Hello,

I would like to push this change to stable:

|------------------------------------------
| http://git.exim.org/exim.git/commit/3f1df0e341c4ddc4add38fa97d9d34972655a6c7
|
| Dovecot: robustness; better msg on missing mech.
|
| If the dovecot protocol response doesn't include the MECH message for
| the SMTP AUTH protocol the client has requested, that's not a protocol
| failure, don't log it as such. Instead, explicitly log that it didn't
| advertise the mechanism we're looking for. This lets administrators
| fix either their Exim or their Dovecot configurations.
|
| Also: make the Dovecot handling more resistant to bad data from the
| auth server; handle too many fields with debug-log message to explain
| what's going on, permit lines of 8192 length per spec and detect if
| the line is too long, so that we can fail auth instead of becoming
| unsynchronised.
|
| Stop using the CUID from the server as the AUTH id counter. They're
| different, by my reading of the spec.
|------------------------------------------

This fixes an exim segfault when accessing a malicious dovecot AUTH server. I have already talked with the security team, Moritz agrees that this should be fixed in a point release. Testing already has the fix since 4.80-6.

On top of this I would like to discuss whether it is acceptable to fix http://bugs.debian.org/697057 in stable, too. [I definitely want to get the fix into testing - #697444.]

The Debian configuration optionally allows using spfquery to run SPF checks on incoming mail. Due to insufficient quoting it is possible to pass on arbitrary arguments to spfquery and therefore bypass SPF checks. The fix is not invasive, but it changes dpkg conffiles.

-------------------------------
diff --git a/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt b/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt index ac347aa..4949587 100644 --- a/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
+++ b/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt @@ -265,10 +265,10 @@ acl_check_rcpt: log_message = SPF check failed. !acl = acl_local_deny_exceptions condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \ - \"$sender_host_address\" --identity \ + ${quote:$sender_host_address} --identity \ ${if def:sender_address_domain \ - {--scope mfrom --identity \"$sender_address\"}\ - {--scope helo --identity \"$sender_helo_name\"}}}\ + {--scope mfrom --identity ${quote:$sender_address}}\ + {--scope helo --identity ${quote:$sender_helo_name}}}}\ {no}{${if eq {$runrc}{1}{yes}{no}}}} defer
-------------------------------

thanks, cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
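Review bot: the switch from literal `\"$sender_host_address\"` (and the two `\"$sender_address\"` / `\"$sender_helo_name\"` lines) to `${quote:...}` is the right fix for the argument-injection problem the message describes: with plain double quotes around a raw variable, a value that itself contains a double quote ends the quoted argument early and the rest of the value is split by `${run}` into further spfquery arguments, whereas Exim's `quote` operator escapes embedded double quotes and backslashes inside the quotes it adds, so each value stays a single argument (and `${run}` execs the command directly rather than through a shell, so no second layer of quoting is needed). Two points to confirm before uploading: the unchanged context line ends in a bare `--identity \` immediately before the `${if def:sender_address_domain` branch, which itself emits `--scope mfrom --identity ...` or `--scope helo --identity ...`, so the command line carries `--identity --scope ...` in both the old and the new version and it is worth checking how spfquery treats that repeated option; and since this is a dpkg conffile, users who have locally edited `30_exim4-config_check_rcpt` will get a conffile prompt on the point-release upgrade, which the changelog or NEWS entry should mention.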