Change logs for exim4 source package in Lucid

  • exim4 (4.71-3ubuntu1.4) lucid-security; urgency=low
    
      * SECURITY UPDATE: arbitrary code execution via dns decode logic
        - debian/patches/CVE-2012-5671.patch: adjust max length and validate
          against it in src/pdkim/pdkim.h, src/dkim.c.
        - CVE-2012-5671
     -- Marc Deslauriers <email address hidden>   Thu, 25 Oct 2012 08:48:31 -0400
  • exim4 (4.71-3ubuntu1.3) lucid-security; urgency=low
    
      * SECURITY UPDATE: arbitrary code execution via DKIM identities
        - debian/patches/86_CVE-2011-1407.patch: don't use match_isinlist() for
          simple string list matching in src/receive.c.
        - CVE-2011-1407
     -- Marc Deslauriers <email address hidden>   Tue, 24 May 2011 15:49:34 -0400
  • exim4 (4.71-3ubuntu1.2) lucid-security; urgency=low
    
      * SECURITY UPDATE: format string vulnerability (LP: #779391)
        - debian/patches/85_CVE-2011-1764.patch: patch from upstream
        - CVE-2011-1764
     -- Felix Geyer <email address hidden>   Sun, 08 May 2011 15:31:05 +0200
  • exim4 (4.71-3ubuntu1.1) lucid-security; urgency=low
    
      * SECURITY UPDATE: local privilege escalation via alternate config file
        (LP: #697934)
        - debian/patches/80_CVE-2010-4345.patch: backport massive behaviour-
          altering changes from upstream git to fix issue.
        - debian/patches/81_CVE-2010-4345-docs.patch: backport documentation
          changes.
        - debian/patches/67_unnecessaryCopt.dpatch: Do not use exim's -C option
          in utility scripts. This would not work with ALT_CONFIG_PREFIX.
          Patch obtained from Debian's 4.69-9+lenny2.
        - Build with WHITELIST_D_MACROS=OUTGOING. After this security update,
          exim will not regain root privileges (usually necessary for local
          delivery) if the -D option was used. Macro identifiers listed in
          WHITELIST_D_MACROS are exempted from this restriction. mailscanner
          (4.79.11-2.2) uses -DOUTGOING.
        - Build with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. After this
          security update, exim will not re-gain root privileges (usually
          necessary for local delivery) if the -C option was used. This makes
          it impossible to start a fully functional daemon with an alternate
          configuration file. /etc/exim4/trusted_configs (can) contain a list
          of filenames (one per line, full path given) to which this
          restriction does not apply.
        - debian/exim4-daemon-*.NEWS: Add description of changes. Thanks to
          Debian and Andreas Metzler for the text.
        - CVE-2010-4345
      * SECURITY UPDATE: arbitrary file append via symlink attack (LP: #708023)
        - debian/patches/82_CVE-2011-0017.patch: check setuid and setgid return
          codes in src/exim.c, src/log.c.
        - CVE-2011-0017
      * SECURITY UPDATE: denial of service and possible arbitrary code
        execution via hard link to another user's file (LP: #609620)
        - debian/patches/CVE-2010-2023.patch: check for links in
          src/transports/appendfile.c.
        - CVE-2010-2023
      * SECURITY UPDATE: denial of service and possible arbitrary code
        execution via symlink on a lock file (LP: #609620)
        - debian/patches/CVE-2010-2024.patch: improve lock file handling in
          src/exim_lock.c, src/transports/appendfile.c.
        - CVE-2010-2024
      * debian/rules: disable debconf-updatepo so the security update doesn't
        alter translations.
     -- Marc Deslauriers <email address hidden>   Tue, 08 Feb 2011 11:31:29 -0500
  • exim4 (4.71-3ubuntu1) lucid; urgency=low
    
      * Merge with Debian unstable (lp: #501657). Remaining changes:
        + debian/patches/71_exiq_grep_error_on_messages_without_size.dpatch:
          Improve handling of broken messages when "exim4 -bp" (mailq) reports
          lines without size info.
        + Don't declare a Provides: default-mta; in Ubuntu, we want postfix to be
          the default.
        + debian/control: Change build dependencies to MySQL 5.1.
        + debian/{control,rules}: add and enable hardened build for PIE
          (Debian bug 542726).
    
