Fallout stems from the removal of the gpgme-pthread shared object.
Initial diff by me, refreshed diff from jca@.
Tested in a bulk by ajacoutot@.
OK jca@, ajacoutot@. Thanks.
and CVE-2017-16944, and other fixes.
Alternative workaround for these two CVEs: disable the SMTP CHUNKING extension
by adding "chunking_advertise_hosts =" to the main configuration section (empty
right-hand-side).
https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html
https://bugs.exim.org/show_bug.cgi?id=2199
There is also another issue which is at least a DoS,
https://bugs.exim.org/show_bug.cgi?id=2201 that is *not* patched yet.
The workaround below would help both cases.
From upstream:
"With immediate effect, please apply this workaround: if you are running
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
section of your Exim configuration, set:
chunking_advertise_hosts =
That's an empty value, nothing on the right of the equals. This
disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoids letting an attacker apply the logic. "
unneeded softokn3, sometimes replace it by nssutil3) - note that there
might be more WANTLIB to fix/remove from those ports, but I only
concentrated on the changes related to nss.
"Apparently this zero-day exploit is already being used by hackers to
read Roundcube’s configuration files. It requires a valid
username/password as the exploit only works with a valid session. More
details will be published soon under CVE-2017-16651.
In order to check whether your Roundcube installation has been
compromised check the access logs for requests like
?_task=settings&_action=upload-display&_from=timezone
As mentioned above, the file disclosure only works for authenticated
users and by finding such requests in the logs you should also be able
to identify the account used for this unauthorized access. For
mitigation we recommend to change all the credentials to external
services like database or LDAP address books and preferably also the
'des_key' option in your config."
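A defender-side check for the log indicator quoted above, added here as an example (it is not code from the Roundcube advisory or from the port): it scans access-log lines in the combined format for requests that carry the three parameters named in the advisory, in any order and alongside any extra parameters, and reports the client address, timestamp and the HTTP auth-user field. The log lines below are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined/common log format: client, ident, authuser, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<authuser>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Request parameters named in the advisory text quoted above.
INDICATOR = {"_task": "settings", "_action": "upload-display", "_from": "timezone"}

# Constructed sample lines (not real traffic); the third line reorders the parameters.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2017:08:12:01 +0000] "GET /roundcube/?_task=mail&_mbox=INBOX HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2017:08:12:44 +0000] "GET /roundcube/?_task=settings&_action=upload-display&_from=timezone HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.7 - alice [10/Nov/2017:09:01:10 +0000] "GET /roundcube/?_action=upload-display&_from=timezone&_task=settings&_x=1 HTTP/1.1" 200 1980 "-" "curl/7.55.0"
192.0.2.9 - - [10/Nov/2017:09:30:00 +0000] "POST /roundcube/?_task=settings&_action=save-prefs HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def is_suspicious(target):
    """True if the request target carries all three indicator parameters,
    whatever their order and whatever else is in the query string."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return all(query.get(key, [None])[0] == val for key, val in INDICATOR.items())


def find_hits(log_text):
    """Return (client, timestamp, authuser, status) for every matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m.group("target")):
            hits.append((m.group("client"), m.group("ts"),
                         m.group("authuser"), m.group("status")))
    return hits


if __name__ == "__main__":
    for client, ts, user, status in find_hits(SAMPLE_LOG):
        print(f"{ts} client={client} authuser={user} status={status}")
```

Run it against a real log with `find_hits(open(path).read())`; a non-`-` auth-user field only helps if the web server itself authenticates users, otherwise the account must be matched from Roundcube's own session logs at that timestamp.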
- doveadm: Fix crash in proxying (or dsync replication) if remote is
running older than v2.2.33
- auth: Fix memory leak in %{ldap_dn}
- dict-sql: Fix data types to work correctly with Cassandra