Your message dated Sat, 29 Jan 2011 16:13:50 +0000
with message-id <1296317630.3206.2188.camel@hathi.jungle.funky-badger.org>
and subject line Re: Bug#611446: unblock: exim4/4.72-5
has caused the Debian Bug report #611446,
regarding unblock: exim4/4.72-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
611446: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611446
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: exim4/4.72-5
- From: Andreas Metzler <ametzler@downhill.at.eu.org>
- Date: Sat, 29 Jan 2011 14:57:51 +0100
- Message-id: <20110129135751.GA15504@downhill.g.la>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: freeze-exception

Please unblock package exim4

This release fixes a single bug:
PP/06 Bugzilla 1071: fix delivery logging with untrusted macros.
If dropping privileges for untrusted macros, we disabled normal logging
on the basis that it would fail; for the Exim run-time user, this is not
the case, and it resulted in successful deliveries going unlogged.

http://bugs.debian.org/610611

Thanks in advance.
cu andreas

unblock exim4/4.72-5

diff -Nru exim4-4.72/debian/changelog exim4-4.72/debian/changelog --- exim4-4.72/debian/changelog 2011-01-22 17:48:25.000000000 +0100 +++ exim4-4.72/debian/changelog 2011-01-29 14:33:59.000000000 +0100 @@ -1,3 +1,13 @@ +exim4 (4.72-5) unstable; urgency=medium + + * 80_4.74_deliverylogging.patch (Pulled from upstream git): If a non-debug + daemon was invoked with a non-whitelisted macro, then logs from after + attempting delivery would be silently lost, including for successful + delivery. This log-loss bug was introduced as part of the security + lockdown for fixing CVE-2010-4345. Closes: #610611 + + -- Andreas Metzler <ametzler@debian.org> Sat, 29 Jan 2011 14:33:36 +0100 + exim4 (4.72-4) unstable; urgency=medium * In spf example use spf-tools-perl's spfquery instead of the one from diff -Nru exim4-4.72/debian/patches/80_4.74_deliverylogging.patch exim4-4.72/debian/patches/80_4.74_deliverylogging.patch --- exim4-4.72/debian/patches/80_4.74_deliverylogging.patch 1970-01-01 01:00:00.000000000 +0100 +++ exim4-4.72/debian/patches/80_4.74_deliverylogging.patch 2011-01-29 14:23:38.000000000 +0100 
@@ -0,0 +1,29 @@ +From b7487bcec431809cb7fc3c2b42fcd607e43d37e7 Mon Sep 17 00:00:00 2001 +From: Phil Pennock <pdp@exim.org> +Date: Sun, 23 Jan 2011 05:44:45 -0500 +Subject: [PATCH 1/2] Bug 1071: fix delivery logging with untrusted macros. + +If dropping privileges for untrusted macros, we disabled normal logging +on the basis that it would fail; for the Exim run-time user, this is not +the case, and it resulted in successful deliveries going unlogged. + + +diff -NurBbp a/src/exim.c b/src/exim.c +--- a/src/exim.c 2011-01-29 14:20:00.000000000 +0100 ++++ b/src/exim.c 2011-01-29 14:20:37.000000000 +0100 +@@ -3426,9 +3426,13 @@ if (( + and should be used for any logging information because attempts to write + to the log will usually fail. To arrange this, we unset really_exim. However, + if no stderr is available there is no point - we might as well have a go +- at the log (if it fails, syslog will be written). */ ++ at the log (if it fails, syslog will be written). + +- if (log_stderr != NULL) really_exim = FALSE; ++ Note that if the invoker is Exim, the logs remain available. Messing with ++ this causes unlogged successful deliveries. */ ++ ++ if ((log_stderr != NULL) && (real_uid != exim_uid)) ++ really_exim = FALSE; + } + + /* Privilege is to be retained for the moment. It may be dropped later, diff -Nru exim4-4.72/debian/patches/series exim4-4.72/debian/patches/series --- exim4-4.72/debian/patches/series 2011-01-21 19:35:49.000000000 +0100 +++ exim4-4.72/debian/patches/series 2011-01-29 14:24:25.000000000 +0100 @@ -19,3 +19,4 @@ 80_4.73rc1_7_filter_D_option.patch 80_4.73rc1_8_updatedocumentation.patch 80_4.74_CVE-2011-0017.patch +80_4.74_deliverylogging.patchAttachment: signature.asc
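Review bot: the debian/changelog hunk says the patch was "Pulled from upstream git" but names no commit, while the patch header itself carries one (From b7487bcec431809cb7fc3c2b42fcd607e43d37e7) and is titled "[PATCH 1/2]"; the entry should cite that commit id and the unblock request should say whether the second patch of that upstream series is intentionally left out of 4.72-5 or is not needed for this fix.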
Description: Digital signature
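Review bot: the replacement guard in the exim.c hunk, `if ((log_stderr != NULL) && (real_uid != exim_uid)) really_exim = FALSE;`, keys only on the real uid matching the Exim run-time user, so the CVE-2010-4345 privilege drop for non-whitelisted macros is unchanged and the only behavioural difference is that a caller running as the Exim user keeps writing to the main log instead of stderr; the new comment "if the invoker is Exim, the logs remain available" should say explicitly that this is the uid test and not a trusted-caller check, and the unblock request could state that the case being repaired is the daemon's own re-invocation (the changelog describes a non-debug daemon losing all post-delivery log lines), so that reviewers can see why untrusted callers with a usable stderr are still diverted there.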
--- End Message ---
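The logging decision that the quoted exim.c hunk changes, as an added stand-alone C model that is not Exim's code: `keep_really_exim` encodes the guard before and after the patch using the hunk's own names (`really_exim`, `log_stderr`, `real_uid`, `exim_uid`), and a constructed log sink stands in for Exim's log plumbing so the "silently lost" symptom from the changelog can be reproduced on the command line. The uids, message id and log lines are made up for the example.

```c
/* Added example: model of the really_exim decision from the exim.c hunk,
 * before and after the Bug 1071 patch. Not Exim code; the sink, uids and
 * log lines below are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

typedef enum { RULE_BEFORE_PATCH, RULE_AFTER_PATCH } rule_t;

/* Mirrors the one-line change: before the patch any usable stderr turns
 * really_exim off; after it, the Exim run-time user keeps really_exim
 * because the log files are writable for that uid. */
static bool keep_really_exim(rule_t rule, bool log_stderr_available,
                             uid_t real_uid, uid_t exim_uid)
{
    if (rule == RULE_BEFORE_PATCH)
        return !log_stderr_available;
    return !(log_stderr_available && real_uid != exim_uid);
}

/* Constructed log sink. Main-log lines are retained; lines a detached,
 * non-debug daemon writes to stderr have no reader and are counted as lost,
 * which is the symptom the changelog entry describes. */
struct log_sink {
    char main_log[256];
    int main_lines;
    int lost_lines;
};

static void sink_init(struct log_sink *s) { memset(s, 0, sizeof *s); }

static void log_line(struct log_sink *s, bool really_exim, bool daemon_detached,
                     const char *line)
{
    if (really_exim) {
        strncat(s->main_log, line, sizeof s->main_log - strlen(s->main_log) - 1);
        strncat(s->main_log, "\n", sizeof s->main_log - strlen(s->main_log) - 1);
        s->main_lines++;
    } else if (daemon_detached) {
        s->lost_lines++;               /* stderr of a detached daemon: nobody reads it */
    } else {
        fprintf(stderr, "%s\n", line); /* foreground invocation: the operator sees it */
    }
}

/* Simulate one delivery by a process started with a non-whitelisted macro and
 * return how many of its two log lines reached the main log (0 or 2). */
static int delivery_lines_in_main_log(rule_t rule, uid_t real_uid, uid_t exim_uid,
                                      bool log_stderr_available, bool daemon_detached)
{
    struct log_sink sink;
    sink_init(&sink);
    bool really_exim = keep_really_exim(rule, log_stderr_available, real_uid, exim_uid);
    /* constructed lines in the shape of Exim main-log entries */
    log_line(&sink, really_exim, daemon_detached, "1AbCdE-000001-XY => alice R=local T=lmtp");
    log_line(&sink, really_exim, daemon_detached, "1AbCdE-000001-XY Completed");
    return sink.main_lines;
}

int main(void)
{
    const uid_t exim_uid = 101, other_uid = 1000;   /* constructed uids */
    printf("before patch, daemon as exim user: %d lines in main log\n",
           delivery_lines_in_main_log(RULE_BEFORE_PATCH, exim_uid, exim_uid, true, true));
    printf("after patch,  daemon as exim user: %d lines in main log\n",
           delivery_lines_in_main_log(RULE_AFTER_PATCH, exim_uid, exim_uid, true, true));
    printf("after patch,  other untrusted uid: %d lines in main log\n",
           delivery_lines_in_main_log(RULE_AFTER_PATCH, other_uid, exim_uid, true, false));
    return 0;
}
```

The second call is the case the patch repairs: with the old rule a detached daemon running as the Exim user loses both delivery lines; with the new rule they land in the main log, while a different untrusted uid is still diverted to stderr exactly as before.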
--- Begin Message ---
- To: Andreas Metzler <ametzler@downhill.at.eu.org>, 611446-done@bugs.debian.org
- Subject: Re: Bug#611446: unblock: exim4/4.72-5
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 29 Jan 2011 16:13:50 +0000
- Message-id: <1296317630.3206.2188.camel@hathi.jungle.funky-badger.org>
- In-reply-to: <20110129135751.GA15504@downhill.g.la>
- References: <20110129135751.GA15504@downhill.g.la>
On Sat, 2011-01-29 at 14:57 +0100, Andreas Metzler wrote:
> Please unblock package exim4
>
> This release fixes a single bug:
> PP/06 Bugzilla 1071: fix delivery logging with untrusted macros.
> If dropping privileges for untrusted macros, we disabled normal logging
> on the basis that it would fail; for the Exim run-time user, this is not
> the case, and it resulted in successful deliveries going unlogged.

Unblocked, and aged; thanks.

Regards,

Adam
--- End Message ---