    exim4 (4.71-3) unstable; urgency=low
    
      * exim4-base.cron.daily: Do not run exim_tidydb on Berkeley DB logfiles.
        Closes: #501892
      * exim4-base.postinst: If exim_dumpdb fails to read a hints-db also remove
        Berkeley DB logfiles.
      * Switch to Berkeley DB 4.8 (from 4.6). Zap hints db on upgrade. Temporarily
        make -daemon packages depend on exim4-base >> 4.71-2. (This can be removed
        after the next upstream release.)
        Closes: #548479
      * control: Drop bzip2 from Build-Depends. Use line-wrapping for
        Build-Depends.
      * 36_typoinexipick.diff: Fix a typo in exipick manpage. (Lintian).
      * exim4-base.postinst: Redirect status message to stderr.
    
    exim4 (4.71-2) unstable; urgency=low
    
      * Pulled from upstream: 20_PDKIM-Upgrade-PolarSSL.diff. Update files copied
        from PolarSSL to 0.12.1.
      * Add example file to set smarthost from /etc/network/interfaces (mh)
      * Add DKIM_* macros on remote smtp transports for setting the corresponding
        dkim_* options.
      * Upload to unstable.
    
    exim4 (4.71-1) experimental; urgency=low
    
      * New upstream version.
        + Drop patches included upstream. 51_dkimrelatedcrash.diff
          51_noreject_unsigned.diff.
    
    exim4 (4.70-2) experimental; urgency=low
    
      * 51_noreject_unsigned.diff Fix a dkim related expansion error that appears
        when the expanded value of dkim_verify_signers winds up empty and
        acl_smtp_dkim is defined. (This has the effect of rejecting any mail
        without DKIM signature.)
      * Work around 490937 by removing CHANGES.
    
    exim4 (4.70-1) experimental; urgency=low
    
      * Point watchfile to ftp.exim.org.
      * Use dpkg-source v3 instead of dpatch, simplifying debian/rules a little
        bit.
      * New upstream version.
        + Pull 51_dkimrelatedcrash.diff fixing a segfault only applying to the
          4.7x series. http://bugs.exim.org/show_bug.cgi?id=912
      * debhelper v7 mode.
        + Use -XCHANGES to keep dh_installchangelogs v7 from insisting to install
          ./CHANGES as upstream changelog.
        + Bump build-dependency.
        + Use dh_prep instead of dh_clean -k.
    
    exim4 (4.70~rc4-1) experimental; urgency=low
    
      * New upstream version.
    
    exim4 (4.70~cvs+20091030-1) experimental; urgency=low
    
      * New upstream snapshot.
    
    exim4 (4.70~cvs+20091026-1) experimental; urgency=low
    
      * New snapshot.
        + Fixes segfault in dovecot authenticator. Closes: #551106
        + Improved documentation regarding certificate verification on outgoing
          SMTP connections. Closes: #544472
      * Drop 40_boolean_redefine_protect.dpatch - included upstream.
      * Drop unapplied superfluous patches from diff: 36_pcre 37_exiwhatpsmisc.
    
    exim4 (4.70~cvs+20091017-1) experimental; urgency=low
    
      * Fix syntax errors in README.Debian.xml. (Thanks, Daniel Leidert)
      * New upstream cvs snapshot.
        + Drop unnecessary patches: 36_pcre 37_exiwhatpsmisc.
        + Close dovecot socket after wrong password was given. Closes: #515503
        + Standalone DKIM support. Obsoletes and therefore
          Closes: #486437,#459883
      * Drop upstream URL from package descriptions. Closes: #471425
      * [patches/00_unpack.dpatch] Drop workaround for tar 1.14, even oldstable
        has 1.16. Closes: #486436.
      * Do not set 'tls_try_verify_hosts = *' by default anymore. Some clients
        (e.g. Outlook) will terminate the SSL connection when the server presents
        the long list of accepted TLS certificates after STARTTLS. If TLS
        certificate validation of clients is needed you'll need to set
        MAIN_TLS_TRY_VERIFY_HOSTS again and point MAIN_TLS_VERIFY_CERTIFICATES to
        a file containing only the accepted certificates.
        Closes: #515999, #316522, #482012
      * Add debian/README.source. (Policy 3.8.3)
      * Fix typo in update-exim4.conf.8.
        Thanks to Calum Mackay. Closes: #543354
      * Listen on IPv6 loopback interface by default. (Only applies to fresh
        installations.) Closes: #544292
      * upstream default configure file explicitly disables dkim in some
        instances. Merge into Debian config and update debian/example.conf.md5.
        Bump Conflicts of exim4-config package.
     -- Michael Bienia <email address hidden>   Fri, 01 Jan 2010 16:28:19 +0100
  • exim4 (4.69-11ubuntu4) karmic; urgency=low
    
      * debian/{control,rules}: add and enable hardened build for PIE
        (Debian bug 542726).
    
     -- Kees Cook <email address hidden>   Thu, 20 Aug 2009 17:33:26 -0700