000.
PP/09 Fix security issue with too many recipients on a message (to remove a
known security problem if someone does set recipients_max to unlimited,
or if local additions add to the recipient list).
Fixes CVE-2020-RCPTL reported by Qualys.
PP/10 Fix security issue in SMTP verb option parsing
Fixes CVE-2020-EXOPT reported by Qualys.
PP/11 Fix security issue in BDAT state confusion.
Ensure we reset known-good where we know we need to not be reading BDAT
data, as a general case fix, and move the places where we switch to BDAT
mode until after various protocol state checks.
Fixes CVE-2020-BDATA reported by Qualys.
HS/03 Die on "/../" in msglog file names
QS/01 Creation of (database) files in $spool_dir: only uid=0 or the uid of
the Exim runtime user are allowed to create files.
QS/02 PID file creation/deletion: only possible if uid=0 or uid is the Exim
runtime user.
QS/03 When reading the output from interpreted forward files we do not
pass the pipe between the parent and the interpreting process to
executed child processes (if any).
QS/04 Always die if requested from internal logging, even is logging is
disabled.
|
2021-04-21 13:43:04 by Adam Ciarcinski | Files touched by this commit (1822) |
Log message:
revbump for textproc/icu
|
2020-11-05 10:09:30 by Ryo ONODERA | Files touched by this commit (1814) |
Log message:
*: Recursive revbump from textproc/icu-68.1
|
2020-08-31 20:13:29 by Thomas Klausner | Files touched by this commit (3631) |
Log message:
*: bump PKGREVISION for perl-5.32.
|
2020-08-20 18:40:57 by Gavan Fantom | Files touched by this commit (3) |
Log message:
exim: fix crash on startup if log_buffer is allocated right after taint pool
The check whether a block of memory is tainted erroneously returns true
if the block in question starts the very next byte after a block in the
tainted pool. Depending on the memory allocator, this can cause problems.
For example, on NetBSD/amd64 9.0, this seems to allocate the first tainted
block immediately before log_buffer. This leads to a recursive error in
log_write the first time anything is written to the log, leading to a
segmentation fault when the stack fills up.
|
2020-06-02 10:25:05 by Adam Ciarcinski | Files touched by this commit (1689) |
Log message:
Revbump for icu
|
2020-06-01 21:42:48 by Adam Ciarcinski | Files touched by this commit (5) | |
Log message:
exim exim-html: updated to 4.94
Exim version 4.94
-----------------
JH/01 Avoid costly startup code when not strictly needed. This reduces time
for some exim process initialisations. It does mean that the logging
of TLS configuration problems is only done for the daemon startup.
JH/02 Early-pipelining support code is now included unless disabled in Makefile.
JH/03 DKIM verification defaults no long accept sha1 hashes, to conform to
RFC 8301. They can still be enabled, using the dkim_verify_hashes main
option.
JH/04 Support CHUNKING from an smtp transport using a transport_filter, when
DKIM signing is being done. Previously a transport_filter would always
disable CHUNKING, falling back to traditional DATA.
JH/05 Regard command-line receipients as tainted.
JH/06 Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.
JH/07 Bug 2489: Fix crash in the "pam" expansion condition. It seems \
that the
PAM library frees one of the arguments given to it, despite the
documentation. Therefore a plain malloc must be used.
JH/08 Bug 2491: Use tainted buffers for the transport smtp context. Previously
on-stack buffers were used, resulting in a taint trap when DSN information
copied from a received message was written into the buffer.
JH/09 Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix
the ordering of its ARC headers. This caused a crash.
JH/10 Bug 2492: Use tainted memory for retry record when needed. Previously when
a new record was being constructed with information from the peer, a trap
was taken.
JH/11 Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive
installation would get error messages from DMARC verify, when it hit the
nonexistent file indicated by the default. Distros wanting DMARC enabled
should both provide the file and set the option.
Also enforce no DMARC verification for command-line sourced messages.
JH/12 Fix an uninitialised flag in early-pipelining. Previously connections
could, depending on the platform, hang at the STARTTLS response.
JH/13 Bug 2498: Reset a counter used for ARC verify before handling another
message on a connection. Previously if one message had ARC headers and
the following one did not, a crash could result when adding an
Authentication-Results: header.
JH/14 Bug 2500: Rewind some of the common-coding in string handling between the
Exim main code and Exim-related utities. The introduction of taint
tracking also did many adjustments to string handling. Since then, eximon
frequently terminated with an assert failure.
