
Bug#926878: marked as done (unblock: exim4/4.92-5)



Your message dated Thu, 9 May 2019 11:12:11 +0200
with message-id <de9b7205-25bd-22ff-f7db-012833c78083@debian.org>
and subject line Re: unblock: exim4/4.92-5
has caused the Debian Bug report #926878,
regarding unblock: exim4/4.92-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
926878: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926878
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package exim4:

In the first place it pulls multiple upgrades from upstream's
exim-4.92+fixes branch where important post-release fixes are published.

The second notable change is related to sa-exim. Exim in Debian was
patched to allow dlopening a localscan() module. The single consumer of
this patch in Debian is sa-exim. (The patch also originates there.)

The patch in Debian has been nonfunctional in unstable for quite some
time (4.92~RC2-1/experimental/18 Dec, 4.92~RC3-1 unstable/26 Dec and
buster/03 Jan). The issue only popped up end of March on the upstream
user support ML.

Looking at the state of sa-exim (dead upstream since 2006 and buggy: 
https://lists.exim.org/lurker/message/20180726.113354.6d03efde.en.html
#879687) we have decided to stop patching exim, which resulted in 4.92-5,
which
- improves the example/docs for content-scanning in exim without sa-exim
- drops the abovementioned patch and the virtual Provides for
  exim4-localscanapi-2.0 and also drops the exim-dev packages (only
  needed for sa-exim). Exim now also Conflicts with sa-exim.

unblock exim4/4.92-5

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/45/59933d7d0e4800a65884d62d6506ce390b4f07.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/59/55fdc7b64bc2f31b1e0b63c762a57924c2516e.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/5e/f1dbf7d44b659418b55dd4a173cda74ecad278.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/9b/6cfa23511aa8ae2305e45f556cd5238b07f495.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/bb/23e5a1a9f351c2a608d482dfc1e00d9998c629.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/bc/986da4b151ecfa52558aa9c20d03614d31dd25.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/bd/894614600fc329441d05ceb08017719b489417.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/ca/a4ade19a8e042ebf7f9f22782142cbd56bcd2b.debug

Files in first .changes but not in second
-----------------------------------------
-rw-r--r--  root/root   /usr/include/exim4/config.h
-rw-r--r--  root/root   /usr/include/exim4/local_scan.h
-rw-r--r--  root/root   /usr/include/exim4/mytypes.h
-rw-r--r--  root/root   /usr/include/exim4/store.h
-rw-r--r--  root/root   /usr/lib/debug/.build-id/1f/9c1ede6c32409686b1de89bb598ff598b0ee4f.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/23/c3c5b57e50336cc82bb3a27f46b9b354ccb3e6.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/50/c2969f4b54bc47c33c513e27a89cd4a09d728d.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/51/279c0f518a9e2a849c64a89ff8eaadcabe26fa.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/9c/50ed18cc20fbffb26032ecebab97af806afdd3.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/a3/1149847f6ae982b262e6aec59d3afa2e9ae841.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/ef/6c35ac2c5dc055ab4c3a7d10302123129f10b8.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/f2/12c147800e2c7a02151217960981dcaa2d4f6c.debug
-rw-r--r--  root/root   /usr/share/doc/exim4-dev/NEWS.Debian.gz
-rw-r--r--  root/root   /usr/share/doc/exim4-dev/changelog.Debian.gz
-rw-r--r--  root/root   /usr/share/doc/exim4-dev/copyright
-rw-r--r--  root/root   /usr/share/man/man1/exim4-localscan-plugin-config.1.gz
-rwxr-xr-x  root/root   /usr/bin/exim4-localscan-plugin-config
lrwxrwxrwx  root/root   /usr/share/doc/exim4-dev/README.Debian.gz -> ../exim4-base/README.Debian.gz
lrwxrwxrwx  root/root   /usr/share/doc/exim4-dev/changelog.gz -> ../exim4-base/changelog.gz

Control files of package exim4: lines which differ (wdiff format)
-----------------------------------------------------------------
Depends: debconf (>= 1.4.69) | cdebconf (>= 0.39), exim4-base (<< [-4.92-2.1),-] {+4.92-5.1),+} exim4-base (>= [-4.92-2),-] {+4.92-5),+} exim4-daemon-light | exim4-daemon-heavy | exim4-daemon-custom, debconf (>= 0.5) | debconf-2.0
Version: [-4.92-2-] {+4.92-5+}

Control files of package exim4-base: lines which differ (wdiff format)
----------------------------------------------------------------------
Installed-Size: [-1621-] {+1623+}
Version: [-4.92-2-] {+4.92-5+}

Control files of package exim4-base-dbgsym: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Build-Ids: [-1f9c1ede6c32409686b1de89bb598ff598b0ee4f 23c3c5b57e50336cc82bb3a27f46b9b354ccb3e6 9c50ed18cc20fbffb26032ecebab97af806afdd3 ef6c35ac2c5dc055ab4c3a7d10302123129f10b8 f212c147800e2c7a02151217960981dcaa2d4f6c-] {+4559933d7d0e4800a65884d62d6506ce390b4f07 5955fdc7b64bc2f31b1e0b63c762a57924c2516e 9b6cfa23511aa8ae2305e45f556cd5238b07f495 bb23e5a1a9f351c2a608d482dfc1e00d9998c629 bc986da4b151ecfa52558aa9c20d03614d31dd25+}
Depends: exim4-base (= [-4.92-2)-] {+4.92-5)+}
Version: [-4.92-2-] {+4.92-5+}

Control files of package exim4-config: lines which differ (wdiff format)
------------------------------------------------------------------------
Installed-Size: [-983-] {+985+}
Version: [-4.92-2-] {+4.92-5+}

Control files of package exim4-daemon-heavy: lines which differ (wdiff format)
------------------------------------------------------------------------------
Conflicts: [-mail-transport-agent-] {+mail-transport-agent, sa-exim+}
Installed-Size: [-1477-] {+1537+}
Provides: [-exim4-localscanapi-2.0,-] mail-transport-agent
Version: [-4.92-2-] {+4.92-5+}

Control files of package exim4-daemon-heavy-dbgsym: lines which differ (wdiff format)
-------------------------------------------------------------------------------------
Build-Ids: [-50c2969f4b54bc47c33c513e27a89cd4a09d728d-] {+bd894614600fc329441d05ceb08017719b489417+}
Depends: exim4-daemon-heavy (= [-4.92-2)-] {+4.92-5)+}
Installed-Size: [-2646-] {+2631+}
Version: [-4.92-2-] {+4.92-5+}

Control files of package exim4-daemon-light: lines which differ (wdiff format)
------------------------------------------------------------------------------
Conflicts: [-mail-transport-agent-] {+mail-transport-agent, sa-exim+}
Installed-Size: [-1332-] {+1324+}
Provides: default-mta, [-exim4-localscanapi-2.0,-] mail-transport-agent
Version: [-4.92-2-] {+4.92-5+}

Control files of package exim4-daemon-light-dbgsym: lines which differ (wdiff format)
-------------------------------------------------------------------------------------
Build-Ids: [-51279c0f518a9e2a849c64a89ff8eaadcabe26fa-] {+caa4ade19a8e042ebf7f9f22782142cbd56bcd2b+}
Depends: exim4-daemon-light (= [-4.92-2)-] {+4.92-5)+}
Installed-Size: [-2260-] {+2247+}
Version: [-4.92-2-] {+4.92-5+}

Control files of package eximon4: lines which differ (wdiff format)
-------------------------------------------------------------------
Installed-Size: [-212-] {+216+}
Version: [-4.92-2-] {+4.92-5+}

Control files of package eximon4-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------
Build-Ids: [-a31149847f6ae982b262e6aec59d3afa2e9ae841-] {+5ef1dbf7d44b659418b55dd4a173cda74ecad278+}
Depends: eximon4 (= [-4.92-2)-] {+4.92-5)+}
Version: [-4.92-2-] {+4.92-5+}



diff -Nru exim4-4.92/debian/changelog exim4-4.92/debian/changelog
--- exim4-4.92/debian/changelog	2019-02-20 19:23:11.000000000 +0100
+++ exim4-4.92/debian/changelog	2019-04-07 13:39:31.000000000 +0200
@@ -1,3 +1,33 @@
+exim4 (4.92-5) unstable; urgency=medium
+
+  * Improved spam-scanning example with accompaning information in
+    README.Debian. Explicitly warn about adding the default SpamAssassin
+    report in a header, which Closes: #774553
+  * Drop 90_localscan_dlopen.dpatch. (It has been non-functional for a couple
+    of months.) Closes: #925982 Add a Conflicts for sa-exim, which relied on
+    the (working) version of the patch. Drop exim4-dev package. Add a NEWS
+    entry for this change.
+
+ -- Andreas Metzler <ametzler@debian.org>  Sun, 07 Apr 2019 13:39:31 +0200
+
+exim4 (4.92-4) unstable; urgency=medium
+
+  * Another patch from exim-4.92+fixes branch:
+    75_10-Harden-plaintext-authenticator.patch
+
+ -- Andreas Metzler <ametzler@debian.org>  Fri, 22 Mar 2019 07:15:20 +0100
+
+exim4 (4.92-3) unstable; urgency=medium
+
+  * Pull fixes from exim-4.92+fixes branch.
+    + 75_05-Fix-expansions-for-RFC-822-addresses-having-comments.patch
+    + 75_06-Docs-Add-note-on-lsearch-for-IPv4-mapped-IPv6-addres.patch
+    + 75_07-Fix-crash-from-SRV-lookup-hitting-a-CNAME.patch
+    + 75_08-Logging-fix-initial-listening-on-log-line.patch
+    + 75_09-OpenSSL-Fix-aggregation-of-messages.patch
+
+ -- Andreas Metzler <ametzler@debian.org>  Wed, 20 Mar 2019 17:01:29 +0100
+
 exim4 (4.92-2) unstable; urgency=medium
 
   * Upload to unstable.
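Review bot: the second bullet of the 4.92-5 entry packs four separate changes into one item (dropping 90_localscan_dlopen.dpatch, the new Conflicts on sa-exim, dropping exim4-dev, the NEWS entry), with "Closes: #925982" in the middle, so it is unclear which of them the bug refers to; split it into one bullet per change. "accompaning" in the first bullet should read "accompanying".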
diff -Nru exim4-4.92/debian/control exim4-4.92/debian/control
--- exim4-4.92/debian/control	2019-02-17 13:13:18.000000000 +0100
+++ exim4-4.92/debian/control	2019-04-07 13:39:31.000000000 +0200
@@ -138,10 +138,9 @@
 Architecture: any
 Priority: optional
 Provides:
- exim4-localscanapi-2.0,
  mail-transport-agent,
  ${dist:Provides:exim4-daemon-light}
-Conflicts: mail-transport-agent
+Conflicts: mail-transport-agent, sa-exim
 Replaces: exim4-base (<= 4.61-1), mail-transport-agent
 Depends:
  exim4-base (>= ${Upstream-Version}),
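Review bot: "Conflicts: mail-transport-agent, sa-exim" adds an unversioned Conflicts where Breaks would do, since the problem is that sa-exim stops working without the dlopen patch, not that the two packages ship the same files. Dropping exim4-localscanapi-2.0 from Provides in the same hunk already leaves a package that depends on that virtual package unsatisfiable, so the changelog should say why the explicit relation is needed on top. The same applies to the exim4-daemon-heavy and exim4-daemon-custom stanzas below.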
@@ -202,8 +201,8 @@
 Package: exim4-daemon-heavy
 Architecture: any
 Priority: optional
-Provides: exim4-localscanapi-2.0, mail-transport-agent
-Conflicts: mail-transport-agent
+Provides: mail-transport-agent
+Conflicts: mail-transport-agent, sa-exim
 Replaces: exim4-base (<= 4.61-1), mail-transport-agent
 Depends:
  exim4-base (>= ${Upstream-Version}),
@@ -238,8 +237,8 @@
 #Package: exim4-daemon-custom
 #Architecture: any
 #Priority: optional
-#Provides: exim4-localscanapi-2.0, mail-transport-agent
-#Conflicts: mail-transport-agent
+#Provides: mail-transport-agent
+#Conflicts: mail-transport-agent, sa-exim
 #Replaces: exim4-base (<= 4.61-1), mail-transport-agent
 #Depends:
 # exim4-base (>= ${Upstream-Version}),
@@ -279,28 +278,3 @@
  administrators to view the mail queue and logs, and perform a variety
  of actions on queued messages, such as freezing, bouncing and thawing
  messages.
-
-Package: exim4-dev
-Architecture: any
-Priority: optional
-Depends: ${misc:Depends}
-Description: header files for the Exim MTA (v4) packages
- Exim (v4) is a mail transport agent. This package contains header
- files that can be used to compile code that is then dynamically linked
- to exim's local_scan interface.
- .
- The Debian exim4 packages have their own web page,
- http://wiki.debian.org/PkgExim4. There is also a Debian-specific
- FAQ list. Information about the way the Debian packages are
- configured can be found in
- /usr/share/doc/exim4-base/README.Debian.gz, which additionally contains
- information about the way the Debian binary packages are built. The
- very extensive upstream documentation is shipped in
- /usr/share/doc/exim4-base/spec.txt.gz. To repeat the debconf-driven
- configuration process in a standard setup, invoke dpkg-reconfigure
- exim4-config. There is a Debian-centered mailing list,
- pkg-exim4-users@lists.alioth.debian.org. Please ask Debian-specific
- questions there, and only write to the upstream exim-users mailing
- list if you are sure that your question is not Debian-specific. You
- can find the subscription web page on
- http://lists.alioth.debian.org/mailman/listinfo/pkg-exim4-users
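Review bot: the removed exim4-dev stanza gets no cleanup relation anywhere in debian/control, so on upgrade an installed exim4-dev (its only dependency was ${misc:Depends}) stays behind with headers from the old version; consider a Breaks on exim4-dev in the daemon packages or a sentence in NEWS. Also check the claim that the package is only needed for sa-exim: the manual page removed later in this diff says the local_scan API "is also available to shared libraries used with the ${dlfunc ...} expansion item", and those users lose local_scan.h as well.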
diff -Nru exim4-4.92/debian/copyright exim4-4.92/debian/copyright
--- exim4-4.92/debian/copyright	2018-12-15 16:02:45.000000000 +0100
+++ exim4-4.92/debian/copyright	2019-04-07 13:39:31.000000000 +0200
@@ -38,10 +38,6 @@
 
 The following people helped in preparing the exim4 packages and gave
 important feedback:
-- Marc Merlin provides the dlopen patch, making it possible to load
-  local_scan-routines for a external shared object.
-  The original patch was written by David Woodhouse, it was modified first
-  by Derrick 'dman' Hudson and afterwards by Marc Merlin.
 - Sander Smeenk provided the TLS-docs and the script to generate the
   self-signed certificates.
 - The people on the exim4debian list that submitted bug-reports and -fixes,
diff -Nru exim4-4.92/debian/debconf/conf.d/acl/40_exim4-config_check_data exim4-4.92/debian/debconf/conf.d/acl/40_exim4-config_check_data
--- exim4-4.92/debian/debconf/conf.d/acl/40_exim4-config_check_data	2018-08-25 13:41:00.000000000 +0200
+++ exim4-4.92/debian/debconf/conf.d/acl/40_exim4-config_check_data	2019-04-07 13:39:31.000000000 +0200
@@ -50,25 +50,36 @@
 
 
   # Add headers to a message if it is judged to be spam. Before enabling this,
-  # you must install SpamAssassin. You also need to set the spamd_address
+  # you must install SpamAssassin. You may also need to set the spamd_address
   # option in the main configuration.
   #
   # exim4-daemon-heavy must be used for this section to work.
   #
-  # Please note that this is only suiteable as an example. There are
-  # multiple issues with this configuration method. For example, if you go
-  # this way, you'll give your spamassassin daemon write access to the
-  # entire exim spool which might be a security issue in case of a
-  # spamassassin exploit.
+  # Please note that this is only suiteable as an example. See
+  # /usr/share/doc/exim4-base/README.Debian.gz
   #
   # See the exim docs and the exim wiki for more suitable examples.
   #
+  # # Remove internal headers
   # warn
-  #   spam = Debian-exim:true
-  #   add_header = X-Spam_score: $spam_score\n\
-  #             X-Spam_score_int: $spam_score_int\n\
-  #             X-Spam_bar: $spam_bar\n\
-  #             X-Spam_report: $spam_report
+  #   remove_header = X-Spam_score: X-Spam_score_int : X-Spam_bar : \
+  #                   X-Spam_report
+  #
+  # warn
+  #   condition = ${if <{$message_size}{120k}{1}{0}}
+  #   # ":true" to add headers/acl variables even if not spam
+  #   spam = nobody:true
+  #   add_header = X-Spam_score: $spam_score
+  #   add_header = X-Spam_bar: $spam_bar
+  #   # Do not enable this unless you have shorted SpamAssassin's report
+  #   #add_header = X-Spam_report: $spam_report
+  #
+  # Reject spam messages (score >15.0).
+  # This breaks mailing list and forward messages.
+  # deny
+  #   message = Classified as spam (score $spam_score)
+  #   condition = ${if <{$message_size}{120k}{1}{0}}
+  #   condition = ${if >{$spam_score_int}{150}{true}{false}}
 
 
   # This hook allows you to hook in your own ACLs without having to
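Review bot: the two lines introducing the deny stanza ("# Reject spam messages (score >15.0)." and "# This breaks mailing list and forward messages.") carry a single comment marker, unlike "# # Remove internal headers" above, so an admin who enables the example by stripping the leading "# " turns them into bare text inside the ACL; give them a second "#". The deny stanza also has no spam = condition of its own and only works when the preceding warn has run and set $spam_score_int, which the comment should say. "shorted" should read "shortened".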
diff -Nru exim4-4.92/debian/exim4-dev.install exim4-4.92/debian/exim4-dev.install
--- exim4-4.92/debian/exim4-dev.install	2018-12-15 16:02:45.000000000 +0100
+++ exim4-4.92/debian/exim4-dev.install	1970-01-01 01:00:00.000000000 +0100
@@ -1,4 +0,0 @@
-b-exim4-daemon-light/src/local_scan.h usr/include/exim4
-b-exim4-daemon-light/src/mytypes.h usr/include/exim4
-b-exim4-daemon-light/src/store.h usr/include/exim4
-debian/exim4-localscan-plugin-config usr/bin
diff -Nru exim4-4.92/debian/exim4-dev.links exim4-4.92/debian/exim4-dev.links
--- exim4-4.92/debian/exim4-dev.links	2018-12-15 16:02:45.000000000 +0100
+++ exim4-4.92/debian/exim4-dev.links	1970-01-01 01:00:00.000000000 +0100
@@ -1,2 +0,0 @@
-usr/share/doc/exim4-base/README.Debian.gz usr/share/doc/exim4-dev/README.Debian.gz
-usr/share/doc/exim4-base/changelog.gz usr/share/doc/exim4-dev/changelog.gz
diff -Nru exim4-4.92/debian/exim4-dev.manpages exim4-4.92/debian/exim4-dev.manpages
--- exim4-4.92/debian/exim4-dev.manpages	2018-01-28 15:23:43.000000000 +0100
+++ exim4-4.92/debian/exim4-dev.manpages	1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-debian/exim4-localscan-plugin-config.1
diff -Nru exim4-4.92/debian/exim4-localscan-plugin-config exim4-4.92/debian/exim4-localscan-plugin-config
--- exim4-4.92/debian/exim4-localscan-plugin-config	2018-01-28 15:23:43.000000000 +0100
+++ exim4-4.92/debian/exim4-localscan-plugin-config	1970-01-01 01:00:00.000000000 +0100
@@ -1,12 +0,0 @@
-#!/bin/sh
-
-case "$1" in
-    --localscan-apiversion)
-        sed -rn 's/#define LOCAL_SCAN_ABI_VERSION_(MAJOR|MINOR) *([0-9]+).*/\2/p' \
-            /usr/include/exim4/local_scan.h \
-            | (read MAJOR; read MINOR; echo ${MAJOR}.${MINOR})
-        ;;
-    *)
-        echo Usage: $0 --localscan-apiversion
-	;;
-esac
diff -Nru exim4-4.92/debian/exim4-localscan-plugin-config.1 exim4-4.92/debian/exim4-localscan-plugin-config.1
--- exim4-4.92/debian/exim4-localscan-plugin-config.1	2018-01-28 15:23:43.000000000 +0100
+++ exim4-4.92/debian/exim4-localscan-plugin-config.1	1970-01-01 01:00:00.000000000 +0100
@@ -1,40 +0,0 @@
-.\"     Title: EXIM4-LOCALSCAN-PLUGIN-CONFIG
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.72.0 <http://docbook.sf.net/>
-.\"      Date: 2007-06-08
-.\"    Manual: 
-.\"    Source: exim4
-.\"
-.TH "EXIM4\-LOCALSCAN\-PLUGIN\-CONFIG" "1" "2007\-06\-08" "exim4" ""
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-exim4\-localscan\-plugin\-config \- get information necessary to build and package exim4 plugins
-.SH "SYNOPSIS"
-.HP 13
-\fBexim4\-localscan\-plugin\-config\fR \fB\-\-localscan\-abiversion\fR
-.SH "DESCRIPTION"
-.PP
-\fBexim4\-localscan\-plugin\-config\fR
-is a tool that is used to determine various things needed to build plugins (shared libraries) for the Exim MTA. Currently there is one such plugin API \- the
-\fBlocal_scan\fR
-API. In addition to local_scan plugins, this API is also available to shared libraries used with the ${dlfunc ...} expansion item.
-.SH "OPTIONS"
-.PP
-Since
-\fBexim4\-localscan\-plugin\-config\fR
-is
-Debian(TM)\-specific, it currently takes a single mandatory option parameter,
-\fB\-\-localscan\-apiversion\fR, outputting the API/ABI version (\fIver\fR). Packages containing local_scan plugins should depend on exim4\-localscanapi\-\fIver\fR
-.SH "SEE ALSO"
-\fBexim4\fR(8), Chapter 42 of the Exim specification
-.SH "COPYRIGHT"
-Copyright \(co 2007 Magnus Holmgren
-.br
-.PP
-This manual page was written by Magnus Holmgren for the
-Debian(TM)
-system (but may be used by others). Permission is granted to copy, distribute and/or modify this document without any restrictions whatsoever.
-.br
diff -Nru exim4-4.92/debian/exim4-localscan-plugin-config.1.xml exim4-4.92/debian/exim4-localscan-plugin-config.1.xml
--- exim4-4.92/debian/exim4-localscan-plugin-config.1.xml	2018-01-28 15:23:43.000000000 +0100
+++ exim4-4.92/debian/exim4-localscan-plugin-config.1.xml	1970-01-01 01:00:00.000000000 +0100
@@ -1,82 +0,0 @@
-<?xml version='1.0' encoding='ISO-8859-1'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"; [
-
-  <!ENTITY dhfirstname "<firstname>Magnus</firstname>">
-  <!ENTITY dhsurname   "<surname>Holmgren</surname>">
-  <!-- Please adjust the date whenever revising the manpage. -->
-  <!ENTITY dhdate      "<date>2007-06-08</date>">
-  <!ENTITY dhsection   "<manvolnum>1</manvolnum>">
-  <!ENTITY dhemail     "<email>magnus@kibibyte.se</email>">
-  <!ENTITY dhusername  "Magnus Holmgren">
-  <!ENTITY dhucpackage "<refentrytitle>EXIM4-LOCALSCAN-PLUGIN-CONFIG</refentrytitle>">
-  <!ENTITY dhpackage   "exim4-localscan-plugin-config">
-
-  <!ENTITY debian      "<productname>Debian</productname>">
-]>
-
-<refentry>
-  <refentryinfo>
-    <productname>exim4</productname>
-    <address>
-      &dhemail;
-    </address>
-    <copyright>
-      <year>2007</year>
-      <holder>&dhusername;</holder>
-    </copyright>
-    <legalnotice>
-      <para>
-        This manual page was written by &dhusername; for
-        the &debian; system (but may be used by others).  Permission is
-        granted to copy, distribute and/or modify this document without
-        any restrictions whatsoever.
-      </para>
-    </legalnotice>
-    &dhdate;
-  </refentryinfo>
-  <refmeta>
-    &dhucpackage;
-    &dhsection;
-  </refmeta>
-  <refnamediv>
-    <refname>&dhpackage;</refname>
-    <refpurpose>get information necessary to build and package exim4
-     plugins</refpurpose>
-  </refnamediv>
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>&dhpackage;</command>
-      <arg choice="plain"><option>--localscan-abiversion</option></arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-  <refsect1>
-    <title>Description</title>
-
-    <para><command>&dhpackage;</command> is a tool that is used to determine
-    various things needed to build plugins (shared libraries) for the 
-    Exim MTA. Currently there is one such plugin API - the 
-    <function>local_scan</function> API. In addition to local_scan plugins,
-    this API is also available to shared libraries used with the 
-    ${dlfunc ...} expansion item.</para>
-  </refsect1>
-  <refsect1>
-    <title>Options</title>
-    <para>Since <command>&dhpackage;</command> is &debian;-specific,
-    it currently takes a single mandatory option parameter,
-    <option>--localscan-apiversion</option>, outputting the API/ABI 
-    version (<replaceable role="variable">ver</replaceable>). 
-    Packages containing local_scan plugins should depend on 
-    exim4-localscanapi-<replaceable role="variable">ver</replaceable></para>
-  </refsect1>
-  <refsect1>
-    <title>See also</title>
-    <simplelist type="inline">
-      <member><citerefentry>
-        <refentrytitle>exim4</refentrytitle>
-        <manvolnum>8</manvolnum>
-      </citerefentry></member>
-      <member>Chapter 42 of the Exim specification</member>
-    </simplelist>
-  </refsect1>
-</refentry>
diff -Nru exim4-4.92/debian/NEWS exim4-4.92/debian/NEWS
--- exim4-4.92/debian/NEWS	2018-02-15 17:33:44.000000000 +0100
+++ exim4-4.92/debian/NEWS	2019-04-07 13:39:31.000000000 +0200
@@ -1,3 +1,12 @@
+exim4 (4.92-5) unstable; urgency=medium
+
+  The patch for dlopening local_scan has been dropped. sa-exim which has been
+  dead upstream for more than 10 years is not supported anymore. Exim's
+  spam=... condition can be used as replacement. The exim4-dev package served
+  no purpose anymore and was therefore dropped, too.
+
+ -- Andreas Metzler <ametzler@debian.org>  Sun, 07 Apr 2019 13:39:31 +0200
+
 exim4 (4.87-3) unstable; urgency=medium
 
   Starting with 4.87~RC1-1 exim will not accept or send out messages with
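Review bot: the NEWS text says sa-exim "is not supported anymore" but not that the new Conflicts forces it off the system on upgrade, so a host that relied on it then accepts mail unscanned until a spam= ACL is configured; say so explicitly and point to the example in 40_exim4-config_check_data and to README.Debian.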
diff -Nru exim4-4.92/debian/patches/75_05-Fix-expansions-for-RFC-822-addresses-having-comments.patch exim4-4.92/debian/patches/75_05-Fix-expansions-for-RFC-822-addresses-having-comments.patch
--- exim4-4.92/debian/patches/75_05-Fix-expansions-for-RFC-822-addresses-having-comments.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.92/debian/patches/75_05-Fix-expansions-for-RFC-822-addresses-having-comments.patch	2019-03-20 16:49:39.000000000 +0100
@@ -0,0 +1,91 @@
+From f634b80846cc7ffcab65c9855bcb35312f0232e8 Mon Sep 17 00:00:00 2001
+From: Jasen Betts <jasen@xnet.co.nz>
+Date: Mon, 18 Feb 2019 13:52:16 +0000
+Subject: [PATCH 1/5] Fix expansions for RFC 822 addresses having comments in
+ local-part and/or domain.  Bug 2375
+
+(cherry picked from commit e2ff8e24f41caca3623228b1ec66a3f3961ecad6)
+---
+ doc/ChangeLog        |  3 +++
+ src/expand.c             | 19 +++++++------------
+ test/scripts/0000-Basic/0002 |  7 +++++++
+ test/stdout/0002             |  7 +++++++
+ 4 files changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/doc/ChangeLog b/doc/ChangeLog
+index 867a1d8a..9659da32 100644
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -16,10 +16,13 @@ JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
+       to the client until the first read of encrypted data (typically the
+       response to EHLO).  Add detection for that case and treat it as a failed
+       TLS connection attempt, so that the normal retry-in-clear can work (if
+       suitably configured).
+ 
++JB/01 BZg 2375: fix expansions of 822 addresses having comments in local-part
++      and/or domain.  Found and fixed by Jason Betts.
++
+ 
+ Exim version 4.92
+ -----------------
+ 
+ JH/01 Remove code calling the customisable local_scan function, unless a new
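Review bot: the new ChangeLog entry credits "Jason Betts" while the patch's From: header reads "Jasen Betts", and "BZg 2375" is a typo for "Bug 2375"; fix both in the entry (the following patch, 75_06, corrects only "BZg").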
+diff --git a/src/expand.c b/src/expand.c
+index 2c290251..35ede718 100644
+--- a/src/expand.c
++++ b/src/expand.c
+@@ -7071,20 +7071,15 @@ while (*s != 0)
+         uschar * error;
+         int start, end, domain;
+         uschar * t = parse_extract_address(sub, &error, &start, &end, &domain,
+           FALSE);
+         if (t)
+-          if (c != EOP_DOMAIN)
+-            {
+-            if (c == EOP_LOCAL_PART && domain != 0) end = start + domain - 1;
+-            yield = string_catn(yield, sub+start, end-start);
+-            }
+-          else if (domain != 0)
+-            {
+-            domain += start;
+-            yield = string_catn(yield, sub+domain, end-domain);
+-            }
++	  yield = c == EOP_DOMAIN
++	    ? string_cat(yield, t + domain)
++	    : c == EOP_LOCAL_PART && domain > 0
++	    ? string_catn(yield, t, domain - 1 )
++	    : string_cat(yield, t);
+         continue;
+         }
+ 
+       case EOP_ADDRESSES:
+         {
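Review bot: in the EOP_DOMAIN branch of the new conditional the old "domain != 0" guard is gone: when parse_extract_address() returns domain == 0 (an address with no domain part), "string_cat(yield, t + domain)" appends the whole extracted address, where the removed code appended nothing. Keep the guard so that ${domain:...} on a bare local part stays empty, and cover that case in test 0002. The added lines are also indented with tabs while the surrounding context uses spaces.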
+@@ -7104,11 +7099,11 @@ while (*s != 0)
+             }
+         f.parse_allow_group = TRUE;
+ 
+         for (;;)
+           {
+-          uschar *p = parse_find_address_end(sub, FALSE);
++          uschar * p = parse_find_address_end(sub, FALSE);
+           uschar saveend = *p;
+           *p = '\0';
+           address = parse_extract_address(sub, &error, &start, &end, &domain,
+             FALSE);
+           *p = saveend;
+@@ -7117,11 +7112,11 @@ while (*s != 0)
+           done in chunks by searching for the separator character. At the
+           start, unless we are dealing with the first address of the output
+           list, add in a space if the new address begins with the separator
+           character, or is an empty string. */
+ 
+-          if (address != NULL)
++          if (address)
+             {
+             if (yield->ptr != save_ptr && address[0] == *outsep)
+               yield = string_catn(yield, US" ", 1);
+ 
+             for (;;)
+-- 
+2.20.1
+
diff -Nru exim4-4.92/debian/patches/75_06-Docs-Add-note-on-lsearch-for-IPv4-mapped-IPv6-addres.patch exim4-4.92/debian/patches/75_06-Docs-Add-note-on-lsearch-for-IPv4-mapped-IPv6-addres.patch
--- exim4-4.92/debian/patches/75_06-Docs-Add-note-on-lsearch-for-IPv4-mapped-IPv6-addres.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.92/debian/patches/75_06-Docs-Add-note-on-lsearch-for-IPv4-mapped-IPv6-addres.patch	2019-03-20 16:58:06.000000000 +0100
@@ -0,0 +1,48 @@
+From 8dde16b89efe2138f92cbfa6c59fb31dc80ec22a Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Tue, 19 Feb 2019 14:45:27 +0000
+Subject: [PATCH 2/5] Docs: Add note on lsearch for IPv4-mapped IPv6 addresses
+
+Cherry-picked from: 52af443324, c77d3d85fe
+---
+ doc/doc-docbook/spec.xfpt | 11 ++++++++++-
+ doc/ChangeLog     |  2 +-
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -18,7 +18,7 @@ JH/07 GnuTLS: Our use of late (post-hand
+       TLS connection attempt, so that the normal retry-in-clear can work (if
+       suitably configured).
+ 
+-JB/01 BZg 2375: fix expansions of 822 addresses having comments in local-part
++JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
+       and/or domain.  Found and fixed by Jason Betts.
+ 
+ 
+--- a/doc/spec.txt
++++ b/doc/spec.txt
+@@ -6302,6 +6302,10 @@ The following single-key lookup types ar
+     implicit key is the host's IP address rather than its name (see section
+     10.12).
+ 
++    Warning 3: Do not use an IPv4-mapped IPv6 address for a key; use the
++    IPv4, in dotted-quad form. (Exim converts IPv4-mapped IPv6 addresses to
++    this notation before executing the lookup.)
++
+   * lsearch: The given file is a text file that is searched linearly for a line
+     beginning with the search key, terminated by a colon or white space or the
+     end of the line. The search is case-insensitive; that is, upper and lower
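Review bot: the diffstat in this patch's header lists doc/doc-docbook/spec.xfpt, but the hunks apply to doc/spec.txt, so the change was adapted for the Debian source after cherry-picking; record that in the patch header. In this hunk "Warning 3" lands in the list item above "* lsearch:", although the Subject speaks of lsearch; name the lookup type in the warning text so it cannot be attributed to the wrong item.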
+@@ -8003,7 +8007,11 @@ quote keys was made available in lsearch
+ implemented iplsearch files do require colons in IPv6 keys (notated using the
+ quoting facility) so as to distinguish them from IPv4 keys. For this reason,
+ when the lookup type is iplsearch, IPv6 addresses are converted using colons
+-and not dots. In all cases, full, unabbreviated IPv6 addresses are always used.
++and not dots.
++
++In all cases except IPv4-mapped IPv6, full, unabbreviated IPv6 addresses
++are always used. The latter are converted to IPv4 addresses, in dotted-quad
++form.
+ 
+ Ideally, it would be nice to tidy up this anomalous situation by changing to
+ colons in all cases, given that quoting is now available for lsearch. However,
diff -Nru exim4-4.92/debian/patches/75_07-Fix-crash-from-SRV-lookup-hitting-a-CNAME.patch exim4-4.92/debian/patches/75_07-Fix-crash-from-SRV-lookup-hitting-a-CNAME.patch
--- exim4-4.92/debian/patches/75_07-Fix-crash-from-SRV-lookup-hitting-a-CNAME.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.92/debian/patches/75_07-Fix-crash-from-SRV-lookup-hitting-a-CNAME.patch	2019-03-20 16:49:39.000000000 +0100
@@ -0,0 +1,69 @@
+From 09720dd9506176294154dad7152f5f40554046a4 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Thu, 14 Mar 2019 12:26:34 +0000
+Subject: [PATCH 3/5] Fix crash from SRV lookup hitting a CNAME
+
+(cherry picked from commit 14bc9cf085aff7bd5147881e5b7068769a29b026)
+---
+ doc/ChangeLog |  4 ++++
+ src/dns.c         | 10 +++++++---
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/doc/ChangeLog b/doc/ChangeLog
+index 419c1061..0f8d05b2 100644
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -19,10 +19,14 @@ JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
+       suitably configured).
+ 
+ JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
+       and/or domain.  Found and fixed by Jason Betts.
+ 
++JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid
++      configuration).  If a CNAME target was not a wellformed name pattern, a
++      crash could result.
++
+ 
+ Exim version 4.92
+ -----------------
+ 
+ JH/01 Remove code calling the customisable local_scan function, unless a new
+diff --git a/src/dns.c b/src/dns.c
+index 0f0b435d..b7978c52 100644
+--- a/src/dns.c
++++ b/src/dns.c
+@@ -714,11 +714,15 @@ regex has substrings that are used - the default uses a conditional.
+ This test is omitted for PTR records. These occur only in calls from the dnsdb
+ lookup, which constructs the names itself, so they should be OK. Besides,
+ bitstring labels don't conform to normal name syntax. (But the aren't used any
+ more.)
+ 
+-For SRV records, we omit the initial _smtp._tcp. components at the start. */
++For SRV records, we omit the initial _smtp._tcp. components at the start.
++The check has been seen to bite on the destination of a SRV lookup that
++initiall hit a CNAME, for which the next name had only two components.
++RFC2782 makes no mention of the possibiility of CNAMES, but the Wikipedia
++article on SRV says they are not a valid configuration. */
+ 
+ #ifndef STAND_ALONE   /* Omit this for stand-alone tests */
+ 
+ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
+   {
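Review bot: The comment text added in this hunk has two typos, "initiall" and "possibiility", and it cites a Wikipedia article as the authority for CNAMEs being an invalid SRV target. Fix the spelling, and say in the comment what the code below now does when the name reached through the CNAME has fewer than two dots, since that is the case the hardening exists for.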
+@@ -730,12 +734,12 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
+   /* For an SRV lookup, skip over the first two components (the service and
+   protocol names, which both start with an underscore). */
+ 
+   if (type == T_SRV || type == T_TLSA)
+     {
+-    while (*checkname++ != '.');
+-    while (*checkname++ != '.');
++    while (*checkname && *checkname++ != '.') ;
++    while (*checkname && *checkname++ != '.') ;
+     }
+ 
+   if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname),
+       0, PCRE_EOPT, ovector, nelem(ovector)) < 0)
+     {
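Review bot: With the added `*checkname &&` guard, a name with fewer than two dots leaves checkname pointing at the terminating NUL, so the pcre_exec call just below runs on an empty subject with Ustrlen(checkname) == 0. Whether such a name is rejected then depends entirely on check_dns_names_pattern not matching the empty string. An explicit test for `*checkname == 0` after the two loops, handled as a failed name check, would make the outcome independent of the configured pattern.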
+-- 
+2.20.1
+
diff -Nru exim4-4.92/debian/patches/75_08-Logging-fix-initial-listening-on-log-line.patch exim4-4.92/debian/patches/75_08-Logging-fix-initial-listening-on-log-line.patch
--- exim4-4.92/debian/patches/75_08-Logging-fix-initial-listening-on-log-line.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.92/debian/patches/75_08-Logging-fix-initial-listening-on-log-line.patch	2019-03-20 16:49:39.000000000 +0100
@@ -0,0 +1,206 @@
+From e5be948a65fe601024e5d4256f64efbfed3dd72e Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Mon, 18 Mar 2019 00:31:43 +0000
+Subject: [PATCH 4/5] Logging: fix initial listening-on log line
+
+(cherry picked from commit 254f38d1c5ada5e4df0bccb385dc466549620c71)
+---
+ doc/ChangeLog |  4 +++
+ src/daemon.c      | 73 +++++++++++++++++++++++++++----------------
+ src/host.c        |  1 +
+ src/structs.h     |  1 +
+ test/confs/0282       |  2 +-
+ test/log/0282         |  2 +-
+ 6 files changed, 54 insertions(+), 29 deletions(-)
+
+diff --git a/doc/ChangeLog b/doc/ChangeLog
+index 0f8d05b2..3c0ffbf0 100644
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -23,10 +23,14 @@ JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
+ 
+ JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid
+       configuration).  If a CNAME target was not a wellformed name pattern, a
+       crash could result.
+ 
++JH/09 Logging: Fix initial listening-on line for multiple ports for an IP when
++      the OS reports them interleaved with other addresses.
++
++
+ 
+ Exim version 4.92
+ -----------------
+ 
+ JH/01 Remove code calling the customisable local_scan function, unless a new
+diff --git a/src/daemon.c b/src/daemon.c
+index a852192e..01da3936 100644
+--- a/src/daemon.c
++++ b/src/daemon.c
+@@ -1625,12 +1625,12 @@ if (f.inetd_wait_mode)
+ else if (f.daemon_listen)
+   {
+   int i, j;
+   int smtp_ports = 0;
+   int smtps_ports = 0;
+-  ip_address_item * ipa, * i2;
+-  uschar * p = big_buffer;
++  ip_address_item * ipa;
++  uschar * p;
+   uschar * qinfo = queue_interval > 0
+     ? string_sprintf("-q%s", readconf_printtime(queue_interval))
+     : US"no queue runs";
+ 
+   /* Build a list of listening addresses in big_buffer, but limit it to 10
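Review bot: The unchanged declaration `int i, j;` at the top of this block is now shadowed, because both loops introduced further down declare their own counters with `for (int j = 0, i; j < 2; j++)`. Drop the outer declaration, or keep it and remove the loop-local ones, so the block does not pick up shadowing or unused-variable warnings.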
+@@ -1638,73 +1638,92 @@ else if (f.daemon_listen)
+ 
+   It is now possible to have some ports listening for SMTPS (the old,
+   deprecated protocol that starts TLS without using STARTTLS), and others
+   listening for standard SMTP. Keep their listings separate. */
+ 
+-  for (j = 0; j < 2; j++)
++  for (int j = 0, i; j < 2; j++)
+     {
+     for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
+       {
+       /* First time round, look for SMTP ports; second time round, look for
+-      SMTPS ports. For the first one of each, insert leading text. */
++      SMTPS ports. Build IP+port strings. */
+ 
+       if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
+ 	{
+ 	if (j == 0)
+-	  {
+-	  if (smtp_ports++ == 0)
+-	    {
+-	    memcpy(p, "SMTP on", 8);
+-	    p += 7;
+-	    }
+-	  }
++	  smtp_ports++;
+ 	else
+-	  if (smtps_ports++ == 0)
+-	    p += sprintf(CS p, "%sSMTPS on",
+-	      smtp_ports == 0 ? "" : " and for ");
++	  smtps_ports++;
+ 
+ 	/* Now the information about the port (and sometimes interface) */
+ 
+ 	if (ipa->address[0] == ':' && ipa->address[1] == 0)
+ 	  {						/* v6 wildcard */
+ 	  if (ipa->next && ipa->next->address[0] == 0 &&
+ 	      ipa->next->port == ipa->port)
+ 	    {
+-	    p += sprintf(CS p, " port %d (IPv6 and IPv4)", ipa->port);
+-	    ipa = ipa->next;
++	    ipa->log = string_sprintf(" port %d (IPv6 and IPv4)", ipa->port);
++	    (ipa = ipa->next)->log = NULL;
+ 	    }
+ 	  else if (ipa->v6_include_v4)
+-	    p += sprintf(CS p, " port %d (IPv6 with IPv4)", ipa->port);
++	    ipa->log = string_sprintf(" port %d (IPv6 with IPv4)", ipa->port);
+ 	  else
+-	    p += sprintf(CS p, " port %d (IPv6)", ipa->port);
++	    ipa->log = string_sprintf(" port %d (IPv6)", ipa->port);
+ 	  }
+ 	else if (ipa->address[0] == 0)			/* v4 wildcard */
+-	  p += sprintf(CS p, " port %d (IPv4)", ipa->port);
++	  ipa->log = string_sprintf(" port %d (IPv4)", ipa->port);
+ 	else				/* check for previously-seen IP */
+ 	  {
++	  ip_address_item * i2;
+ 	  for (i2 = addresses; i2 != ipa; i2 = i2->next)
+ 	    if (  host_is_tls_on_connect_port(i2->port) == (j > 0)
+ 	       && Ustrcmp(ipa->address, i2->address) == 0
+ 	       )
+ 	      {				/* found; append port to list */
+-	      if (p[-1] == '}') p--;
+-	      while (isdigit(*--p)) ;
+-	      p +=  1 + sprintf(CS p+1, "%s%d,%d}", *p == ',' ? "" : "{",
+-		i2->port, ipa->port);
++	      for (p = i2->log; *p; ) p++;	/* end of existing string */
++	      if (*--p == '}') *p = '\0';	/* drop EOL */
++	      while (isdigit(*--p)) ;		/* char before port */
++
++	      i2->log = *p == ':'		/* no list yet? */
++		? string_sprintf("%.*s{%s,%d}",
++		  (int)(p - i2->log + 1), i2->log, p+1, ipa->port)
++		: string_sprintf("%s,%d}", i2->log, ipa->port);
++	      ipa->log = NULL;
+ 	      break;
+ 	      }
+ 	  if (i2 == ipa)		/* first-time IP */
+-	    p += sprintf(CS p, " [%s]:%d", ipa->address, ipa->port);
++	    ipa->log = string_sprintf(" [%s]:%d", ipa->address, ipa->port);
+ 	  }
+ 	}
+       }
++    }
+ 
+-    if (ipa)
++  p = big_buffer;
++  for (int j = 0, i; j < 2; j++)
++    {
++    /* First time round, look for SMTP ports; second time round, look for
++    SMTPS ports. For the first one of each, insert leading text. */
++
++    if (j == 0)
+       {
+-      memcpy(p, " ...", 5);
+-      p += 4;
++      if (smtp_ports > 0)
++	p += sprintf(CS p, "SMTP on");
+       }
++    else
++      if (smtps_ports > 0)
++	p += sprintf(CS p, "%sSMTPS on",
++	  smtp_ports == 0 ? "" : " and for ");
++
++    /* Now the information about the port (and sometimes interface) */
++
++    for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
++      if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
++	if (ipa->log)
++	  p += sprintf(CS p, "%s",  ipa->log);
++
++    if (ipa)
++      p += sprintf(CS p, " ...");
+     }
+ 
+   log_write(0, LOG_MAIN,
+     "exim %s daemon started: pid=%d, %s, listening for %s",
+     version_string, getpid(), qinfo, big_buffer);
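Review bot: In the previously-seen-IP branch, `for (p = i2->log; *p; ) p++;` dereferences i2->log with no NULL check, although this same hunk sets log to NULL on merged entries (`ipa->log = NULL`). It is safe only because the scan starts at the list head and breaks on the first entry with that address, which is the one that keeps its string. State that invariant in a comment or guard the dereference. The `/* drop EOL */` comment is also misleading, since the statement removes the closing brace of the port list.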
+diff --git a/src/host.c b/src/host.c
+index 29c977fe..a3b0977b 100644
+--- a/src/host.c
++++ b/src/host.c
+@@ -757,10 +757,11 @@ while ((s = string_nextinlist(&list, &sep, NULL, 0)))
+   next = store_get(sizeof(ip_address_item));
+   next->next = NULL;
+   Ustrcpy(next->address, s);
+   next->port = port;
+   next->v6_include_v4 = FALSE;
++  next->log = NULL;
+ 
+   if (!yield)
+     yield = last = next;
+   else
+     {
+diff --git a/src/structs.h b/src/structs.h
+index 20db0e5f..1e63d752 100644
+--- a/src/structs.h
++++ b/src/structs.h
+@@ -442,10 +442,11 @@ hold an IPv6 address. */
+ typedef struct ip_address_item {
+   struct ip_address_item *next;
+   int    port;
+   BOOL   v6_include_v4;            /* Used in the daemon */
+   uschar address[46];
++  uschar * log;			   /* portion of "listening on" log line */
+ } ip_address_item;
+ 
+ /* Structure for chaining together arbitrary strings. */
+ 
+ typedef struct string_item {
+-- 
+2.20.1
+
diff -Nru exim4-4.92/debian/patches/75_09-OpenSSL-Fix-aggregation-of-messages.patch exim4-4.92/debian/patches/75_09-OpenSSL-Fix-aggregation-of-messages.patch
--- exim4-4.92/debian/patches/75_09-OpenSSL-Fix-aggregation-of-messages.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.92/debian/patches/75_09-OpenSSL-Fix-aggregation-of-messages.patch	2019-03-20 16:49:39.000000000 +0100
@@ -0,0 +1,127 @@
+From 332ebeaf8139b2b75f475880fc14b63c7c45c706 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Tue, 19 Mar 2019 15:33:31 +0000
+Subject: [PATCH 5/5] OpenSSL: Fix aggregation of messages.
+
+Broken-by: a5ffa9b475
+(cherry picked from commit c09dbcfb71f4b9a42cbfd8a20e0be6bfa1b12488)
+---
+ doc/ChangeLog |  5 +++
+ src/tls-openssl.c | 24 ++++++++++----
+ test/confs/2152       | 76 +++++++++++++++++++++++++++++++++++++++++++
+ test/log/2152         |  9 +++++
+ 4 files changed, 108 insertions(+), 6 deletions(-)
+ create mode 100644 test/confs/2152
+ create mode 100644 test/log/2152
+
+diff --git a/doc/ChangeLog b/doc/ChangeLog
+index 3c0ffbf0..3d63725f 100644
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -26,10 +26,15 @@ JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid
+       crash could result.
+ 
+ JH/09 Logging: Fix initial listening-on line for multiple ports for an IP when
+       the OS reports them interleaved with other addresses.
+ 
++JH/10 OpenSSL: Fix aggregation of messages.  Previously, when PIPELINING was
++      used both for input and for a verify callout, both encrypted, SMTP
++      responses being sent by the server could be lost.  This resulted in
++      dropped connections and sometimes bounces generated by a peer sending
++      to this system.
+ 
+ 
+ Exim version 4.92
+ -----------------
+ 
+diff --git a/src/tls-openssl.c b/src/tls-openssl.c
+index 8f4cf4d8..cc0ead02 100644
+--- a/src/tls-openssl.c
++++ b/src/tls-openssl.c
+@@ -272,10 +272,11 @@ Server:
+ */
+ 
+ typedef struct {
+   SSL_CTX *	ctx;
+   SSL *		ssl;
++  gstring *	corked;
+ } exim_openssl_client_tls_ctx;
+ 
+ static SSL_CTX *server_ctx = NULL;
+ static SSL     *server_ssl = NULL;
+ 
+@@ -2471,10 +2472,11 @@ BOOL require_ocsp = FALSE;
+ #endif
+ 
+ rc = store_pool;
+ store_pool = POOL_PERM;
+ exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
++exim_client_ctx->corked = NULL;
+ store_pool = rc;
+ 
+ #ifdef SUPPORT_DANE
+ tlsp->tlsa_usage = 0;
+ #endif
+@@ -2906,22 +2908,29 @@ Used by both server-side and client-side TLS.
+ 
+ int
+ tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
+ {
+ int outbytes, error, left;
+-SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
+-static gstring * corked = NULL;
++SSL * ssl = ct_ctx
++  ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
++static gstring * server_corked = NULL;
++gstring ** corkedp = ct_ctx
++  ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
++gstring * corked = *corkedp;
+ 
+ DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
+   buff, (unsigned long)len, more ? ", more" : "");
+ 
+ /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
+ "more" is notified.  This hack is only ok if small amounts are involved AND only
+ one stream does it, in one context (i.e. no store reset).  Currently it is used
+-for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
+-/*XXX + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
+-a store reset there. */
++for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
++We support callouts done by the server process by using a separate client
++context for the stashed information. */
++/* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
++a store reset there, so use POOL_PERM. */
++/* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
+ 
+ if (!ct_ctx && (more || corked))
+   {
+ #ifdef EXPERIMENTAL_PIPE_CONNECT
+   int save_pool = store_pool;
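Review bot: The guard `if (!ct_ctx && (more || corked))` is unchanged context here, so the corking path is still entered only for the server side, and the per-client `corked` slot that corkedp selects when ct_ctx is set is never written through this branch. That sits oddly with the new comment saying callouts are supported "by using a separate client context for the stashed information". Either relax the guard or reword the comment so it matches what the code does for client contexts.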
+@@ -2933,14 +2942,17 @@ if (!ct_ctx && (more || corked))
+ #ifdef EXPERIMENTAL_PIPE_CONNECT
+   store_pool = save_pool;
+ #endif
+ 
+   if (more)
++    {
++    *corkedp = corked;
+     return len;
++    }
+   buff = CUS corked->s;
+   len = corked->ptr;
+-  corked = NULL;
++  *corkedp = NULL;
+   }
+ 
+ for (left = len; left > 0;)
+   {
+   DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
+diff --git a/test/confs/2152 b/test/confs/2152
+new file mode 100644
+index 00000000..f783192b
+diff --git a/test/log/2152 b/test/log/2152
+new file mode 100644
+index 00000000..720200be
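Review bot: test/confs/2152 and test/log/2152 appear here only as `new file mode` and `index` lines with no hunks, while the diffstat in the patch header counts 76 and 9 added lines for them. If the test suite is deliberately left out of the Debian patch, trim the diffstat and these headers as well, so the patch file does not declare files it never creates.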
+-- 
+2.20.1
+
diff -Nru exim4-4.92/debian/patches/75_10-Harden-plaintext-authenticator.patch exim4-4.92/debian/patches/75_10-Harden-plaintext-authenticator.patch
--- exim4-4.92/debian/patches/75_10-Harden-plaintext-authenticator.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.92/debian/patches/75_10-Harden-plaintext-authenticator.patch	2019-03-22 07:14:00.000000000 +0100
@@ -0,0 +1,55 @@
+From e5b942ae007d0533fbd599c64d550f3a8355b940 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Thu, 21 Mar 2019 20:01:03 +0000
+Subject: [PATCH] Harden plaintext authenticator
+
+Cherry-picked from: f9fc942757
+---
+ doc/ChangeLog     | 5 +++++
+ src/auths/plaintext.c | 6 +-----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/doc/ChangeLog b/doc/ChangeLog
+index 3d63725f..c34e60d1 100644
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -32,10 +32,15 @@ JH/10 OpenSSL: Fix aggregation of messages.  Previously, when PIPELINING was
+       used both for input and for a verify callout, both encrypted, SMTP
+       responses being sent by the server could be lost.  This resulted in
+       dropped connections and sometimes bounces generated by a peer sending
+       to this system.
+ 
++JH/11 Harden plaintext authenticator against a badly misconfigured client-send
++      string.  Previously it was possible to cause undefined behaviour in a
++      library routine (usually a crash).  Found by "zerons".
++
++
+ 
+ Exim version 4.92
+ -----------------
+ 
+ JH/01 Remove code calling the customisable local_scan function, unless a new
+diff --git a/src/auths/plaintext.c b/src/auths/plaintext.c
+index 7a0f7885..fa05b0ad 100644
+--- a/src/auths/plaintext.c
++++ b/src/auths/plaintext.c
+@@ -221,15 +221,11 @@ while ((s = string_nextinlist(&text, &sep, big_buffer, big_buffer_size)))
+   for (i = 0; i < len; i++)
+     if (ss[i] == '^')
+       if (ss[i+1] != '^')
+ 	ss[i] = 0;
+       else
+-        {
+-        i++;
+-        len--;
+-        memmove(ss + i, ss + i + 1, len - i);
+-        }
++        if (--len > ++i) memmove(ss + i, ss + i + 1, len - i);
+ 
+   /* The first string is attached to the AUTH command; others are sent
+   unembellished. */
+ 
+   if (first)
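Review bot: The replacement line `if (--len > ++i) memmove(ss + i, ss + i + 1, len - i);` puts both side effects inside the condition, and it now hangs off an unbraced `else` that belongs to the inner `if (ss[i+1] != '^')`. For a hardening fix the bound should be readable at a glance: keep the braces, do `i++; len--;` as separate statements, and guard only the copy with `if (len > i)`. A short comment on how len - i could otherwise become negative would also help the next reader.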
+-- 
+2.20.1
+
diff -Nru exim4-4.92/debian/patches/90_localscan_dlopen.dpatch exim4-4.92/debian/patches/90_localscan_dlopen.dpatch
--- exim4-4.92/debian/patches/90_localscan_dlopen.dpatch	2018-12-31 12:56:11.000000000 +0100
+++ exim4-4.92/debian/patches/90_localscan_dlopen.dpatch	1970-01-01 01:00:00.000000000 +0100
@@ -1,281 +0,0 @@
-Description: Allow one to use and switch between different local_scan functions
- without recompiling exim.
- http://marc.merlins.org/linux/exim/files/sa-exim-current/ Original patch from
- David Woodhouse, modified first by Derrick 'dman' Hudson and then by Marc
- MERLIN for SA-Exim and minor/major API version tracking
-Author: David Woodhouse, Derrick 'dman' Hudson, Marc MERLIN
-Origin: other, http://marc.merlins.org/linux/exim/files/sa-exim-current/
-Forwarded: no
-Last-Update: 2018-12-12
-
---- a/src/EDITME
-+++ b/src/EDITME
-@@ -824,6 +824,21 @@ HEADERS_CHARSET="ISO-8859-1"
- 
- 
- #------------------------------------------------------------------------------
-+# On systems which support dynamic loading of shared libraries, Exim can
-+# load a local_scan function specified in its config file instead of having
-+# to be recompiled with the desired local_scan function. For a full
-+# description of the API to this function, see the Exim specification.
-+
-+DLOPEN_LOCAL_SCAN=yes
-+
-+# If you set DLOPEN_LOCAL_SCAN, then you need to include -rdynamic in the
-+# linker flags.  Without it, the loaded .so won't be able to access any
-+# functions from exim.
-+
-+LDFLAGS += -rdynamic
-+CFLAGS += -fvisibility=hidden
-+
-+#------------------------------------------------------------------------------
- # The default distribution of Exim contains only the plain text form of the
- # documentation. Other forms are available separately. If you want to install
- # the documentation in "info" format, first fetch the Texinfo documentation
---- a/src/config.h.defaults
-+++ b/src/config.h.defaults
-@@ -32,6 +32,8 @@ Do not put spaces between # and the 'def
- 
- #define AUTH_VARS                     3
- 
-+#define DLOPEN_LOCAL_SCAN
-+
- #define BIN_DIRECTORY
- 
- #define CONFIGURE_FILE
---- a/src/globals.c
-+++ b/src/globals.c
-@@ -141,6 +141,10 @@ int     dsn_ret                = 0;
- const pcre  *regex_DSN         = NULL;
- uschar *dsn_advertise_hosts    = NULL;
- 
-+#ifdef DLOPEN_LOCAL_SCAN
-+uschar *local_scan_path        = NULL;
-+#endif
-+
- #ifdef SUPPORT_TLS
- BOOL    gnutls_compat_mode     = FALSE;
- BOOL    gnutls_allow_auto_pkcs11 = FALSE;
---- a/src/globals.h
-+++ b/src/globals.h
-@@ -138,6 +138,9 @@ extern int      dsn_ret;               /
- extern const pcre  *regex_DSN;         /* For recognizing DSN settings */
- extern uschar  *dsn_advertise_hosts;   /* host for which TLS is advertised */
- 
-+#ifdef DLOPEN_LOCAL_SCAN
-+extern uschar *local_scan_path;        /* Path to local_scan() library */
-+#endif
- /* Input-reading functions for messages, so we can use special ones for
- incoming TCP/IP. */
- 
---- a/src/local_scan.c
-+++ b/src/local_scan.c
-@@ -5,61 +5,131 @@
- /* Copyright (c) University of Cambridge 1995 - 2009 */
- /* See the file NOTICE for conditions of use and distribution. */
- 
-+#include "exim.h"
- 
--/******************************************************************************
--This file contains a template local_scan() function that just returns ACCEPT.
--If you want to implement your own version, you should copy this file to, say
--Local/local_scan.c, and edit the copy. To use your version instead of the
--default, you must set
--
--HAVE_LOCAL_SCAN=yes
--LOCAL_SCAN_SOURCE=Local/local_scan.c
--
--in your Local/Makefile. This makes it easy to copy your version for use with
--subsequent Exim releases.
--
--For a full description of the API to this function, see the Exim specification.
--******************************************************************************/
--
--
--/* This is the only Exim header that you should include. The effect of
--including any other Exim header is not defined, and may change from release to
--release. Use only the documented interface! */
--
--#include "local_scan.h"
--
--
--/* This is a "do-nothing" version of a local_scan() function. The arguments
--are:
--
--  fd             The file descriptor of the open -D file, which contains the
--                   body of the message. The file is open for reading and
--                   writing, but modifying it is dangerous and not recommended.
--
--  return_text    A pointer to an unsigned char* variable which you can set in
--                   order to return a text string. It is initialized to NULL.
--
--The return values of this function are:
--
--  LOCAL_SCAN_ACCEPT
--                 The message is to be accepted. The return_text argument is
--                   saved in $local_scan_data.
--
--  LOCAL_SCAN_REJECT
--                 The message is to be rejected. The returned text is used
--                   in the rejection message.
--
--  LOCAL_SCAN_TEMPREJECT
--                 This specifies a temporary rejection. The returned text
--                   is used in the rejection message.
--*/
-+#ifdef DLOPEN_LOCAL_SCAN
-+#include <dlfcn.h>
-+static int (*local_scan_fn)(int fd, uschar **return_text) = NULL;
-+static int load_local_scan_library(void);
-+#endif
- 
- int
- local_scan(int fd, uschar **return_text)
- {
- fd = fd;                      /* Keep picky compilers happy */
- return_text = return_text;
--return LOCAL_SCAN_ACCEPT;
-+#ifdef DLOPEN_LOCAL_SCAN
-+/* local_scan_path is defined AND not the empty string */
-+if (local_scan_path && *local_scan_path)
-+  {
-+  if (!local_scan_fn)
-+    {
-+    if (!load_local_scan_library())
-+      {
-+        char *base_msg , *error_msg , *final_msg ;
-+        int final_length = -1 ;
-+
-+        base_msg=US"Local configuration error - local_scan() library failure\n";
-+        error_msg = dlerror() ;
-+
-+        final_length = strlen(base_msg) + strlen(error_msg) + 1 ;
-+        final_msg = (char*)malloc( final_length*sizeof(char) ) ;
-+        *final_msg = '\0' ;
-+
-+        strcat( final_msg , base_msg ) ;
-+        strcat( final_msg , error_msg ) ;
-+
-+        *return_text = final_msg ;
-+      return LOCAL_SCAN_TEMPREJECT;
-+      }
-+    }
-+    return local_scan_fn(fd, return_text);
-+  }
-+else
-+#endif
-+  return LOCAL_SCAN_ACCEPT;
-+}
-+
-+#ifdef DLOPEN_LOCAL_SCAN
-+
-+static int load_local_scan_library(void)
-+{
-+/* No point in keeping local_scan_lib since we'll never dlclose() anyway */
-+void *local_scan_lib = NULL;
-+int (*local_scan_version_fn)(void);
-+int vers_maj;
-+int vers_min;
-+
-+local_scan_lib = dlopen(local_scan_path, RTLD_NOW);
-+if (!local_scan_lib)
-+  {
-+  log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library open failed - "
-+    "message temporarily rejected");
-+  return FALSE;
-+  }
-+
-+local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_major");
-+if (!local_scan_version_fn)
-+  {
-+  dlclose(local_scan_lib);
-+  log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain "
-+    "local_scan_version_major() function - message temporarily rejected");
-+  return FALSE;
-+  }
-+
-+/* The major number is increased when the ABI is changed in a non
-+   backward compatible way. */
-+vers_maj = local_scan_version_fn();
-+
-+local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_minor");
-+if (!local_scan_version_fn)
-+  {
-+  dlclose(local_scan_lib);
-+  log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain "
-+    "local_scan_version_minor() function - message temporarily rejected");
-+  return FALSE;
-+  }
-+
-+/* The minor number is increased each time a new feature is added (in a
-+   way that doesn't break backward compatibility) -- Marc */
-+vers_min = local_scan_version_fn();
-+
-+
-+if (vers_maj != LOCAL_SCAN_ABI_VERSION_MAJOR)
-+  {
-+  dlclose(local_scan_lib);
-+  local_scan_lib = NULL;
-+  log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible major"
-+    "version number, you need to recompile your module for this version"
-+    "of exim (The module was compiled for version %d.%d and this exim provides"
-+    "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR,
-+    LOCAL_SCAN_ABI_VERSION_MINOR);
-+  return FALSE;
-+  }
-+else if (vers_min > LOCAL_SCAN_ABI_VERSION_MINOR)
-+  {
-+  dlclose(local_scan_lib);
-+  local_scan_lib = NULL;
-+  log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible minor"
-+    "version number, you need to recompile your module for this version"
-+    "of exim (The module was compiled for version %d.%d and this exim provides"
-+    "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR,
-+    LOCAL_SCAN_ABI_VERSION_MINOR);
-+  return FALSE;
-+  }
-+
-+local_scan_fn = dlsym(local_scan_lib, "local_scan");
-+if (!local_scan_fn)
-+  {
-+  dlclose(local_scan_lib);
-+  log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain "
-+    "local_scan() function - message temporarily rejected");
-+  return FALSE;
-+  }
-+
-+return TRUE;
- }
- 
-+#endif /* DLOPEN_LOCAL_SCAN */
-+
- /* End of local_scan.c */
---- a/src/local_scan.h
-+++ b/src/local_scan.h
-@@ -17,6 +17,7 @@ settings, and the store functions. */
- 
- #include <stdarg.h>
- #include <sys/types.h>
-+#pragma GCC visibility push(default)
- #include "config.h"
- #include "mytypes.h"
- #include "store.h"
-@@ -192,4 +193,6 @@ extern uschar *string_copy(const uschar
- extern uschar *string_copyn(const uschar *, int);
- extern uschar *string_sprintf(const char *, ...) ALMOST_PRINTF(1,2);
- 
-+#pragma GCC visibility pop
-+
- /* End of local_scan.h */
---- a/src/readconf.c
-+++ b/src/readconf.c
-@@ -199,6 +199,9 @@ static optionlist optionlist_config[] =
-   { "local_from_prefix",        opt_stringptr,   &local_from_prefix },
-   { "local_from_suffix",        opt_stringptr,   &local_from_suffix },
-   { "local_interfaces",         opt_stringptr,   &local_interfaces },
-+#ifdef DLOPEN_LOCAL_SCAN
-+  { "local_scan_path",          opt_stringptr,   &local_scan_path },
-+#endif
- #ifdef HAVE_LOCAL_SCAN
-   { "local_scan_timeout",       opt_time,        &local_scan_timeout },
- #endif
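Review bot: Dropping this patch removes the `local_scan_path` entry from optionlist_config in readconf.c, so a configuration that still sets that option will no longer be accepted after the upgrade. Make sure the upgrade documentation (NEWS.Debian or the changelog) names the option explicitly, so admins who used the dlopen module know which line to delete.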
diff -Nru exim4-4.92/debian/patches/series exim4-4.92/debian/patches/series
--- exim4-4.92/debian/patches/series	2019-02-17 13:13:18.000000000 +0100
+++ exim4-4.92/debian/patches/series	2019-04-07 13:39:31.000000000 +0200
@@ -10,4 +10,9 @@
 75_02-Fix-transport-buffer-size-handling.patch
 75_03-Fix-info-on-using-local_scan-in-the-default-Makefile.patch
 75_04-GnuTLS-Fix-client-detection-of-server-reject-of-clie.patch
-90_localscan_dlopen.dpatch
+75_05-Fix-expansions-for-RFC-822-addresses-having-comments.patch
+75_06-Docs-Add-note-on-lsearch-for-IPv4-mapped-IPv6-addres.patch
+75_07-Fix-crash-from-SRV-lookup-hitting-a-CNAME.patch
+75_08-Logging-fix-initial-listening-on-log-line.patch
+75_09-OpenSSL-Fix-aggregation-of-messages.patch
+75_10-Harden-plaintext-authenticator.patch
diff -Nru exim4-4.92/debian/README.Debian.xml exim4-4.92/debian/README.Debian.xml
--- exim4-4.92/debian/README.Debian.xml	2019-02-17 13:13:18.000000000 +0100
+++ exim4-4.92/debian/README.Debian.xml	2019-04-07 13:39:31.000000000 +0200
@@ -635,7 +635,7 @@
 		    </listitem>
 		    <listitem>
 		        <simpara>
-			  It allows other packages (e.g. sa-exim) to
+			  It allows other packages to
 			  modify Exim's configuration by dropping
 			  files into
 			  <filename>/etc/exim4/conf.d</filename>.
@@ -1716,6 +1716,46 @@
 	</section>
       </section>
     </section>
+    <section> <title>Notes on running SpamAssassin at SMTP time</title>
+       <para>
+         Exim can run
+         <ulink url="https://spamassassin.apache.org/";>
+         SpamAssassin</ulink> while receiving a message by SMTP which
+         allows one to avoid acceptance of spam messages. The Debian
+         configuration contains some example code for running SpamAssassin,
+         but like all filtering this needs to be handled carefully.
+       </para>
+       <para>
+         SpamAssassin's default report should not be used in a add_header
+         statement since it contains empty lines. (This triggers e.g.
+         Amavis' warning "BAD HEADER SECTION, Improper folded header field
+         made up entirely of whitespace".) This is a safe, terse alternative:
+         <programlisting>
+            clear_report_template
+            report (_SCORE_ / _REQD_ requ) _TESTSSCORES(,)_ autolearn=_AUTOLEARN_
+         </programlisting>
+       </para>
+       <para>
+         Rejecting spam messages: Do not reject spam-messages received on
+         (non-spam) mailing lists, this can/will cause auto-unsubscription.
+         This also applies to messages received via forwarding services
+         (e.g. @debian.org addresses). If theses messages are rejected the
+         forwarding services will need to send a bounce address to the
+         spammer and will probably disable the forwarding if it happens all
+         the time. You will need to have some kind of whitelist to exclude
+         these hosts.
+       </para>
+       <para>
+         Security considerations: By default <command>spamd</command>
+         runs as root and changes uid/gid to the requested user to run
+         SpamAssassin. The example uses SpamAssassin default non-privileged
+         user (nobody) which prevents use of Bayesian filtering since this
+         requires persistent storage. You might want to setup a dedicated
+         user for exim spam scanning and use that one, either for a separate
+         SpamAssassin user profile or to run SpamAssassin as non-privileged
+         user.
+       </para>
+    </section>
   </section>
 
   <section> <title>Updating from Exim 3</title>
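Review bot: The added SpamAssassin section has a few wording slips to fix before it ships: "a add_header" should be "an add_header", "theses messages" should be "these messages", and "send a bounce address to the spammer" presumably means a bounce message. In the security paragraph, say which example "The example uses" refers to, since this section does not itself show the spamd call.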
@@ -1910,17 +1950,6 @@
 	  </listitem>
 	</itemizedlist>
       </listitem>
-      <listitem>
-        <simpara>
-          <ulink
-           url="http://marc.merlins.org/linux/exim/files/sa-exim-current/";>localscan_dlopen.patch</ulink>:
-		This patch makes it possible to use and switch between
-		different local_scan
-		functions without recompiling Exim. Use
-		local_scan_path = /path/to/sharedobject to utilize
-		local_scan() in <filename>/path/to/sharedobject</filename>.
-        </simpara>
-      </listitem>
     </itemizedlist>
   </section>
 
diff -Nru exim4-4.92/debian/rules exim4-4.92/debian/rules
--- exim4-4.92/debian/rules	2018-12-15 16:02:45.000000000 +0100
+++ exim4-4.92/debian/rules	2019-04-07 13:39:31.000000000 +0200
@@ -280,13 +280,6 @@
 override_dh_installinit:
 	dh_installinit --noscripts --name=exim4
 
-override_dh_install:
-	# install config.h from daemon package, but not from exim4-daemon-light
-	dh_install -p exim4-dev \
-		$(shell ls -1 b-exim4-daemon-*/build-$(buildname)/config.h | grep -v ^b-exim4-daemon-light/) \
-		usr/include/exim4
-	dh_install
-
 override_dh_link:
 	rm -rf debian/exim4/usr/share/doc/exim4
 	dh_link

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Hi Andreas,

On Thu, 11 Apr 2019 19:51:16 +0200 Andreas Metzler <ametzler@bebt.de> wrote:
> Please unblock package exim4:
> 
> In the first place it pulls multiple upgrades from upstream's
> exim-4.92+fixes branch where important post-release fixes are published.

unblocked, thanks.

And thanks for the way you handled the sa-exim situation in the end.

Paul

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
