JH/27 Fix a possible security hole, wherein a process operating with the Exim
UID can gain a root shell. Credit to http://www.halfdog.net/ for
discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim
itself :(
JH/34 SECURITY: Use proper copy of DATA command in error message.
Could leak key material. Remotely explaoitable. CVE-2016-9963.
whoever decided to have an embargo period ending on 25 December: this was
not a particularly good idea
"Any user who can start an instance of Exim (and this is normally *any* user)
can gain root privileges. If you do not use 'perl_startup' you *should* be
safe." CVE-2016-1531
a new libmysqlclient non-blocking API which utilizes co-routines. The X86
specific GCC ASM co-routine support hid the fact that there was an issue.
The only fallback code so far is POSIX user contexts which OpenBSD does not
support.
Input from and Ok sthen@ jasper@
Workaround: "You are not vulnerable if <...> you put this at the start
of an ACL plumbed into acl_smtp_connect or acl_smtp_rcpt:
warn control = dkim_disable_verify"
This is backported from the diff between exim 4.80 and 4.80.1
(not updating fully to 4.80.1 yet as this small diff is safer to commit)
same diff rpointel@
parameter to daemonize, move the parameter from daemon to daemon_flags,
so that the user cannot inadvertently prevent it from daemonizing by
adjusting the flags.
Discussed with ajacoutot and schwarze, this method was suggested
by schwarze@ as a simpler alternative to my diff. ok aja@
PLIST and delete everything under the @sample'd directory instead of the
directory itself to prevent a warning from pkg_delete(1) trying to
remove a non existing directory and to help preventing left-over files
and directories.
ok aja@
While this resolves CVE-2010-4344 and CVE-2010-4345, the first was
actually fixed in exim 4.70 and the latter is a no-issue on OpenBSD
due to it always being built with ALT_CONFIG_ROOT_ONLY.
with input from Andreas Voegele
ok sthen@, jasper@
flavors. This is actually the case, but the eximon LIB_DEPENDS are
wrong (they pick up sqlite... as main should have them).
Fix the LIB_DEPENDS, bump the eximon packagename, and that's it.
- tweak MESSAGE/DESCR
- drop no_x11 flavour in favour of an -eximon subpackage and a
pseudo-flavour to disable it
- use iconv by default rather than as a flavour
- drop no_exiscan flavour
from bernd@, Bjorn Ketelaars and myself; ok fkr@ bernd@
