Your message dated Sun, 23 May 2021 07:12:20 +0200 with message-id <6593c42b-f379-0d8e-3caa-aee3f9bbcc13@debian.org> and subject line Re: Bug#988078: release-notes: add information regarding exim4 and 'tainted data' issue has caused the Debian Bug report #988078, regarding release-notes: add information regarding exim4 and 'tainted data' issue to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
988078: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988078
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: release-notes: add information regarding exim4 and 'tainted data' issue
- From: Paul Muster <paul@muster.net>
- Date: Wed, 05 May 2021 06:09:32 +0200
- Message-id: <162018777293.11323.400628536970258468.reportbug@localhost>
Package: release-notes
Severity: normal

Hi,

please add a new paragraph 5.1.13 (and move existing 5.1.14 to .14) regarding exim and the new 'tainted data' issue. Text copied from NEWS.Debian file:

---
Please consider exim 4.93/4.94 a *major* exim upgrade. It introduces the concept of tainted data read from untrusted sources, like e.g. message sender or recipient. This tainted data (e.g. $local_part or $domain) cannot be used among other things as a file or directory name or command name. This WILL BREAK configurations which are not updated accordingly. Old Debian exim configuration files also will not work unmodified, the new configuration needs to be installed with local modifications merged in.

Typical nonworking examples include:

* Delivery to /var/mail/$local_part. Use $local_part_data in combination with check_local_user.

* Using
    data = ${lookup{$local_part}lsearch{/some/path/$domain/aliases}}
  instead of
    data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}}
  for a virtual domain alias file.

The basic strategy for dealing with this change is to use the result of a lookup in further processing instead of the original (remote provided) value.

To ease upgrading there is a new main configuration option to temporarily downgrade taint errors to warnings, letting the old configuration work with the newer exim. To make use of this feature add

    .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
    allow_insecure_tainted_data = yes
    .endif

to the exim configuration (e.g. to /etc/exim4/exim4.conf.localmacros) *before* upgrading to exim 4.93/4.94 and check the logfile for taint warnings. This is a temporary workaround which will stop working in 4.95.
---

See also:
https://bugs.debian.org/987133
https://bugs.debian.org/987924

Thanks,
Paul
--- End Message ---
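The two breaking patterns from the NEWS text above, each beside its tainted-data-safe form, as an added exim configuration fragment that is not part of the bug report nor of Debian's shipped exim4 configuration; the paths under /etc/exim4/virtual/ and the sample domains file are assumptions.

```exim
# Added illustration, not the bug report's text nor Debian's shipped exim4 config.
# Paths under /etc/exim4/virtual/ are assumptions.

# --- main section ---
domainlist local_domains = @

# Temporary bridge described in NEWS.Debian: downgrade taint errors to warnings
# on 4.93/4.94 while the configuration is being fixed; stops working in 4.95.
.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
allow_insecure_tainted_data = yes
.endif

begin routers

# /etc/exim4/virtual/domains (constructed sample, "key: data" lines so that the
# lsearch data returned for a matching domain is the domain name itself):
#   example.org: example.org
#
# BEFORE (breaks on 4.94): the alias file path is built from $domain, which
# comes straight from the envelope recipient and is therefore tainted.
#
#   virtual_aliases:
#     driver = redirect
#     domains = lsearch;/etc/exim4/virtual/domains
#     data = ${lookup{$local_part}lsearch{/etc/exim4/virtual/$domain/aliases}}
#
# AFTER: the 'domains' lookup succeeded, so its result is available untainted
# as $domain_data; $local_part may stay tainted because it is only a lookup key.
virtual_aliases:
  driver = redirect
  domains = lsearch;/etc/exim4/virtual/domains
  data = ${lookup{$local_part}lsearch{/etc/exim4/virtual/$domain_data/aliases}}

# check_local_user verifies the local part against the passwd database and, on
# success, makes the verified (untainted) value available as $local_part_data.
local_user:
  driver = accept
  domains = +local_domains
  check_local_user
  transport = local_delivery

begin transports

# BEFORE (breaks on 4.94): file = /var/mail/$local_part  (tainted file name)
# AFTER: use the value the router verified.
local_delivery:
  driver = appendfile
  file = /var/mail/$local_part_data
```

After upgrading, grep the exim mainlog for "tainted" to find any remaining places where the old, remote-supplied values are still used as file or command names before the allow_insecure_tainted_data bridge is removed.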
--- Begin Message ---
- To: Andreas Metzler <ametzler@bebt.de>, 988078-done@bugs.debian.org, Paul Muster <paul@muster.net>
- Subject: Re: Bug#988078: release-notes: add information regarding exim4 and 'tainted data' issue
- From: Paul Gevers <elbrus@debian.org>
- Date: Sun, 23 May 2021 07:12:20 +0200
- Message-id: <6593c42b-f379-0d8e-3caa-aee3f9bbcc13@debian.org>
- In-reply-to: <YJ4eGB04iITAr/N1@argenau.bebt.de>
- References: <162018777293.11323.400628536970258468.reportbug@localhost> <162018777293.11323.400628536970258468.reportbug@localhost> <YJgKpyk2hSB/bUyr@argenau.bebt.de> <162018777293.11323.400628536970258468.reportbug@localhost> <20210510035832.GA2402@jbr.me.uk> <e3a9a14d-ff37-6228-cb60-6ddbb0472f4a@debian.org> <162018777293.11323.400628536970258468.reportbug@localhost> <YJ4eGB04iITAr/N1@argenau.bebt.de>
Hi

On 14-05-2021 08:52, Andreas Metzler wrote:
> On 2021-05-13 Paul Gevers <elbrus@debian.org> wrote:
>> On 10-05-2021 05:58, Justin B Rye wrote:
>>> (Is it possible we could shorten this by pointing to some external
>>> reference here?)
>
>> I'd like this too.
>
> Hello Paul,
>
> sadly I am not aware of an authoritative source which sums it up
> nicely. The exim specification documents what tainted data is, but it is
> not the howto one would like to link to but a reference documentation.
>
>>> So if I'm getting this formatting right it would be:
>
>> There was one bug, and I improved the display of the programlistings a
>> bit (we reserve <screen> for the command window). Attached my local
>> commit, ready to push if no updates arrive.
>
> Thank you. Looks good to me.

Ok, pushed the change.

Paul
--- End Message ---