switch build configuration from a modified static copy of a file from
exim distribution in files/ to copying and patching the actual file from
the distribution, this was badly out of sync with upstream. done by me
based on Renaud's partial update.
"Using a handcrafted message, remote code execution seems to be possible"
thanks to whichever of the distributions that was under embargo and
released early, as this means that the fix was made available sooner
than it would have otherwise been.
and CVE-2017-16944, and other fixes.
Alternative workaround for these two CVEs: disable the SMTP CHUNKING extension
by adding "chunking_advertise_hosts =" to the main configuration section (empty
right-hand-side).
https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.htmlhttps://bugs.exim.org/show_bug.cgi?id=2199
There is also another issue which is at least a DoS,
https://bugs.exim.org/show_bug.cgi?id=2201 that is *not* patched yet.
The workaround below would help both cases.
From upstream:
"With immediate effect, please apply this workaround: if you are running
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
section of your Exim configuration, set:
chunking_advertise_hosts =
That's an empty value, nothing on the right of the equals. This
disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoids letting an attacker apply the logic. "
JH/27 Fix a possible security hole, wherein a process operating with the Exim
UID can gain a root shell. Credit to http://www.halfdog.net/ for
discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim
itself :(
JH/34 SECURITY: Use proper copy of DATA command in error message.
Could leak key material. Remotely explaoitable. CVE-2016-9963.
whoever decided to have an embargo period ending on 25 December: this was
not a particularly good idea
"Any user who can start an instance of Exim (and this is normally *any* user)
can gain root privileges. If you do not use 'perl_startup' you *should* be
safe." CVE-2016-1531
a new libmysqlclient non-blocking API which utilizes co-routines. The X86
specific GCC ASM co-routine support hid the fact that there was an issue.
The only fallback code so far is POSIX user contexts which OpenBSD does not
support.
Input from and Ok sthen@ jasper@
Workaround: "You are not vulnerable if <...> you put this at the start
of an ACL plumbed into acl_smtp_connect or acl_smtp_rcpt:
warn control = dkim_disable_verify"
This is backported from the diff between exim 4.80 and 4.80.1
(not updating fully to 4.80.1 yet as this small diff is safer to commit)
same diff rpointel@
parameter to daemonize, move the parameter from daemon to daemon_flags,
so that the user cannot inadvertently prevent it from daemonizing by
adjusting the flags.
Discussed with ajacoutot and schwarze, this method was suggested
by schwarze@ as a simpler alternative to my diff. ok aja@
PLIST and delete everything under the @sample'd directory instead of the
directory itself to prevent a warning from pkg_delete(1) trying to
remove a non existing directory and to help preventing left-over files
and directories.
ok aja@
While this resolves CVE-2010-4344 and CVE-2010-4345, the first was
actually fixed in exim 4.70 and the latter is a no-issue on OpenBSD
due to it always being built with ALT_CONFIG_ROOT_ONLY.
with input from Andreas Voegele
ok sthen@, jasper@