JH/15 When PIPELINING, synch after every hundred or so RCPT commands sent and
check for 452 responses. This slightly helps the inefficieny of doing
a large alias-expansion into a recipient-limited target. The max_rcpt
transport option still applies (and at the current default, will override
the new feature). The check is done for either cause of synch, and forces
a fast-retry of all 452'd recipients using a new MAIL FROM on the same
connection. The new facility is not tunable at this time.
JH/16 Fix the variables set by the gsasl authenticator. Previously a pointer to
library live data was being used, so the results became garbage. Make
copies while it is still usable.
JH/17 Logging: when the deliver_time selector ise set, include the DT= field
on delivery deferred (==) and failed (**) lines (if a delivery was
attemtped). Previously it was only on completion (=>) lines.
JH/18 Authentication: the gsasl driver not provides the $authN variables in time
for the expansion of the server_scram_iter and server_scram_salt options.
WB/01 SPF: DNS lookups for the obsolete SPF RR type done by the libspf2 library
are now specifically given a NO_DATA response without hitting the system
resolver. The library goes on to do the now-standard TXT lookup.
Use of dnsdb lookups is not affected.
JH/19 Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,
only retrieve the errormessage once. Previously two calls to dlerror()
were used, and the second one (for mainlog/paniclog) retrieved null
information.
JH/20 Taint checking: disallow use of tainted data for
- the appendfile transport file and directory options
- the pipe transport command
- the autoreply transport file, log and once options
- file names used by the redirect router (including filter files)
- named-queue names
- paths used by single-key lookups
Previously this was permitted.
JH/21 Bug 2501: Fix init call in the heimdal authenticator. Previously it
adjusted the size of a major service buffer; this failed because the
buffer was in use at the time. Change to a compile-time increase in the
buffer size, when this authenticator is compiled into exim.
JH/22 Taint-checking: move to safe-mode taint checking on all platforms. The
previous fast-mode was untenable in the face of glibs using mmap to
support larger malloc requests.
PP/01 Update the openssl_options possible values through OpenSSL 1.1.1c.
New values supported, if defined on system where compiled:
allow_no_dhe_kex, cryptopro_tlsext_bug, enable_middlebox_compat,
no_anti_replay, no_encrypt_then_mac, prioritize_chacha, tlsext_padding
JH/23 Performance improvement in the initial phase of a two-pass queue run. By
running a limited number of proceses in parallel, a benefit is gained. The
amount varies with the platform hardware and load. The use of the option
queue_run_in_order means we cannot do this, as ordering becomes
indeterminate.
JH/24 Bug 2524: fix the cyrus_sasl auth driver gssapi usage. A previous fix
had introduced a string-copy (for ensuring NUL-termination) which was not
appropriate for that case, which can include embedded NUL bytes in the
block of data. Investigation showed the copy to actually be needless, the
data being length-specified.
JH/25 Fix use of concurrent TLS connections under GnuTLS. When a callout was
done during a receiving connection, and both used TLS, global info was
used rather than per-connection info for tracking the state of data
queued for transmission. This could result in a connection hang.
JH/26 Fix use of the SIZE parameter on MAIL commands, on continued connections.
Previously, when delivering serveral messages down a single connection
only the first would provide a SIZE. This was due to the size information
not being properly tracked.
JH/27 Bug 2530: When operating in a timezone with sub-minute offset, such as
TAI (at 37 seconds currently), pretend to be in UTC for time-related
expansion and logging. Previously, spurious values such as a future
minute could be seen.
JH/28 Bug 2533: Fix expansion of ${tr } item. When called in some situations
it could crash from a null-deref. This could also affect the
${addresses: } operator and ${readsock } item.
JH/29 Bug 2537: Fix $mime_part_count. When a single connection had a non-mime
message following a mime one, the variable was not reset.
JH/30 When an pipelined-connect fails at the first response, assume incorrect
cached capability (perhaps the peer reneged?) and immediately retry in
non-pipelined mode.
JH/31 Fix spurious detection of timeout while writing to transport filter.
JH/32 Bug 2541: Fix segfault on bad cmdline -f (sender) argument. Previously
an attempt to copy the string was made before checking it.
JH/33 Fix the dsearch lookup to return an untainted result. Previously the
taint of the lookup key was maintained; we now regard the presence in the
filesystem as sufficient validation.
JH/34 Fix the readsocket expansion to not segfault when an empty "options"
argument is supplied.
JH/35 The dsearch lookup now requires that the directory is an absolute path.
