Merge exim4 4.73~rc1-1 (main) from Debian experimental (main)

Bug #697934 reported by Artur Rona
Affects         Status        Importance  Assigned to  Milestone
exim4 (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: exim4

exim4 (4.73~rc1-1) experimental; urgency=low

  * New upstream release candidate.
  * Drop included patches. 80_4.73rc1_*, 40_dkimnotinpaniclog.diff.
  * Update 31_eximmanpage.dpatch.
  * exim4 now uses INSTREAM (added in clamav 0.95) instead of STREAM when
    talking to clamav. exim4-daemon-heavy therefore Breaks: clamav-daemon
    (<< 0.95).
  * Unfuzz EDITME*diff.
  * Dependency changes:
    + Drop exim4-config's conflicts with bash (<< 2.05). This was relevant
      pre-sarge.
    + Drop exim4-daemon-* dependency on exim4-base (>> 4.71-2). This one is
      superfluous because of the dependency on
      exim4-base (>= ${Upstream-Version}).
    + exim4-config breaks instead of conflicts with pre-DKIM (i.e. << 4.69.1)
      exim4-daemon.
    + exim4-base breaks instead of conflicts with <<${Upstream-Version} daemon
      packages.
  * Add Vcs-Svn and Vcs-Browser fields to debian/control.
  * Build depend on libmysqlclient-dev | libmysqlclient15-dev instead of
    libmysqlclient15-dev. libmysqlclient-dev is not a virtual package
    anymore. Closes: #590218
  * Use db_settitle unconditionally, even etch supports this. Drop unneeded
    lintian override exim4-config: settitle-requires-versioned-depends.

 -- Andreas Metzler <email address hidden> Mon, 27 Dec 2010 19:48:19 +0100

exim4 (4.72-3) unstable; urgency=low

  * [README.Debian*] Correct command for manual paniclog rotation. (Thanks,
    Jörg Sommer) Closes: #602188
  * 67_unnecessaryCopt.diff: Do not use exim's -C option in utility scripts.
    This would not work with ALT_CONFIG_PREFIX.
  * Pull changes related to fixing CVE-2010-4345 from exim 4.73 rc1.
    Closes: #606527
    + 1_cfile_norw_eximuid: Don't allow a configure file which is writeable by
      the Exim user or group.
    + 2_permcheck_configurefile: Check configure file permissions even for
      non-default files if still privileged.
    + 3_remove_ALT_CONFIG_ROOT_ONLY: Remove ALT_CONFIG_ROOT_ONLY build option,
      effectively making it always true.
    + 4_FD_CLOEXEC: Set FD_CLOEXEC on SMTP sockets after forking in the
      daemon, to ensure that rogue child processes cannot use them.
    + 5_TRUSTED_CONFIG_LIST: Add TRUSTED_CONFIG_LIST compile option.
    + 6_nonroot_system_filter_user: If the system filter needs to be run as
      root, let that be explicitly configured. The default is now the Exim
      run-time user.
    + 7_filter_D_option: Add a (compiletime) whitelist of acceptable values
      for the -D option.
    + 8_updatedocumentation: Update documentation to reflect the changes.
  * Build with WHITELIST_D_MACROS=OUTGOING. Post patch 7_filter_D_option exim
    will not regain root privileges (usually necessary for local delivery) if
    the -D option was used. Macro identifiers listed in WHITELIST_D_MACROS are
    exempted from this restriction. mailscanner (4.79.11-2.2) uses -DOUTGOING.
  * Build with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. Post patch
    3_remove_ALT_CONFIG_ROOT_ONLY exim will not re-gain root privileges
    (usually necessary for local delivery) if the -C option was used. This
    makes it impossible to start a fully functional daemon with an alternate
    configuration file. /etc/exim4/trusted_configs (can) contain a list of
    filenames (one per line, full path given) to which this restriction does
    not apply.

 -- Andreas Metzler <email address hidden> Sun, 26 Dec 2010 15:13:08 +0100

Tags: patch
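
Added example (not part of the bug report and not Exim's code): a simplified Python model of the two rules the 4.72-3 changelog entry above describes, where -C keeps root only for files listed in /etc/exim4/trusted_configs and -D only for macros in WHITELIST_D_MACROS. The function names, the sample list and paths, and the parsing details are assumptions; Exim's real checks have further conditions.

```python
# Added example: simplified model of the -C / -D rules in the changelog above.
# Not Exim's code; names, sample paths and parsing details are assumptions.
from pathlib import PurePosixPath

# Compile-time value the changelog says Debian builds with.
WHITELIST_D_MACROS = {"OUTGOING"}

def parse_trusted_configs(text):
    """Parse trusted_configs content: one full path per line.

    Returns (trusted, rejected); entries that are not absolute paths are
    reported instead of being trusted (assumption of this model).
    """
    trusted, rejected = set(), []
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        if PurePosixPath(entry).is_absolute():
            trusted.add(entry)
        else:
            rejected.append(entry)
    return trusted, rejected

def keeps_root(argv, trusted, whitelist=WHITELIST_D_MACROS):
    """Return (ok, reasons): ok is False if an option blocks regaining root."""
    reasons = []
    args = iter(argv[1:])
    for arg in args:
        if arg.startswith("-C"):
            # Accept "-C path" and "-Cpath"; the value is treated as one path.
            path = arg[2:] or next(args, "")
            if path not in trusted:
                reasons.append(f"-C {path}: not in trusted_configs")
        elif arg.startswith("-D"):
            # "-DMACRO" or "-DMACRO=value"; only the macro name is compared.
            macro = arg[2:].split("=", 1)[0]
            if macro not in whitelist:
                reasons.append(f"-D{macro}: not in WHITELIST_D_MACROS")
    return (not reasons, reasons)

# Constructed sample input (not taken from a real system).
SAMPLE_LIST = "/etc/exim4/exim4.conf.outgoing\n\nrelative/exim.conf\n"

if __name__ == "__main__":
    trusted, rejected = parse_trusted_configs(SAMPLE_LIST)
    print("rejected entries:", rejected)
    for cmd in (["exim4", "-bd", "-DOUTGOING"], ["exim4", "-bd", "-DINCOMING"],
                ["exim4", "-C", "/tmp/alt.conf", "-q30m"]):
        print(" ".join(cmd), "->", keeps_root(cmd, trusted))
```

Run against an init script's daemon command line, the model flags any -C or -D argument that would leave the daemon unable to regain root for local delivery under the Debian build settings quoted above.
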
Artur Rona (ari-tczew) wrote :

Want to be sponsored by Jonathan Thomas!

Changed in exim4 (Ubuntu):
status: New → Confirmed
Jonathan Thomas (echidnaman) wrote :

The build fails in pbuilder for me:

make[1]: Leaving directory `/tmp/buildd/exim4-4.73~rc1/build-tree/build-Linux-i386'
cd /tmp/buildd/exim4-4.73~rc1/build-tree && mv build-${build:-`/bin/sh scripts/os-type`-`/bin/sh scripts/arch-type`} build-exim4-daemon-heavy
mv: cannot move `build-Linux-i386' to `build-exim4-daemon-heavy/build-Linux-i386': Directory not empty
make: *** [build-exim4-daemon-heavy/exim] Error 1
dpkg-buildpackage: error: debian/rules binary gave error exit status 2
root@jonathan-laptop:~/exim4-4.73~rc1#

Artur Rona (ari-tczew) wrote :

So this is your problem locally. My pbuilder natty is fine. Have you got an updated pbuilder? If you don't trust me, I can send the package to a PPA.

Andreas Metzler (k-launchpad-downhill-at-eu-org) wrote :

FWIW the final 4.73 release is probably going to appear soon.

tags: added: patch
Artur Rona (ari-tczew) wrote :

@Andreas, if Debian will pack stable 4.73, then we can grab it.

@Jonathan: the package built fine also on my PPA. I suggest you recreate a pbuilder for natty. Toolchain issue.
i386: https://launchpad.net/~ari-tczew/+archive/testing/+build/2127415
amd64: https://launchpad.net/~ari-tczew/+archive/testing/+build/2127414

Andreas Metzler (k-launchpad-downhill-at-eu-org) wrote :

I will definitely try to upload the final 4.73 release to Debian/experimental soon after its release.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package exim4 - 4.73~rc1-1ubuntu1

---------------
exim4 (4.73~rc1-1ubuntu1) natty; urgency=low

  * Merge from debian unstable. Remaining changes: (LP: #697934)
    - debian/patches/71_exiq_grep_error_on_messages_without_size.patch:
      + Improve handling of broken messages when "exim4 -bp" (mailq)
        reports lines without size info.
    - debian/control: Don't declare a Provides: default-mta; in Ubuntu,
      we want postfix to be the default.
    - debian/{control,rules}: Add and enable hardened build for PIE.
      (Closes: #542726)
  * Drop B-D on libmysqlclient15-dev, resolved in Debian.
 -- Artur Rona <email address hidden> Tue, 28 Dec 2010 22:20:17 +0100

Changed in exim4 (Ubuntu):
status: Confirmed → Fix Released
Andreas Metzler (k-launchpad-downhill-at-eu-org) wrote :

I have just uploaded 4.74rc2 to experimental. Worthwhile upstream fixes relative to 4.73rc1:

If a non-debug daemon was invoked with a non-whitelisted macro, then
   logs from after attempting delivery would be silently lost, including
   for successful delivery. This log-loss bug was introduced in 4.73 as
   part of the security lockdown.

-C /dev/null works again.

CVE-2011-0017

Andreas Metzler (k-launchpad-downhill-at-eu-org) wrote :

4.74 in experimental. Compared to 4.74rc2 there are just some build fixes.

Oliver Siegmar (osiegmar) wrote :

exim4 4.71-3ubuntu1.1 completely stopped our mail server working, because we have three queues -DINCOMING, -DOUTGOING and the default one (no -D). Is there any way to configure a whitelist for -D switches (not the WHITELIST_D_MACROS compile time option)?

Artur Rona (ari-tczew) wrote :

Oliver, please file a new bug against exim4 and write about regression after update to 4.71-3ubuntu1.1 in lucid (this bug is related to natty and different version).

Thanks!
