Your message dated Wed, 17 May 2017 05:45:00 +0000
with message-id <04bf09a8-2c2a-7b0a-ba2b-0850a34385dd@thykier.net>
and subject line Re: Bug#862784: unblock: debian-edu-config/1.927
has caused the Debian Bug report #862784,
regarding unblock: debian-edu-config/1.927
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
862784: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862784
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: debian-edu-config/1.927
- From: Holger Levsen <holger@debian.org>
- Date: Tue, 16 May 2017 23:28:27 +0200
- Message-id: <20170516212827.GA4299@layer-acht.org>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
x-debbugs-cc: debian-edu@lists.debian.org

Please unblock package debian-edu-config to fix the serious bug #862652 which
is a broken exim4 configuration due to the security update for CVE-2016-151 in
exim4. Additional changes are minor cleanups to our testsuite.

unblock debian-edu-config/1.927

The full changelog is:

debian-edu-config (1.927) unstable; urgency=medium

  [ Wolfgang Schweer ]
  * Fix broken exim4 configuration, enable security. (Closes: #862652).
    - Add usr/share/debian-edu-config/tools/exim4-create-cert.
    - Add usr/share/debian-edu-config/tools/exim4-create-environment.
    - Adjust cf/cf.exim to use both scripts.
    - Adjust etc/exim4/exim-ldap-server-v4.conf.
      + Make it work after the exim4 security fix for CVE-2016-1531.
      + Improve security: create certificate to enable TLS, re-enable
        identity check via Kerberos; now only system mail to postmaster
        is enabled unconditionally; see #794602.
  * Fix typo in testsuite/network to use the correct LTSP-Server profile name.
  * Drop ddcprobe and ddccontrol related code from testsuite/hardware.
    - ddcprobe is part of the package xresprobe, not available in stretch.
    - ddccontrol belongs to package ddccontrol (monitor database unmaintained
      since > 10 years) which isn't installed by default.

 -- Holger Levsen <holger@debian.org>  Mon, 15 May 2017 18:15:45 +0200

$ debdiff debian-edu-config_1.926.dsc debian-edu-config_1.927.dsc|diffstat
 cf/cf.exim                                             |    5 +++
 debian/changelog                                       |   20 ++++++++++++++
 etc/exim4/exim-ldap-server-v4.conf                     |   17 +++++++++++-
 share/debian-edu-config/tools/exim4-create-cert        |   23 +++++++++++++++++
 share/debian-edu-config/tools/exim4-create-environment |   18 +++++++++++++
 testsuite/hardware                                     |    8 -----
 testsuite/network                                      |    2 -
 7 files changed, 82 insertions(+), 11 deletions(-)

The full debdiff is attached.

Thanks for your work on Stretch!

-- cheers, Holgerdiff -Nru debian-edu-config-1.926/cf/cf.exim debian-edu-config-1.927/cf/cf.exim --- debian-edu-config-1.926/cf/cf.exim 2017-01-13 13:11:08.000000000 +0100 +++ debian-edu-config-1.927/cf/cf.exim 2017-05-15 12:24:33.000000000 +0200 @@ -16,6 +16,11 @@ shellcommands: + debian.server.installation:: + + "/usr/share/debian-edu-config/tools/exim4-create-cert" + "/usr/share/debian-edu-config/tools/exim4-create-environment" + debian.installation:: "/usr/sbin/exim4 -qff" diff -Nru debian-edu-config-1.926/debian/changelog debian-edu-config-1.927/debian/changelog --- debian-edu-config-1.926/debian/changelog 2017-04-27 19:23:11.000000000 +0200 +++ debian-edu-config-1.927/debian/changelog 2017-05-15 18:15:45.000000000 +0200 
@@ -1,3 +1,23 @@ +debian-edu-config (1.927) unstable; urgency=medium + + [ Wolfgang Schweer ] + * Fix broken exim4 configuration, enable security. (Closes: #862652). + - Add usr/share/debian-edu-config/tools/exim4-create-cert. + - Add usr/share/debian-edu-config/tools/exim4-create-environment. + - Adjust cf/cf.exim to use both scripts. + - Adjust etc/exim4/exim-ldap-server-v4.conf. + + Make it work after the exim4 security fix for CVE-2016-1531. + + Improve security: create certificate to enable TLS, re-enable + identity check via Kerberos; now only system mail to postmaster + is enabled unconditionally; see #794602. + * Fix typo in testsuite/network to use the correct LTSP-Server profile name. + * Drop ddcprobe and ddccontrol related code from testsuite/hardware. + - ddcprobe is part of the package xresprobe, not available in stretch. + - ddccontrol belongs to package ddccontrol (monitor database unmaintained + since > 10 years) which isn't installed by default. + + -- Holger Levsen <holger@debian.org> Mon, 15 May 2017 18:15:45 +0200 + debian-edu-config (1.926) unstable; urgency=medium [ Holger Levsen ] diff -Nru debian-edu-config-1.926/etc/exim4/exim-ldap-server-v4.conf debian-edu-config-1.927/etc/exim4/exim-ldap-server-v4.conf --- debian-edu-config-1.926/etc/exim4/exim-ldap-server-v4.conf 2016-05-18 19:44:48.000000000 +0200 +++ debian-edu-config-1.927/etc/exim4/exim-ldap-server-v4.conf 2017-05-15 12:54:29.000000000 +0200 
@@ -7,8 +7,20 @@ # Upgrade from v3 version by Maximilian Wilhelm <max@rfc2324.org> # -- Sat, 11 Jun 2005 02:44:08 +0200 # +# Adjusted to work after the exim4 security fix for CVE-2016-1531. +# Also improve security some more: enable TLS, re-enable identity check; +# only system mail to postmaster is enabled unconditionally; see #794602. +# -- Wolfgang Schweer <wschweer@arcor.de>, 2017-05-13. ## +keep_environment = KRB5_KTNAME : PWD : ^LDAP +tls_advertise_hosts = * +tls_certificate = /etc/exim4/exim.crt +tls_privatekey = /etc/exim4/exim.key +daemon_smtp_ports = 25 : 587 + +KRB5_KTNAME= /etc/krb5.keytab.smtp + # LDAP Server info LDAPBASE = dc=skole,dc=skolelinux,dc=no LDAPSERVER = ldap @@ -185,6 +197,7 @@ # ACL that is used after the RCPT command acl_check_rcpt: + accept local_parts = postmaster # Exim 3 had no checking on -bs messages, so for compatibility # we accept if the source is local SMTP (i.e. not over TCP/IP). # We do this by testing for an empty sending host field. 
@@ -192,15 +205,15 @@ # Make sure users can not fake sender address vis SMTP. Reject # unauthenticated connections and check that the sender is the same # as the Kerberos ID. - accept hosts = : - accept hosts = +relay_hosts deny !authenticated = * message = SMTP server requires authentication. Check your SMTP client configuration. deny condition = ${if eq{$authenticated_id}{$sender_address_local_part@INTERN}{false}{true}} message = Sender address $sender_address conflicts with authentication $authenticated_id. + accept hosts = : accept domains = +local_domains + accept hosts = +relay_hosts deny message = relay not permitted # ACL that is used after the DATA command diff -Nru debian-edu-config-1.926/share/debian-edu-config/tools/exim4-create-cert debian-edu-config-1.927/share/debian-edu-config/tools/exim4-create-cert --- debian-edu-config-1.926/share/debian-edu-config/tools/exim4-create-cert 1970-01-01 01:00:00.000000000 +0100 +++ debian-edu-config-1.927/share/debian-edu-config/tools/exim4-create-cert 2017-05-15 12:54:29.000000000 +0200 
@@ -0,0 +1,23 @@ +#!/bin/bash +# +# Create a self-signed certificate. +# Taken in parts from a script by Andreas B. Mundt <andi@debian.org>. + +set -e + +TEMPLATE="/usr/share/ssl-cert/ssleay.cnf" +CONF=$(mktemp) +CERT="/etc/exim4/exim.crt" +KEY="/etc/exim4/exim.key" + +if [ ! -f $CERT ] || [ ! -f $KEY ]; then + sed -e s#@HostName@#"postoffice.intern"# $TEMPLATE > $CONF + echo "subjectAltName=DNS:postoffice.intern,DNS:postoffice.intern" >> $CONF + openssl req -config $CONF -new -x509 -days 7000 -nodes -out $CERT -keyout $KEY + chmod 640 $KEY $CERT $CONF + chown root:Debian-exim $KEY $CERT +else + echo "$CERT and $KEY already exist, skipping!" +fi + +rm $CONF diff -Nru debian-edu-config-1.926/share/debian-edu-config/tools/exim4-create-environment debian-edu-config-1.927/share/debian-edu-config/tools/exim4-create-environment --- debian-edu-config-1.926/share/debian-edu-config/tools/exim4-create-environment 1970-01-01 01:00:00.000000000 +0100 +++ debian-edu-config-1.927/share/debian-edu-config/tools/exim4-create-environment 2017-05-15 12:24:33.000000000 +0200 @@ -0,0 +1,18 @@ +#!/bin/bash +# +# Create Kerberos environment for exim4 chroot. This is needed +# to cope with the exim4 security fix for CVE-2016-1531. + +set -e + +DIR="/var/lib/exim4/etc" +FILE="krb5.keytab.smtp" + +if [ ! -f $DIR/$FILE ]; then + if [ ! -d $DIR ] ; then + mkdir $DIR + fi +fi +cp /etc/$FILE $DIR +chown Debian-exim:Debian-exim $DIR/$FILE +echo "Successfully created the Exim4 environment." diff -Nru debian-edu-config-1.926/testsuite/hardware debian-edu-config-1.927/testsuite/hardware --- debian-edu-config-1.926/testsuite/hardware 2016-08-03 18:30:12.000000000 +0200 +++ debian-edu-config-1.927/testsuite/hardware 2017-05-14 10:42:56.000000000 +0200 
@@ -44,13 +44,5 @@ echo "error: $0: Unable to find /usr/sbin/dmidecode" fi -if [ -x /usr/sbin/ddcprobe ] ; then - ddcprobe | sed "s%^%info: $0: ddcprobe: %" -elif [ -x /usr/bin/ddccontrol ] ; then - ddccontrol -c -p | sed "s%^%info: $0: ddccontrol: %" -else - echo "error: $0: Unable to find /usr/sbin/ddcprobe and /usr/bin/ddccontrol" -fi - isenkram-lookup | sed "s%^%info: $0: isenkram-lookup: %" isenkram-autoinstall-firmware -l | sed "s%^%info: $0: isenkram-autoinstall-firmware: %" diff -Nru debian-edu-config-1.926/testsuite/network debian-edu-config-1.927/testsuite/network --- debian-edu-config-1.926/testsuite/network 2017-01-13 13:11:08.000000000 +0100 +++ debian-edu-config-1.927/testsuite/network 2017-05-14 10:42:56.000000000 +0200 @@ -78,7 +78,7 @@ networked=true workstation=true ;; - LTSP-server) + LTSP-Server) networked=true workstation=true ltspserver=trueAttachment: signature.asc
Description: Digital signature
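Review bot: in etc/exim4/exim-ldap-server-v4.conf, hunk @@ -7,8 +7,20 @@, `KRB5_KTNAME= /etc/krb5.keytab.smtp` names the keytab under /etc, while exim4-create-environment in this same patch copies it to /var/lib/exim4/etc/krb5.keytab.smtp. The header comment should state how the two paths relate (the script's own comment mentions an exim4 chroot), because a reader of this file alone cannot tell which copy Exim opens. The new `tls_advertise_hosts = *` and `daemon_smtp_ports = 25 : 587` settings would also benefit from a line each in that comment.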
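Review bot: in etc/exim4/exim-ldap-server-v4.conf, hunk @@ -185,6 +197,7 @@, the new first rule `accept local_parts = postmaster` carries no `domains` condition, so acl_check_rcpt accepts a postmaster recipient at any domain, from any host, before the authentication checks below it run. The changelog describes the intent as system mail to postmaster; adding `domains = +local_domains` (the list this ACL already uses further down) to that rule would limit it to what the changelog says.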
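Review bot: in etc/exim4/exim-ldap-server-v4.conf, hunk @@ -192,15 +205,15 @@, moving `accept hosts = :` and `accept hosts = +relay_hosts` below `deny !authenticated = *` leaves the surrounding comments out of date. The comment kept as context in the previous hunk ("for compatibility we accept if the source is local SMTP") now sits above rules that reject an unauthenticated local submission unless the recipient is postmaster, and nothing says that hosts in `+relay_hosts` must now authenticate as well. Please update that comment and the "Make sure users can not fake sender address" comment to describe the new order.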
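Review bot: in share/debian-edu-config/tools/exim4-create-cert, the `subjectAltName` line lists `DNS:postoffice.intern` twice; drop the duplicate or put in the second name that was meant. With `set -e`, a failing `sed` or `openssl req` exits before the final `rm $CONF`, so the temporary file stays behind; a `trap 'rm -f "$CONF"' EXIT` directly after `mktemp` covers that. The private key only gets its mode from `chmod 640` after `openssl req` has written it, so setting a restrictive `umask` before the `openssl` call would make its permissions explicit from creation, and `$CERT`, `$KEY`, `$CONF` and `$TEMPLATE` should be quoted.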
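Review bot: in share/debian-edu-config/tools/exim4-create-environment, the outer `if [ ! -f $DIR/$FILE ]` only guards the `mkdir`; `cp /etc/$FILE $DIR` and the `chown` run on every invocation, so the nested test amounts to `mkdir -p "$DIR"` and should be written that way, or the copy should move inside the test if a one-time copy was intended. The mode of the copied keytab is never set explicitly; `install -m 600 -o Debian-exim -g Debian-exim` in place of the `cp` and `chown` pair would fix ownership and permissions of this secret in one step. The success message is also printed without checking anything beyond `set -e`, which is fine, but a missing /etc/krb5.keytab.smtp will abort with only the `cp` error, so a short explicit check with a clear message would help whoever reads the cfengine log.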
--- End Message ---
--- Begin Message ---
- To: Holger Levsen <holger@debian.org>, 862784-done@bugs.debian.org
- Subject: Re: Bug#862784: unblock: debian-edu-config/1.927
- From: Niels Thykier <niels@thykier.net>
- Date: Wed, 17 May 2017 05:45:00 +0000
- Message-id: <04bf09a8-2c2a-7b0a-ba2b-0850a34385dd@thykier.net>
- In-reply-to: <20170516212827.GA4299@layer-acht.org>
- References: <20170516212827.GA4299@layer-acht.org>
Holger Levsen:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> x-debbugs-cc: debian-edu@lists.debian.org
>
> Please unblock package debian-edu-config to fix the serious bug #862652 which
> is a broken exim4 configuration due to the security update for CVE-2016-151 in
> exim4. Additional changes are minor cleanups to our testsuite.
>
> unblock debian-edu-config/1.927
>
> The full changelog is:
>
> [...]
>
> The full debdiff is attached.
>
> Thanks for your work on Stretch!
>
>

Unblocked, thanks.

~Niels
--- End Message ---