Previously this was not checked, and nonempty relative paths made an
access under Exim's current working directory.
JH/36 Bug 2554: Fix msg:defer event for the hosts_max_try_hardlimit case.
Previously no event was raised.
JH/37 Bug 2552: Fix the check on spool space during reception to use the SIZE
parameter supplied by the sender MAIL FROM command. Previously it was
ignored, and only the check_spool_space option value for the required
leeway checked.
JH/38 Fix $dkim_key_length. This should, after a DKIM verification, present
the size of the signing public-key. Previously it was instead giving
the size of the signature hash.
JH/39 DKIM verification: the RFC 8301 restriction on sizes of RSA keys is now
the default. See the (new) dkim_verify_min_keysizes option.
JH/40 Fix a memory-handling bug: when a connection carried multiple messages
and an ACL use a lookup for checking either the local_part or domain,
stale data could be accessed. Ensure that variable references are
dropped between messages.
JH/41 Bug 2571: Fix SPA authenticator. Running as a server, an offset supplied
by the client was not checked as pointing within response data before
being used. A malicious client could thus cause an out-of-bounds read and
possibly gain authentication. Fix by adding the check.
JH/42 Internationalisation: change the default for downconversion in the smtp
transport to be "if needed". Previously it was "as \
previously set" for
the message, which usually meant "if needed" for \
message-submission but
"no" for everything else. However, MTAs have been seen using \
SMTPUTF8
even when the envelope addresses did not need it, resulting in forwarding
failures to non-supporting MTAs. A downconvert in such cases will be
a no-op on the addresses, merely dropping the use of SMTPUTF8 by the
transport. The change does mean that addresses needing conversion will
be converted when previously a delivery failure would occur.
JH/43 Fix possible long line in DSN. Previously when a very long SMTP error
response was received it would be used unchecked in a fail-DSN, violating
standards on line-length limits. Truncate if needed.
HS/01 Remove parameters of the link to www.open-spf.org. The linked form
doesn't work. (Additionally add a new main config option to configure the
spf_smtp_comment)
|
2020-04-25 14:48:57 by Gavan Fantom | Files touched by this commit (3) |
Log message:
Patch exicyclog to work when commands have spaces in them
By default, pkgsrc uses 'mv -f' as MV_COMMAND. exicyclog is not resilient
to this, and breaks as a result. This patch quotes the command names
that are substituted into this script.
|
2020-04-14 21:34:39 by Thomas Klausner | Files touched by this commit (2) | |
Log message:
exim: update to 4.93.0.4.
Based on patch provided by Mike Pumford on pkgsrc-users.
Exim version 4.93+fixes
-----------------------
This is not an official release. It is just a branch, collecting
proposed bugfixes. Depending on your environment the fixes may be
necessary to build and/or run Exim successfully.
JH/05 Regard command-line receipients as tainted.
JH/07 Bug 2489: Fix crash in the "pam" expansion condition. It seems \
that the
PAM library frees one of the arguments given to it, despite the
documentation. Therefore a plain malloc must be used.
JH/08 Bug 2491: Use tainted buffers for the transport smtp context. Previously
on-stack buffers were used, resulting in a taint trap when DSN information
copied from a received message was written into the buffer.
JH/09 Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix
the ordering of its ARC headers. This caused a crash.
JH/10 Bug 2492: Use tainted memory for retry record when needed. Previously when
a new record was being constructed with information from the peer, a trap
was taken.
JH/11 Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive
installation would get error messages from DMARC verify, when it hit the
nonexistent file indicated by the default. Distros wanting DMARC enabled
should both provide the file and set the option.
Also enforce no DMARC verification for command-line sourced messages.
JH/12 Fix an uninitialised flag in early-pipelining. Previously connections
could, depending on the platform, hang at the STARTTLS response.
JH/13 Bug 2498: Reset a counter used for ARC verify before handling another
message on a connection. Previously if one message had ARC headers and
the following one did not, a crash could result when adding an
Authentication-Results: header.
JH/14 Bug 2500: Rewind some of the common-coding in string handling between the
Exim main code and Exim-related utities. The introduction of taint
tracking also did many adjustments to string handling. Since then, eximon
frequently terminated with an assert failure.
JH/16 Fix the variables set by the gsasl authenticator. Previously a pointer to
library live data was being used, so the results became garbage. Make
copies while it is still usable.
|
2020-04-12 10:29:21 by Adam Ciarcinski | Files touched by this commit (956) | |
Log message:
Recursive revision bump after textproc/icu update
|