lp:ubuntu/karmic-security/exim4

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

33. By Marc Deslauriers on 2011-02-08

* SECURITY UPDATE: local privilege escalation via alternate config file
  (LP: #697934)
  - debian/patches/80_CVE-2010-4345.dpatch: backport massive behaviour-
    altering changes from upstream git to fix issue.
  - debian/patches/81_CVE-2010-4345-docs.dpatch: backport documentation
    changes.
  - debian/patches/67_unnecessaryCopt.dpatch: Do not use exim's -C option
    in utility scripts. This would not work with ALT_CONFIG_PREFIX.
    Patch obtained from Debian's 4.69-9+lenny2.
  - Build with WHITELIST_D_MACROS=OUTGOING. After this security update,
    exim will not regain root privileges (usually necessary for local
    delivery) if the -D option was used. Macro identifiers listed in
    WHITELIST_D_MACROS are exempted from this restriction. mailscanner
    (4.79.11-2.2) uses -DOUTGOING.
  - Build with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. After this
    security update, exim will not re-gain root privileges (usually
    necessary for local delivery) if the -C option was used. This makes
    it impossible to start a fully functional damon with an alternate
    configuration file. /etc/exim4/trusted_configs (can) contain a list
    of filenames (one per line, full path given) to which this
    restriction does not apply.
  - debian/exim4-daemon-*.NEWS: Add description of changes. Thanks to
    Debian and Andreas Metzler for the text.
  - CVE-2010-4345
* SECURITY UPDATE: arbitrary file append via symlink attack (LP: #708023)
  - debian/patches/82_CVE-2011-0017.dpatch: check setuid and setgid return
    codes in src/exim.c, src/log.c.
  - CVE-2011-0017
* SECURITY UPDATE: denial of service and possible arbitrary code
  execution via hard link to another user's file (LP: #609620)
  - debian/patches/CVE-2010-2023.dpatch: check for links in
    src/transports/appendfile.c.
  - CVE-2010-2023
* SECURITY UPDATE: denial of service and possible arbitrary code
  execution via symlink on a lock file (LP: #609620)
  - debian/patches/CVE-2010-2024.dpatch: improve lock file handling in
    src/exim_lock.c, src/transports/appendfile.c.
  - CVE-2010-2024
* debian/rules: disable debconf-updatepo so the security update doesn't
  alter translations.

32. By Marc Deslauriers on 2010-12-10

* SECURITY UPDATE: remote code execution via buffer overflow
  - debian/patches/72_CVE-2010-4344.dpatch: validate lengths in
    src/string.c.
  - CVE-2010-4344

31. By Kees Cook on 2009-08-20

debian/{control,rules}: add and enable hardened build for PIE
(Debian bug 542726).

30. By Mathias Gug on 2009-08-17

debian/control: Change build dependencies to MySQL 5.1.

29. By Steve Langasek on 2009-06-03

Don't declare a Provides: default-mta; in Ubuntu, we want postfix to be
the default.

28. By Thierry Carrez on 2009-05-13

* Merge from debian unstable (LP: #375923), remaining changes:
  - debian/patches/71_exiq_grep_error_on_messages_without_size.dpatch:
    Improve handling of broken messages when "exim4 -bp" (mailq) reports
    lines without size info

27. By Dustin Kirkland  on 2009-02-11

[ Daniel van Eeden <email address hidden> ]
debian/patches/71_exiq_grep_error_on_messages_without_size.dpatch:
Improve handling of broken messages when "exim4 -bp" (mailq) reports lines
w/o size info, LP: #18194

26. By Andreas Metzler <email address hidden> on 2008-09-30

[update-exim4.conf]: Use POSIX character classes [:alnum:] or explicit
listing ("ABCDEF..") instead of a-z, since the latter does not work as
expected in some locales. Closes: #500691

25. By Steve Kowalik on 2008-10-11

No-change rebuild for libgnutls13 -> libgnutls26 transistion.

24. By Ian Stride on 2008-05-27

* Fixed typos in README.Debian.xml. Closes LP: #65036.
* Updated Maintainer field as per Debian maintainer field spec.