
Bug#862784: unblock: debian-edu-config/1.927



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
x-debbugs-cc: debian-edu@lists.debian.org

Please unblock package debian-edu-config to fix the serious bug #862652, which
is a broken exim4 configuration due to the security update for CVE-2016-1531 in
exim4. Additional changes are minor cleanups to our testsuite.

unblock debian-edu-config/1.927

The full changelog is:

debian-edu-config (1.927) unstable; urgency=medium

  [ Wolfgang Schweer ]
  * Fix broken exim4 configuration, enable security. (Closes: #862652).
    - Add usr/share/debian-edu-config/tools/exim4-create-cert.
    - Add usr/share/debian-edu-config/tools/exim4-create-environment.
    - Adjust cf/cf.exim to use both scripts.
    - Adjust etc/exim4/exim-ldap-server-v4.conf.
      + Make it work after the exim4 security fix for CVE-2016-1531.
      + Improve security: create certificate to enable TLS, re-enable
        identity check via Kerberos; now only system mail to postmaster
        is enabled unconditionally; see #794602.
  * Fix typo in testsuite/network to use the correct LTSP-Server profile name.
  * Drop ddcprobe and ddccontrol related code from testsuite/hardware.
    - ddcprobe is part of the package xresprobe, not available in stretch.
    - ddccontrol belongs to package ddccontrol (monitor database unmaintained
      since > 10 years) which isn't installed by default.

 -- Holger Levsen <holger@debian.org>  Mon, 15 May 2017 18:15:45 +0200

$ debdiff debian-edu-config_1.926.dsc debian-edu-config_1.927.dsc|diffstat
 cf/cf.exim                                             |    5 +++
 debian/changelog                                       |   20 ++++++++++++++
 etc/exim4/exim-ldap-server-v4.conf                     |   17 +++++++++++-
 share/debian-edu-config/tools/exim4-create-cert        |   23 +++++++++++++++++
 share/debian-edu-config/tools/exim4-create-environment |   18 +++++++++++++
 testsuite/hardware                                     |    8 -----
 testsuite/network                                      |    2 -
 7 files changed, 82 insertions(+), 11 deletions(-)

The full debdiff is attached.

Thanks for your work on Stretch!


-- 
cheers,
	Holger
diff -Nru debian-edu-config-1.926/cf/cf.exim debian-edu-config-1.927/cf/cf.exim
--- debian-edu-config-1.926/cf/cf.exim	2017-01-13 13:11:08.000000000 +0100
+++ debian-edu-config-1.927/cf/cf.exim	2017-05-15 12:24:33.000000000 +0200
@@ -16,6 +16,11 @@
 shellcommands:
 
 
+  debian.server.installation::
+
+  "/usr/share/debian-edu-config/tools/exim4-create-cert"
+  "/usr/share/debian-edu-config/tools/exim4-create-environment"
+
   debian.installation::
 
     "/usr/sbin/exim4 -qff"
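Review bot: the two new scripts are only run in the debian.server.installation class, while the exim-ldap-server-v4.conf hunk in this same debdiff sets tls_certificate = /etc/exim4/exim.crt and tls_privatekey = /etc/exim4/exim.key unconditionally; please confirm that conf is only deployed on hosts in that class, otherwise exim4 would advertise TLS (tls_advertise_hosts = *) with key and certificate files that were never created. A one-line comment above the block saying that the cert script must run before the environment script, and that both must run before exim4 is started, would also help.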
diff -Nru debian-edu-config-1.926/debian/changelog debian-edu-config-1.927/debian/changelog
--- debian-edu-config-1.926/debian/changelog	2017-04-27 19:23:11.000000000 +0200
+++ debian-edu-config-1.927/debian/changelog	2017-05-15 18:15:45.000000000 +0200
@@ -1,3 +1,23 @@
+debian-edu-config (1.927) unstable; urgency=medium
+
+  [ Wolfgang Schweer ]
+  * Fix broken exim4 configuration, enable security. (Closes: #862652).
+    - Add usr/share/debian-edu-config/tools/exim4-create-cert.
+    - Add usr/share/debian-edu-config/tools/exim4-create-environment.
+    - Adjust cf/cf.exim to use both scripts.
+    - Adjust etc/exim4/exim-ldap-server-v4.conf.
+      + Make it work after the exim4 security fix for CVE-2016-1531.
+      + Improve security: create certificate to enable TLS, re-enable
+        identity check via Kerberos; now only system mail to postmaster
+        is enabled unconditionally; see #794602.
+  * Fix typo in testsuite/network to use the correct LTSP-Server profile name.
+  * Drop ddcprobe and ddccontrol related code from testsuite/hardware.
+    - ddcprobe is part of the package xresprobe, not available in stretch.
+    - ddccontrol belongs to package ddccontrol (monitor database unmaintained
+      since > 10 years) which isn't installed by default.
+
+ -- Holger Levsen <holger@debian.org>  Mon, 15 May 2017 18:15:45 +0200
+
 debian-edu-config (1.926) unstable; urgency=medium
 
   [ Holger Levsen ]
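Review bot: the changelog entries say "Add usr/share/debian-edu-config/tools/exim4-create-cert" and "...exim4-create-environment", but in this debdiff the files live at share/debian-edu-config/tools/ (no usr/ prefix) and cf/cf.exim invokes them as /usr/share/debian-edu-config/tools/...; use one spelling so the entry matches either the source tree or the installed path. Minor wording: "unmaintained since > 10 years" reads better as "unmaintained for more than 10 years".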
diff -Nru debian-edu-config-1.926/etc/exim4/exim-ldap-server-v4.conf debian-edu-config-1.927/etc/exim4/exim-ldap-server-v4.conf
--- debian-edu-config-1.926/etc/exim4/exim-ldap-server-v4.conf	2016-05-18 19:44:48.000000000 +0200
+++ debian-edu-config-1.927/etc/exim4/exim-ldap-server-v4.conf	2017-05-15 12:54:29.000000000 +0200
@@ -7,8 +7,20 @@
 # Upgrade from v3 version by Maximilian Wilhelm <max@rfc2324.org>
 #  -- Sat, 11 Jun 2005 02:44:08 +0200
 #
+# Adjusted to work after the exim4 security fix for CVE-2016-1531.
+# Also improve security some more: enable TLS, re-enable identity check;
+# only system mail to postmaster is enabled unconditionally; see #794602.
+# -- Wolfgang Schweer <wschweer@arcor.de>, 2017-05-13.
 
 ##
+keep_environment = KRB5_KTNAME : PWD : ^LDAP
+tls_advertise_hosts = *
+tls_certificate = /etc/exim4/exim.crt
+tls_privatekey = /etc/exim4/exim.key
+daemon_smtp_ports = 25 : 587
+
+KRB5_KTNAME= /etc/krb5.keytab.smtp
+
 # LDAP Server info
 LDAPBASE = dc=skole,dc=skolelinux,dc=no
 LDAPSERVER = ldap
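Review bot: KRB5_KTNAME= /etc/krb5.keytab.smtp defines an Exim macro, but nothing in this hunk references it, and keep_environment only preserves a KRB5_KTNAME variable that is already present in the daemon's environment; the macro does not export one. Please document where the macro is consumed (or drop it if the value really comes from the environment), and add a comment that /etc/krb5.keytab.smtp is the path as seen inside the /var/lib/exim4 chroot, which is why exim4-create-environment copies the keytab to /var/lib/exim4/etc. Also worth noting in a comment: in keep_environment = KRB5_KTNAME : PWD : ^LDAP the ^LDAP entry is a regular expression that passes through every environment variable starting with LDAP, so if only a fixed set is needed, list those names explicitly.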
@@ -185,6 +197,7 @@
 
 # ACL that is used after the RCPT command
 acl_check_rcpt:
+  accept local_parts = postmaster
   # Exim 3 had no checking on -bs messages, so for compatibility
   # we accept if the source is local SMTP (i.e. not over TCP/IP).
   # We do this by testing for an empty sending host field.
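Review bot: accept local_parts = postmaster carries no domains condition, so this ACL now accepts RCPT TO:<postmaster@any-domain> before the relay checks further down are reached, which lets the host relay mail for that local part to arbitrary domains. Restrict it to local domains, as the stock Debian ACL does: "accept local_parts = postmaster" followed by "domains = +local_domains" on the next line.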
@@ -192,15 +205,15 @@
   # Make sure users can not fake sender address vis SMTP.  Reject
   # unauthenticated connections and check that the sender is the same
   # as the Kerberos ID.
-  accept  hosts = :
-  accept  hosts = +relay_hosts
 
   deny  !authenticated = *
         message = SMTP server requires authentication. Check your SMTP client configuration.
   deny condition = ${if eq{$authenticated_id}{$sender_address_local_part@INTERN}{false}{true}}
         message = Sender address $sender_address conflicts with authentication $authenticated_id.
 
+  accept  hosts = :
   accept  domains = +local_domains
+  accept  hosts = +relay_hosts
   deny    message = relay not permitted
 
 # ACL that is used after the DATA command
diff -Nru debian-edu-config-1.926/share/debian-edu-config/tools/exim4-create-cert debian-edu-config-1.927/share/debian-edu-config/tools/exim4-create-cert
--- debian-edu-config-1.926/share/debian-edu-config/tools/exim4-create-cert	1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-1.927/share/debian-edu-config/tools/exim4-create-cert	2017-05-15 12:54:29.000000000 +0200
@@ -0,0 +1,23 @@
+#!/bin/bash
+#
+# Create a self-signed certificate.
+# Taken in parts from a script by Andreas B. Mundt <andi@debian.org>.
+
+set -e
+
+TEMPLATE="/usr/share/ssl-cert/ssleay.cnf"
+CONF=$(mktemp)
+CERT="/etc/exim4/exim.crt"
+KEY="/etc/exim4/exim.key"
+
+if [ ! -f $CERT ] || [ ! -f $KEY ]; then
+    sed -e s#@HostName@#"postoffice.intern"# $TEMPLATE > $CONF
+    echo "subjectAltName=DNS:postoffice.intern,DNS:postoffice.intern" >> $CONF
+    openssl req -config $CONF -new -x509 -days 7000 -nodes -out $CERT -keyout $KEY
+    chmod 640 $KEY $CERT $CONF
+    chown root:Debian-exim $KEY $CERT
+else
+    echo "$CERT and $KEY already exist, skipping!"
+fi
+
+rm $CONF
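Review bot: openssl req writes /etc/exim4/exim.key under the inherited umask before chmod 640 runs, so the private key is briefly world-readable; set umask 077 at the top of the script (or immediately before the openssl call) so the key is never created with wider permissions. Smaller points: rm $CONF is skipped whenever set -e aborts the script early, so use trap 'rm -f "$CONF"' EXIT instead; the subjectAltName line lists DNS:postoffice.intern twice; and $CERT, $KEY, $CONF and $TEMPLATE should be double-quoted.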
diff -Nru debian-edu-config-1.926/share/debian-edu-config/tools/exim4-create-environment debian-edu-config-1.927/share/debian-edu-config/tools/exim4-create-environment
--- debian-edu-config-1.926/share/debian-edu-config/tools/exim4-create-environment	1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-1.927/share/debian-edu-config/tools/exim4-create-environment	2017-05-15 12:24:33.000000000 +0200
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Create Kerberos environment for exim4 chroot. This is needed
+# to cope with the exim4 security fix for CVE-2016-1531. 
+
+set -e
+
+DIR="/var/lib/exim4/etc"
+FILE="krb5.keytab.smtp"
+
+if [ ! -f $DIR/$FILE ]; then
+    if [ ! -d $DIR ] ; then
+	mkdir $DIR
+    fi
+fi
+cp /etc/$FILE $DIR
+chown Debian-exim:Debian-exim $DIR/$FILE
+echo "Successfully created the Exim4 environment."
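Review bot: the outer if [ ! -f $DIR/$FILE ] only guards the mkdir, so cp and chown run on every invocation and overwrite the keytab in /var/lib/exim4/etc regardless of that check; either move cp and chown inside the if (matching the create-if-missing pattern of exim4-create-cert) or drop the outer test and state in a comment that the keytab is refreshed on every run. The nested ifs collapse to mkdir -p "$DIR". The copied keytab's mode depends on the source file and the umask, so add an explicit chmod 600 "$DIR/$FILE" next to the chown. With set -e a missing /etc/krb5.keytab.smtp makes cp fail before the success message, which is fine, but a clearer error would help; and the trailing whitespace on the "CVE-2016-1531." comment line should go.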
diff -Nru debian-edu-config-1.926/testsuite/hardware debian-edu-config-1.927/testsuite/hardware
--- debian-edu-config-1.926/testsuite/hardware	2016-08-03 18:30:12.000000000 +0200
+++ debian-edu-config-1.927/testsuite/hardware	2017-05-14 10:42:56.000000000 +0200
@@ -44,13 +44,5 @@
     echo "error: $0: Unable to find /usr/sbin/dmidecode"
 fi
 
-if [ -x /usr/sbin/ddcprobe ] ; then
-    ddcprobe | sed "s%^%info: $0: ddcprobe: %"
-elif [ -x /usr/bin/ddccontrol ] ; then
-    ddccontrol -c -p | sed "s%^%info: $0: ddccontrol: %"
-else
-    echo "error: $0: Unable to find /usr/sbin/ddcprobe and /usr/bin/ddccontrol"
-fi
-
 isenkram-lookup | sed "s%^%info: $0: isenkram-lookup: %"
 isenkram-autoinstall-firmware -l | sed "s%^%info: $0: isenkram-autoinstall-firmware: %"
diff -Nru debian-edu-config-1.926/testsuite/network debian-edu-config-1.927/testsuite/network
--- debian-edu-config-1.926/testsuite/network	2017-01-13 13:11:08.000000000 +0100
+++ debian-edu-config-1.927/testsuite/network	2017-05-14 10:42:56.000000000 +0200
@@ -78,7 +78,7 @@
         networked=true
         workstation=true
         ;;
-      LTSP-server)
+      LTSP-Server)
         networked=true
         workstation=true
         ltspserver=true
