New version

Resolves: rhbz#1527710
Fixed buffer overflow in utility function
  Resolves: CVE-2018-6789
Updated and defuzzified patches
Dropped mariadb-macro-fix patch (not needed)
Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943,
  CVE-2017-16944 patches (all upstreamed)
Jaroslav Škarvada 2018-02-14 16:43:42 +01:00
parent 62c96cdc52
commit 53057966f8
19 changed files with 108 additions and 726 deletions

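--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,2 @@
-exim-*.tar.bz2
-/sa-exim-4.2.tar.gz
-/exim-4.89.tar.xz
+exim-*.tar.xz
+sa-exim-*.tar.gz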


@ -1,37 +0,0 @@
diff --git a/src/exim.c b/src/exim.c
index a6a1ea8..394bf84 100644
--- a/src/exim.c
+++ b/src/exim.c
@@ -3092,7 +3092,14 @@ for (i = 1; i < argc; i++)
/* -oMr: Received protocol */
- else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
+ else if (Ustrcmp(argrest, "Mr") == 0)
+
+ if (received_protocol)
+ {
+ fprintf(stderr, "received_protocol is set already\n");
+ exit(EXIT_FAILURE);
+ }
+ else received_protocol = argv[++i];
/* -oMs: Set sender host name */
@@ -3188,7 +3195,15 @@ for (i = 1; i < argc; i++)
if (*argrest != 0)
{
- uschar *hn = Ustrchr(argrest, ':');
+ uschar *hn;
+
+ if (received_protocol)
+ {
+ fprintf(stderr, "received_protocol is set already\n");
+ exit(EXIT_FAILURE);
+ }
+
+ hn = Ustrchr(argrest, ':');
if (hn == NULL)
{
received_protocol = argrest;


@ -1,41 +0,0 @@
diff --git a/src/receive.c b/src/receive.c
index 3246621..f19c8b9 100644
--- a/src/receive.c
+++ b/src/receive.c
@@ -1827,7 +1827,7 @@ for (;;)
prevent further reading), and break out of the loop, having freed the
empty header, and set next = NULL to indicate no data line. */
- if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
+ if (ptr == 0 && ch == '.' && dot_ends)
{
ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
if (ch == '\r')
diff --git a/src/smtp_in.c b/src/smtp_in.c
index 1b45f84..0207540 100644
--- a/src/smtp_in.c
+++ b/src/smtp_in.c
@@ -4955,16 +4955,23 @@ while (done <= 0)
DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
(int)chunking_state, chunking_data_left);
+ /* push the current receive_* function on the "stack", and
+ replace them by bdat_getc(), which in turn will use the lwr_receive_*
+ functions to do the dirty work. */
lwr_receive_getc = receive_getc;
lwr_receive_ungetc = receive_ungetc;
+
receive_getc = bdat_getc;
receive_ungetc = bdat_ungetc;
+ dot_ends = FALSE;
+
goto DATA_BDAT;
}
case DATA_CMD:
HAD(SCH_DATA);
+ dot_ends = TRUE;
DATA_BDAT: /* Common code for DATA and BDAT */
if (!discarded && recipients_count <= 0)


@ -1,524 +0,0 @@
--- exim-4.89/src/exim.c.calloutsize 2017-03-04 16:21:35.000000000 -0500
+++ exim-4.89/src/exim.c 2017-08-16 15:52:41.424866990 -0400
@@ -2738,7 +2738,7 @@
/* -MCD: set the smtp_use_dsn flag; this indicates that the host
that exim is connected to supports the esmtp extension DSN */
- case 'D': smtp_peer_options |= PEER_OFFERED_DSN; break;
+ case 'D': smtp_peer_options |= OPTION_DSN; break;
/* -MCG: set the queue name, to a non-default value */
@@ -2748,12 +2748,12 @@
/* -MCK: the peer offered CHUNKING. Must precede -MC */
- case 'K': smtp_peer_options |= PEER_OFFERED_CHUNKING; break;
+ case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
/* -MCP: set the smtp_use_pipelining flag; this is useful only when
it preceded -MC (see above) */
- case 'P': smtp_peer_options |= PEER_OFFERED_PIPE; break;
+ case 'P': smtp_peer_options |= OPTION_PIPE; break;
/* -MCQ: pass on the pid of the queue-running process that started
this chain of deliveries and the fd of its synchronizing pipe; this
@@ -2768,14 +2768,14 @@
/* -MCS: set the smtp_use_size flag; this is useful only when it
precedes -MC (see above) */
- case 'S': smtp_peer_options |= PEER_OFFERED_SIZE; break;
+ case 'S': smtp_peer_options |= OPTION_SIZE; break;
#ifdef SUPPORT_TLS
/* -MCT: set the tls_offered flag; this is useful only when it
precedes -MC (see above). The flag indicates that the host to which
Exim is connected has offered TLS support. */
- case 'T': smtp_peer_options |= PEER_OFFERED_TLS; break;
+ case 'T': smtp_peer_options |= OPTION_TLS; break;
#endif
default: badarg = TRUE; break;
--- exim-4.89/src/macros.h.calloutsize 2017-03-04 16:21:35.000000000 -0500
+++ exim-4.89/src/macros.h 2017-08-16 15:38:52.876969094 -0400
@@ -959,14 +959,14 @@
/* Codes for ESMTP facilities offered by peer */
-#define PEER_OFFERED_TLS BIT(0)
-#define PEER_OFFERED_IGNQ BIT(1)
-#define PEER_OFFERED_PRDR BIT(2)
-#define PEER_OFFERED_UTF8 BIT(3)
-#define PEER_OFFERED_DSN BIT(4)
-#define PEER_OFFERED_PIPE BIT(5)
-#define PEER_OFFERED_SIZE BIT(6)
-#define PEER_OFFERED_CHUNKING BIT(7)
+#define OPTION_TLS BIT(0)
+#define OPTION_IGNQ BIT(1)
+#define OPTION_PRDR BIT(2)
+#define OPTION_UTF8 BIT(3)
+#define OPTION_DSN BIT(4)
+#define OPTION_PIPE BIT(5)
+#define OPTION_SIZE BIT(6)
+#define OPTION_CHUNKING BIT(7)
/* Argument for *_getc */
--- exim-4.89/src/transport.c.calloutsize 2017-08-16 15:38:52.876969094 -0400
+++ exim-4.89/src/transport.c 2017-08-16 15:55:23.681414193 -0400
@@ -1976,13 +1976,12 @@
argv = CUSS child_exec_exim(CEE_RETURN_ARGV, TRUE, &i, FALSE, 0);
if (smtp_authenticated) argv[i++] = US"-MCA";
-
- if (smtp_peer_options & PEER_OFFERED_CHUNKING) argv[i++] = US"-MCK";
- if (smtp_peer_options & PEER_OFFERED_DSN) argv[i++] = US"-MCD";
- if (smtp_peer_options & PEER_OFFERED_PIPE) argv[i++] = US"-MCP";
- if (smtp_peer_options & PEER_OFFERED_SIZE) argv[i++] = US"-MCS";
+ if (smtp_peer_options & OPTION_CHUNKING) argv[i++] = US"-MCK";
+ if (smtp_peer_options & OPTION_DSN) argv[i++] = US"-MCD";
+ if (smtp_peer_options & OPTION_PIPE) argv[i++] = US"-MCP";
+ if (smtp_peer_options & OPTION_SIZE) argv[i++] = US"-MCS";
#ifdef SUPPORT_TLS
- if (smtp_peer_options & PEER_OFFERED_TLS) argv[i++] = US"-MCT";
+ if (smtp_peer_options & OPTION_TLS) argv[i++] = US"-MCT";
#endif
if (queue_run_pid != (pid_t)0)
--- exim-4.89/src/transports/smtp.c.calloutsize 2017-03-04 16:21:35.000000000 -0500
+++ exim-4.89/src/transports/smtp.c 2017-08-16 16:08:51.572126172 -0400
@@ -1291,44 +1291,44 @@
size_t bsize = Ustrlen(buf);
#ifdef SUPPORT_TLS
-if ( checks & PEER_OFFERED_TLS
+if ( checks & OPTION_TLS
&& pcre_exec(regex_STARTTLS, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_TLS;
+ checks &= ~OPTION_TLS;
#endif
-if ( checks & PEER_OFFERED_IGNQ
+if ( checks & OPTION_IGNQ
&& pcre_exec(regex_IGNOREQUOTA, NULL, CS buf, bsize, 0,
PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_IGNQ;
+ checks &= ~OPTION_IGNQ;
-if ( checks & PEER_OFFERED_CHUNKING
+if ( checks & OPTION_CHUNKING
&& pcre_exec(regex_CHUNKING, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_CHUNKING;
+ checks &= ~OPTION_CHUNKING;
#ifndef DISABLE_PRDR
-if ( checks & PEER_OFFERED_PRDR
+if ( checks & OPTION_PRDR
&& pcre_exec(regex_PRDR, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_PRDR;
+ checks &= ~OPTION_PRDR;
#endif
#ifdef SUPPORT_I18N
-if ( checks & PEER_OFFERED_UTF8
+if ( checks & OPTION_UTF8
&& pcre_exec(regex_UTF8, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_UTF8;
+ checks &= ~OPTION_UTF8;
#endif
-if ( checks & PEER_OFFERED_DSN
+if ( checks & OPTION_DSN
&& pcre_exec(regex_DSN, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_DSN;
+ checks &= ~OPTION_DSN;
-if ( checks & PEER_OFFERED_PIPE
+if ( checks & OPTION_PIPE
&& pcre_exec(regex_PIPELINING, NULL, CS buf, bsize, 0,
PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_PIPE;
+ checks &= ~OPTION_PIPE;
-if ( checks & PEER_OFFERED_SIZE
+if ( checks & OPTION_SIZE
&& pcre_exec(regex_SIZE, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_SIZE;
+ checks &= ~OPTION_SIZE;
return checks;
}
@@ -1479,6 +1479,7 @@
if ((sx->max_rcpt = sx->tblock->max_addresses) == 0) sx->max_rcpt = 999999;
sx->peer_offered = 0;
+sx->avoid_option = 0;
sx->igquotstr = US"";
if (!sx->helo_data) sx->helo_data = sx->ob->helo_data;
#ifdef EXPERIMENTAL_DSN_INFO
@@ -1715,7 +1716,7 @@
#ifdef SUPPORT_TLS
if (sx->smtps)
{
- smtp_peer_options |= PEER_OFFERED_TLS;
+ smtp_peer_options |= OPTION_TLS;
suppress_tls = FALSE;
sx->ob->tls_tempfail_tryclear = FALSE;
smtp_command = US"SSL-on-connect";
@@ -1780,18 +1781,18 @@
}
}
- sx->peer_offered = smtp_peer_options = 0;
+ sx->avoid_option = sx->peer_offered = smtp_peer_options = 0;
if (sx->esmtp || sx->lmtp)
{
sx->peer_offered = ehlo_response(sx->buffer,
- PEER_OFFERED_TLS /* others checked later */
+ OPTION_TLS /* others checked later */
);
/* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
#ifdef SUPPORT_TLS
- smtp_peer_options |= sx->peer_offered & PEER_OFFERED_TLS;
+ smtp_peer_options |= sx->peer_offered & OPTION_TLS;
#endif
}
}
@@ -1825,7 +1826,7 @@
for error analysis. */
#ifdef SUPPORT_TLS
-if ( smtp_peer_options & PEER_OFFERED_TLS
+if ( smtp_peer_options & OPTION_TLS
&& !suppress_tls
&& verify_check_given_host(&sx->ob->hosts_avoid_tls, sx->host) != OK
&& ( !sx->verify
@@ -1970,7 +1971,7 @@
{
errno = ERRNO_TLSREQUIRED;
message = string_sprintf("a TLS session is required, but %s",
- smtp_peer_options & PEER_OFFERED_TLS
+ smtp_peer_options & OPTION_TLS
? "an attempt to start TLS failed" : "the server did not offer TLS support");
goto TLS_FAILED;
}
@@ -1991,60 +1992,60 @@
{
sx->peer_offered = ehlo_response(sx->buffer,
0 /* no TLS */
- | (sx->lmtp && sx->ob->lmtp_ignore_quota ? PEER_OFFERED_IGNQ : 0)
- | PEER_OFFERED_CHUNKING
- | PEER_OFFERED_PRDR
+ | (sx->lmtp && sx->ob->lmtp_ignore_quota ? OPTION_IGNQ : 0)
+ | OPTION_CHUNKING
+ | OPTION_PRDR
#ifdef SUPPORT_I18N
- | (sx->addrlist->prop.utf8_msg ? PEER_OFFERED_UTF8 : 0)
+ | (sx->addrlist->prop.utf8_msg ? OPTION_UTF8 : 0)
/*XXX if we hand peercaps on to continued-conn processes,
must not depend on this addr */
#endif
- | PEER_OFFERED_DSN
- | PEER_OFFERED_PIPE
- | (sx->ob->size_addition >= 0 ? PEER_OFFERED_SIZE : 0)
+ | OPTION_DSN
+ | OPTION_PIPE
+ | (sx->ob->size_addition >= 0 ? OPTION_SIZE : 0)
);
/* Set for IGNOREQUOTA if the response to LHLO specifies support and the
lmtp_ignore_quota option was set. */
- sx->igquotstr = sx->peer_offered & PEER_OFFERED_IGNQ ? US" IGNOREQUOTA" : US"";
+ sx->igquotstr = sx->peer_offered & OPTION_IGNQ ? US" IGNOREQUOTA" : US"";
/* If the response to EHLO specified support for the SIZE parameter, note
this, provided size_addition is non-negative. */
- smtp_peer_options |= sx->peer_offered & PEER_OFFERED_SIZE;
+ smtp_peer_options |= sx->peer_offered & OPTION_SIZE;
/* Note whether the server supports PIPELINING. If hosts_avoid_esmtp matched
the current host, esmtp will be false, so PIPELINING can never be used. If
the current host matches hosts_avoid_pipelining, don't do it. */
- if ( sx->peer_offered & PEER_OFFERED_PIPE
+ if ( sx->peer_offered & OPTION_PIPE
&& verify_check_given_host(&sx->ob->hosts_avoid_pipelining, sx->host) != OK)
- smtp_peer_options |= PEER_OFFERED_PIPE;
+ smtp_peer_options |= OPTION_PIPE;
DEBUG(D_transport) debug_printf("%susing PIPELINING\n",
- smtp_peer_options & PEER_OFFERED_PIPE ? "" : "not ");
+ smtp_peer_options & OPTION_PIPE ? "" : "not ");
- if ( sx->peer_offered & PEER_OFFERED_CHUNKING
+ if ( sx->peer_offered & OPTION_CHUNKING
&& verify_check_given_host(&sx->ob->hosts_try_chunking, sx->host) != OK)
- sx->peer_offered &= ~PEER_OFFERED_CHUNKING;
+ sx->peer_offered &= ~OPTION_CHUNKING;
- if (sx->peer_offered & PEER_OFFERED_CHUNKING)
+ if (sx->peer_offered & OPTION_CHUNKING)
{DEBUG(D_transport) debug_printf("CHUNKING usable\n");}
#ifndef DISABLE_PRDR
- if ( sx->peer_offered & PEER_OFFERED_PRDR
+ if ( sx->peer_offered & OPTION_PRDR
&& verify_check_given_host(&sx->ob->hosts_try_prdr, sx->host) != OK)
- sx->peer_offered &= ~PEER_OFFERED_PRDR;
+ sx->peer_offered &= ~OPTION_PRDR;
- if (sx->peer_offered & PEER_OFFERED_PRDR)
+ if (sx->peer_offered & OPTION_PRDR)
{DEBUG(D_transport) debug_printf("PRDR usable\n");}
#endif
/* Note if the server supports DSN */
- smtp_peer_options |= sx->peer_offered & PEER_OFFERED_DSN;
+ smtp_peer_options |= sx->peer_offered & OPTION_DSN;
DEBUG(D_transport) debug_printf("%susing DSN\n",
- sx->peer_offered & PEER_OFFERED_DSN ? "" : "not ");
+ sx->peer_offered & OPTION_DSN ? "" : "not ");
/* Note if the response to EHLO specifies support for the AUTH extension.
If it has, check that this host is one we want to authenticate to, and do
@@ -2061,7 +2062,7 @@
}
}
}
-pipelining_active = !!(smtp_peer_options & PEER_OFFERED_PIPE);
+pipelining_active = !!(smtp_peer_options & OPTION_PIPE);
/* The setting up of the SMTP call is now complete. Any subsequent errors are
message-specific. */
@@ -2079,7 +2080,7 @@
}
/* If this is an international message we need the host to speak SMTPUTF8 */
-if (sx->utf8_needed && !(sx->peer_offered & PEER_OFFERED_UTF8))
+if (sx->utf8_needed && !(sx->peer_offered & OPTION_UTF8))
{
errno = ERRNO_UTF8_FWD;
goto RESPONSE_FAILED;
@@ -2202,14 +2203,15 @@
*p = 0;
-/* If we know the receiving MTA supports the SIZE qualification,
+/* If we know the receiving MTA supports the SIZE qualification, and we know it,
send it, adding something to the message size to allow for imprecision
and things that get added en route. Exim keeps the number of lines
in a message, so we can give an accurate value for the original message, but we
need some additional to handle added headers. (Double "." characters don't get
included in the count.) */
-if (sx->peer_offered & PEER_OFFERED_SIZE)
+if ( message_size > 0
+ && sx->peer_offered & OPTION_SIZE && !(sx->avoid_option & OPTION_SIZE))
{
sprintf(CS p, " SIZE=%d", message_size+message_linecount+sx->ob->size_addition);
while (*p) p++;
@@ -2220,7 +2222,7 @@
request that */
sx->prdr_active = FALSE;
-if (sx->peer_offered & PEER_OFFERED_PRDR)
+if (sx->peer_offered & OPTION_PRDR)
for (addr = addrlist; addr; addr = addr->next)
if (addr->transport_return == PENDING_DEFER)
{
@@ -2239,7 +2241,7 @@
/* If it supports internationalised messages, and this meesage need that,
request it */
-if ( sx->peer_offered & PEER_OFFERED_UTF8
+if ( sx->peer_offered & OPTION_UTF8
&& addrlist->prop.utf8_msg
&& !addrlist->prop.utf8_downcvt
)
@@ -2261,7 +2263,7 @@
/* Add any DSN flags to the mail command */
-if (sx->peer_offered & PEER_OFFERED_DSN && !sx->dsn_all_lasthop)
+if (sx->peer_offered & OPTION_DSN && !sx->dsn_all_lasthop)
{
if (dsn_ret == dsn_ret_hdrs)
{ Ustrcpy(p, " RET=HDRS"); p += 9; }
@@ -2297,7 +2299,7 @@
/* Add any DSN flags to the rcpt command */
-if (sx->peer_offered & PEER_OFFERED_DSN && !(addr->dsn_flags & rf_dsnlasthop))
+if (sx->peer_offered & OPTION_DSN && !(addr->dsn_flags & rf_dsnlasthop))
{
if (addr->dsn_flags & rf_dsnflags)
{
@@ -2367,7 +2369,7 @@
the delivery log line. */
if ( sx->addrlist->prop.utf8_msg
- && (sx->addrlist->prop.utf8_downcvt || !(sx->peer_offered & PEER_OFFERED_UTF8))
+ && (sx->addrlist->prop.utf8_downcvt || !(sx->peer_offered & OPTION_UTF8))
)
{
if (s = string_address_utf8_to_alabel(s, &errstr), errstr)
@@ -2431,7 +2433,7 @@
BOOL no_flush;
uschar * rcpt_addr;
- addr->dsn_aware = sx->peer_offered & PEER_OFFERED_DSN
+ addr->dsn_aware = sx->peer_offered & OPTION_DSN
? dsn_support_yes : dsn_support_no;
address_count++;
@@ -2594,10 +2596,10 @@
if ( transport_filter_argv
&& *transport_filter_argv
&& **transport_filter_argv
- && sx.peer_offered & PEER_OFFERED_CHUNKING
+ && sx.peer_offered & OPTION_CHUNKING
)
{
- sx.peer_offered &= ~PEER_OFFERED_CHUNKING;
+ sx.peer_offered &= ~OPTION_CHUNKING;
DEBUG(D_transport) debug_printf("CHUNKING not usable due to transport filter\n");
}
}
@@ -2656,7 +2658,7 @@
If using CHUNKING, do not send a BDAT until we know how big a chunk we want
to send is. */
-if ( !(sx.peer_offered & PEER_OFFERED_CHUNKING)
+if ( !(sx.peer_offered & OPTION_CHUNKING)
&& (sx.ok || (pipelining_active && !mua_wrapper)))
{
int count = smtp_write_command(&sx.outblock, FALSE, "DATA\r\n");
@@ -2686,7 +2688,7 @@
well as body. Set the appropriate timeout value to be used for each chunk.
(Haven't been able to make it work using select() for writing yet.) */
-if (!(sx.peer_offered & PEER_OFFERED_CHUNKING) && !sx.ok)
+if (!(sx.peer_offered & OPTION_CHUNKING) && !sx.ok)
{
/* Save the first address of the next batch. */
sx.first_addr = sx.next_addr;
@@ -2712,7 +2714,7 @@
of responses. The callback needs a whole bunch of state so set up
a transport-context structure to be passed around. */
- if (sx.peer_offered & PEER_OFFERED_CHUNKING)
+ if (sx.peer_offered & OPTION_CHUNKING)
{
tctx.check_string = tctx.escape_string = NULL;
tctx.options |= topt_use_bdat;
@@ -2737,7 +2739,7 @@
transport_write_timeout = sx.ob->data_timeout;
smtp_command = US"sending data block"; /* For error messages */
DEBUG(D_transport|D_v)
- if (sx.peer_offered & PEER_OFFERED_CHUNKING)
+ if (sx.peer_offered & OPTION_CHUNKING)
debug_printf(" will write message using CHUNKING\n");
else
debug_printf(" SMTP>> writing message and terminating \".\"\n");
@@ -2771,7 +2773,7 @@
smtp_command = US"end of data";
- if (sx.peer_offered & PEER_OFFERED_CHUNKING && sx.cmd_count > 1)
+ if (sx.peer_offered & OPTION_CHUNKING && sx.cmd_count > 1)
{
/* Reap any outstanding MAIL & RCPT commands, but not a DATA-go-ahead */
switch(sync_responses(&sx, sx.cmd_count-1, 0))
@@ -2926,7 +2928,7 @@
#ifndef DISABLE_PRDR
if (sx.prdr_active) addr->flags |= af_prdr_used;
#endif
- if (sx.peer_offered & PEER_OFFERED_CHUNKING) addr->flags |= af_chunking_used;
+ if (sx.peer_offered & OPTION_CHUNKING) addr->flags |= af_chunking_used;
flag = '-';
#ifndef DISABLE_PRDR
--- exim-4.89/src/transports/smtp.h.calloutsize 2017-03-04 16:21:35.000000000 -0500
+++ exim-4.89/src/transports/smtp.h 2017-08-16 15:38:52.877969104 -0400
@@ -127,6 +127,7 @@
int cmd_count;
uschar peer_offered;
+ uschar avoid_option;
uschar * igquotstr;
uschar * helo_data;
#ifdef EXPERIMENTAL_DSN_INFO
--- exim-4.89/src/verify.c.calloutsize 2017-03-04 16:21:35.000000000 -0500
+++ exim-4.89/src/verify.c 2017-08-16 15:51:37.913261370 -0400
@@ -779,8 +779,12 @@
postmaster-verify.
The sync_responses() would need to be taught about it and we'd
need another return code filtering out to here.
+
+ Avoid using a SIZE option on the MAIL for all randon-rcpt checks.
*/
+ sx.avoid_option = OPTION_SIZE;
+
/* Remember when we last did a random test */
new_domain_record.random_stamp = time(NULL);
@@ -790,8 +794,9 @@
case PENDING_OK:
new_domain_record.random_result = ccache_accept;
break;
- case FAIL:
+ case FAIL: /* the preferred result */
new_domain_record.random_result = ccache_reject;
+ sx.avoid_option = 0;
/* Between each check, issue RSET, because some servers accept only
one recipient after MAIL FROM:<>.
@@ -836,12 +841,14 @@
else
done = TRUE;
- /* Main verify. If the host is accepting all local parts, as determined
- by the "random" check, we don't need to waste time doing any further
- checking. */
+ /* Main verify. For rcpt-verify use SIZE if we know it and we're not cacheing;
+ for sndr-verify never use it. */
if (done)
{
+ if (!(options & vopt_is_recipient && options & vopt_callout_no_cache))
+ sx.avoid_option = OPTION_SIZE;
+
done = FALSE;
switch(smtp_write_mail_and_rcpt_cmds(&sx, &yield))
{
@@ -850,12 +857,12 @@
case PENDING_OK: done = TRUE;
new_address_record.result = ccache_accept;
break;
- case FAIL: done = TRUE;
+ case FAIL: done = TRUE;
yield = FAIL;
*failure_ptr = US"recipient";
new_address_record.result = ccache_reject;
break;
- default: break;
+ default: break;
}
break;
@@ -908,6 +915,7 @@
sx.ok = FALSE;
sx.send_rset = TRUE;
sx.completed_addr = FALSE;
+ sx.avoid_option = OPTION_SIZE;
if( smtp_write_mail_and_rcpt_cmds(&sx, &yield) == 0
&& addr->transport_return == PENDING_OK


@ -1,10 +0,0 @@
--- a/src/lookups/mysql.c 2017-06-30 18:14:16.681819941 +0200
+++ b/src/lookups/mysql.c 2017-06-30 18:14:29.776921269 +0200
@@ -13,6 +13,7 @@
#include "lf_functions.h"
#include <mysql.h> /* The system header */
+#include <mysql_version.h>
/* Structure and anchor for caching connections. */


@ -1,8 +1,8 @@
diff --git a/src/configure.default b/src/configure.default
index 1e3c63f..0e7854c 100644
index 2cce34b..50e9236 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -724,7 +724,7 @@ userforward:
@@ -727,7 +727,7 @@ userforward:
# local_part_suffix = +* : -*
# local_part_suffix_optional
file = $home/.forward


@ -1,8 +1,8 @@
diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile
index 3e486a6..6c4afec 100755
index 2af1927..e461505 100755
--- a/scripts/Configure-Makefile
+++ b/scripts/Configure-Makefile
@@ -269,7 +269,7 @@ if [ "${EXIM_PERL}" != "" ] ; then
@@ -296,7 +296,7 @@ if [ "${EXIM_PERL}" != "" ] ; then
mv $mft $mftt
echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft
@ -12,7 +12,7 @@ index 3e486a6..6c4afec 100755
echo "" >>$mft
cat $mftt >> $mft
diff --git a/src/EDITME b/src/EDITME
index df74aac..0caf02d 100644
index 72e26ce..0bd97f1 100644
--- a/src/EDITME
+++ b/src/EDITME
@@ -98,7 +98,7 @@
@ -51,7 +51,7 @@ index df74aac..0caf02d 100644
# Many sites define a user called "exim", with an appropriate default group,
# and use
@@ -232,7 +232,7 @@ TRANSPORT_SMTP=yes
@@ -237,7 +237,7 @@ TRANSPORT_SMTP=yes
# This one is special-purpose, and commonly not required, so it is not
# included by default.
@ -60,7 +60,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------
@@ -241,9 +241,9 @@ TRANSPORT_SMTP=yes
@@ -246,9 +246,9 @@ TRANSPORT_SMTP=yes
# MBX, is included only when requested. If you do not know what this is about,
# leave these settings commented out.
@ -73,7 +73,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------
@@ -301,19 +301,21 @@ LOOKUP_DBM=yes
@@ -306,20 +306,22 @@ LOOKUP_DBM=yes
LOOKUP_LSEARCH=yes
LOOKUP_DNSDB=yes
@ -84,6 +84,7 @@ index df74aac..0caf02d 100644
# LOOKUP_IBASE=yes
-# LOOKUP_LDAP=yes
-# LOOKUP_MYSQL=yes
-# LOOKUP_MYSQL_PC=mariadb
-# LOOKUP_NIS=yes
-# LOOKUP_NISPLUS=yes
+LOOKUP_LDAP=yes
@ -91,6 +92,7 @@ index df74aac..0caf02d 100644
+LOOKUP_INCLUDE=-I/usr/include/mysql
+LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient -lpq
+LOOKUP_MYSQL=yes
+LOOKUP_MYSQL_PC=mariadb
+LOOKUP_NIS=yes
+LOOKUP_NISPLUS=yes
# LOOKUP_ORACLE=yes
@ -105,7 +107,7 @@ index df74aac..0caf02d 100644
# LOOKUP_WHOSON=yes
# These two settings are obsolete; all three lookups are compiled when
@@ -390,7 +392,7 @@ EXIM_MONITOR=eximon.bin
@@ -396,7 +398,7 @@ EXIM_MONITOR=eximon.bin
# and the MIME ACL. Please read the documentation to learn more about these
# features.
@ -114,7 +116,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------
# If you're using ClamAV and are backporting fixes to an old version, instead
@@ -577,7 +579,7 @@ FIXED_NEVER_USERS=root
@@ -584,7 +586,7 @@ FIXED_NEVER_USERS=root
# CONFIGURE_OWNER setting, to specify a configuration file which is listed in
# the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim.
@ -123,7 +125,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------
@@ -622,17 +624,14 @@ FIXED_NEVER_USERS=root
@@ -629,17 +631,14 @@ FIXED_NEVER_USERS=root
# included in the Exim binary. You will then need to set up the run time
# configuration to make use of the mechanism(s) selected.
@ -149,7 +151,7 @@ index df74aac..0caf02d 100644
# Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1
# requires multiple pkg-config files to work with Exim, so the second example
@@ -656,7 +655,7 @@ FIXED_NEVER_USERS=root
@@ -663,7 +662,7 @@ FIXED_NEVER_USERS=root
# one that is set in the headers_charset option. The default setting is
# defined by this setting:
@ -158,7 +160,7 @@ index df74aac..0caf02d 100644
# If you are going to make use of $header_xxx expansions in your configuration
# file, or if your users are going to use them in filter files, and the normal
@@ -676,7 +675,7 @@ HEADERS_CHARSET="ISO-8859-1"
@@ -683,7 +682,7 @@ HEADERS_CHARSET="ISO-8859-1"
# the Sieve filter support. For those OS where iconv() is known to be installed
# as standard, the file in OS/Makefile-xxxx contains
#
@ -167,7 +169,7 @@ index df74aac..0caf02d 100644
#
# If you are not using one of those systems, but have installed iconv(), you
# need to uncomment that line above. In some cases, you may find that iconv()
@@ -745,11 +744,11 @@ HEADERS_CHARSET="ISO-8859-1"
@@ -752,11 +751,11 @@ HEADERS_CHARSET="ISO-8859-1"
# leave these settings commented out.
# This setting is required for any TLS support (either OpenSSL or GnuTLS)
@ -182,7 +184,7 @@ index df74aac..0caf02d 100644
# Uncomment the first and either the second or the third of these if you
# are using GnuTLS. If you have pkg-config, then the second, else the third.
@@ -818,7 +817,7 @@ HEADERS_CHARSET="ISO-8859-1"
@@ -825,7 +824,7 @@ HEADERS_CHARSET="ISO-8859-1"
# Once you have done this, "make install" will build the info files and
# install them in the directory you have defined.
@ -191,7 +193,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------
@@ -831,7 +830,7 @@ HEADERS_CHARSET="ISO-8859-1"
@@ -838,7 +837,7 @@ HEADERS_CHARSET="ISO-8859-1"
# %s. This will be replaced by one of the strings "main", "panic", or "reject"
# to form the final file names. Some installations may want something like this:
@ -200,7 +202,7 @@ index df74aac..0caf02d 100644
# which results in files with names /var/log/exim_mainlog, etc. The directory
# in which the log files are placed must exist; Exim does not try to create
@@ -903,7 +902,7 @@ ZCAT_COMMAND=/usr/bin/zcat
@@ -910,7 +909,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded
# Perl costs quite a lot of resources. Only do this if you really need it.
@ -209,7 +211,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------
@@ -913,7 +912,7 @@ ZCAT_COMMAND=/usr/bin/zcat
@@ -920,7 +919,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# that the local_scan API is made available by the linker. You may also need
# to add -ldl to EXTRALIBS so that dlopen() is available to Exim.
@ -218,7 +220,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------
@@ -923,7 +922,7 @@ ZCAT_COMMAND=/usr/bin/zcat
@@ -930,7 +929,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# support, which is intended for use in conjunction with the SMTP AUTH
# facilities, is included only when requested by the following setting:
@ -227,7 +229,7 @@ index df74aac..0caf02d 100644
# You probably need to add -lpam to EXTRALIBS, and in some releases of
# GNU/Linux -ldl is also needed.
@@ -1021,7 +1020,7 @@ ZCAT_COMMAND=/usr/bin/zcat
@@ -1028,7 +1027,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# group. Once you have installed saslauthd, you should arrange for it to be
# started by root at boot time.
@ -236,20 +238,18 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------
@@ -1034,9 +1033,9 @@ ZCAT_COMMAND=/usr/bin/zcat
# You may well also have to specify a local "include" file and an additional
@@ -1042,8 +1041,8 @@ ZCAT_COMMAND=/usr/bin/zcat
# library for TCP wrappers, so you probably need something like this:
#
-# USE_TCP_WRAPPERS=yes
# USE_TCP_WRAPPERS=yes
-# CFLAGS=-O -I/usr/local/include
-# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap
+USE_TCP_WRAPPERS=yes
+CFLAGS+=$(RPM_OPT_FLAGS) $(PIE)
+EXTRALIBS_EXIM=-lwrap -lpam -ldl -export-dynamic -rdynamic
+EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic
#
# but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM
# as well.
@@ -1088,7 +1087,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
@@ -1095,7 +1094,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
# is "yes", as well as supporting line editing, a history of input lines in the
# current run is maintained.
@ -258,7 +258,7 @@ index df74aac..0caf02d 100644
# You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes.
# Note that this option adds to the size of the Exim binary, because the
@@ -1098,7 +1097,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
@@ -1112,7 +1111,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
#------------------------------------------------------------------------------
# Uncomment this setting to include IPv6 support.
@ -267,7 +267,7 @@ index df74aac..0caf02d 100644
###############################################################################
# THINGS YOU ALMOST NEVER NEED TO MENTION #
@@ -1119,13 +1118,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
@@ -1133,13 +1132,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
# haven't got Perl, Exim will still build and run; you just won't be able to
# use those utilities.
@ -288,7 +288,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------
@@ -1327,7 +1326,7 @@ EXIM_TMPDIR="/tmp"
@@ -1341,7 +1340,7 @@ EXIM_TMPDIR="/tmp"
# (process id) to a file so that it can easily be identified. The path of the
# file can be specified here. Some installations may want something like this:
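Review bot: The commit message does not mention that the refreshed EDITME patch appears to stop building TCP wrappers support. In the inner hunk now headed `@@ -1042,8 +1041,8 @@`, `# USE_TCP_WRAPPERS=yes` is left as a commented context line and the added `EXTRALIBS_EXIM` line no longer carries `-lwrap`. The rendered page has lost the outer `+`/`-` column, so this reading rests on the inner hunk counts and should be confirmed against the raw patch. If it holds, the rebuilt daemon would no longer consult hosts.allow/hosts.deny, and any host restriction an administrator kept only there would stop applying after the update without notice. I would record it in the commit message and package changelog, for example `Dropped TCP wrappers support; restrict connecting hosts with Exim ACLs or the firewall instead`.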


@ -1,8 +1,8 @@
diff --git a/src/configure.default b/src/configure.default
index 8b6162b..d588898 100644
index 562d0be..1138335 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -765,6 +765,16 @@ address_reply:
@@ -768,6 +768,16 @@ address_reply:
driver = autoreply


@ -1,8 +1,8 @@
diff --git a/src/EDITME b/src/EDITME
index 0caf02d..6957546 100644
index 0bd97f1..ce2b047 100644
--- a/src/EDITME
+++ b/src/EDITME
@@ -802,6 +802,20 @@ TLS_LIBS=-lssl -lcrypto
@@ -809,6 +809,20 @@ TLS_LIBS=-lssl -lcrypto
#------------------------------------------------------------------------------
@ -24,10 +24,10 @@ index 0caf02d..6957546 100644
# documentation. Other forms are available separately. If you want to install
# the documentation in "info" format, first fetch the Texinfo documentation
diff --git a/src/config.h.defaults b/src/config.h.defaults
index 58e1813..9b18f98 100644
index 4750523..e3943a8 100644
--- a/src/config.h.defaults
+++ b/src/config.h.defaults
@@ -28,6 +28,8 @@ it's a default value. */
@@ -31,6 +31,8 @@ Do not put spaces between # and the 'define'.
#define AUTH_VARS 3
@ -37,7 +37,7 @@ index 58e1813..9b18f98 100644
#define CONFIGURE_FILE
diff --git a/src/globals.c b/src/globals.c
index 79ac37f..b7d690f 100644
index 5df84bd..74724fd 100644
--- a/src/globals.c
+++ b/src/globals.c
@@ -167,6 +167,10 @@ uschar *tls_verify_hosts = NULL;
@ -52,7 +52,7 @@ index 79ac37f..b7d690f 100644
/* Per Recipient Data Response variables */
BOOL prdr_enable = FALSE;
diff --git a/src/globals.h b/src/globals.h
index 340f1ae..4b65781 100644
index 37d4cad..2b313e0 100644
--- a/src/globals.h
+++ b/src/globals.h
@@ -126,6 +126,11 @@ extern uschar *tls_try_verify_hosts; /* Optional client verification */
@ -251,10 +251,10 @@ index 3500047..8599172 100644
+
/* End of local_scan.c */
diff --git a/src/readconf.c b/src/readconf.c
index 790f073..6e88bcd 100644
index 8d5f38c..73095be 100644
--- a/src/readconf.c
+++ b/src/readconf.c
@@ -318,6 +318,9 @@ static optionlist optionlist_config[] = {
@@ -195,6 +195,9 @@ static optionlist optionlist_config[] = {
{ "local_from_prefix", opt_stringptr, &local_from_prefix },
{ "local_from_suffix", opt_stringptr, &local_from_suffix },
{ "local_interfaces", opt_stringptr, &local_interfaces },


@ -1,8 +1,8 @@
diff --git a/src/EDITME b/src/EDITME
index df3dcc8..de01565 100644
index ce2b047..ad06440 100644
--- a/src/EDITME
+++ b/src/EDITME
@@ -306,14 +306,16 @@ LOOKUP_DSEARCH=yes
@@ -311,15 +311,17 @@ LOOKUP_DSEARCH=yes
# LOOKUP_IBASE=yes
LOOKUP_LDAP=yes
LDAP_LIB_TYPE=OPENLDAP2
@ -10,10 +10,11 @@ index df3dcc8..de01565 100644
-LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient -lpq
-LOOKUP_MYSQL=yes
+LOOKUP_LIBS=-lldap -llber -lsqlite3
+LOOKUP_MYSQL_INCLUDE=-I/usr/include/mysql
+LOOKUP_MYSQL_LIBS=-L/usr/${_lib}/mysql -lmysqlclient
+LOOKUP_INCLUDE=-I/usr/include/mysql
+LOOKUP_MYSQL_LIBS=-lmysqlclient
+LOOKUP_PGSQL_LIBS=-lpq
+LOOKUP_MYSQL=2
LOOKUP_MYSQL_PC=mariadb
LOOKUP_NIS=yes
LOOKUP_NISPLUS=yes
# LOOKUP_ORACLE=yes


@ -1,7 +1,8 @@
diff --git a/src/configure.default b/src/configure.default
index b955c6e..590c664 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -357,8 +357,8 @@ timeout_frozen_after = 7d
@@ -360,8 +360,8 @@ timeout_frozen_after = 7d
# Note that TZ is handled separately by the timezone runtime option
# and TIMEZONE_DEFAULT buildtime option.


@ -1,5 +1,5 @@
diff --git a/src/configure.default b/src/configure.default
index 921c53b..a92c954 100644
index 72675be..30ffc8c 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -107,6 +107,7 @@ hostlist relay_from_hosts = localhost
@ -10,7 +10,7 @@ index 921c53b..a92c954 100644
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime
@@ -368,6 +369,29 @@ timeout_frozen_after = 7d
@@ -371,6 +372,29 @@ timeout_frozen_after = 7d
begin acl
@ -40,7 +40,7 @@ index 921c53b..a92c954 100644
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
@@ -493,7 +517,8 @@ acl_check_rcpt:
@@ -496,7 +520,8 @@ acl_check_rcpt:
# There are no default checks on DNS black lists because the domains that
# contain these lists are changing all the time. However, here are two
# examples of how you can get Exim to perform a DNS black list lookup at this
@ -50,7 +50,7 @@ index 921c53b..a92c954 100644
#
# deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
# dnslists = black.list.example
@@ -501,6 +526,10 @@ acl_check_rcpt:
@@ -504,6 +529,10 @@ acl_check_rcpt:
# warn dnslists = black.list.example
# add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
# log_message = found in $dnslist_domain
@ -61,7 +61,7 @@ index 921c53b..a92c954 100644
#############################################################################
#############################################################################
@@ -514,6 +543,10 @@ acl_check_rcpt:
@@ -517,6 +546,10 @@ acl_check_rcpt:
# require verify = csa
#############################################################################
@ -72,7 +72,7 @@ index 921c53b..a92c954 100644
# At this point, the address has passed all the checks that have been
# configured, so we accept it unconditionally.
@@ -546,6 +579,12 @@ acl_check_data:
@@ -549,6 +582,12 @@ acl_check_data:
# deny condition = ${if !def:h_Message-ID: {1}}
# message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
# Most messages without it are spam, so your mail has been rejected.
@ -85,7 +85,7 @@ index 921c53b..a92c954 100644
# Deny if the message contains a virus. Before enabling this check, you
# must install a virus scanner and set the av_scanner option above.
@@ -580,8 +619,30 @@ acl_check_data:
@@ -583,8 +622,30 @@ acl_check_data:
# message = Your message scored $spam_score SpamAssassin point. Report follows:\n\
# $spam_report


@ -1,5 +1,5 @@
diff --git a/src/configure.default b/src/configure.default
index d588898..61bdae8 100644
index 1138335..0675b40 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -142,7 +142,7 @@ acl_smtp_data = acl_check_data
@ -20,9 +20,9 @@ index d588898..61bdae8 100644
+tls_certificate = /etc/pki/tls/certs/exim.pem
+tls_privatekey = /etc/pki/tls/private/exim.pem
# In order to support roaming users who wish to send email from anywhere,
# you may want to make Exim listen on other ports as well as port 25, in
@@ -162,8 +162,8 @@ acl_smtp_data = acl_check_data
# For OpenSSL, prefer EC- over RSA-authenticated ciphers
# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
@@ -165,8 +165,8 @@ acl_smtp_data = acl_check_data
# them you should also allow TLS-on-connect on the traditional but
# non-standard port 465.
@ -33,7 +33,7 @@ index d588898..61bdae8 100644
# Specify the domain you want to be added to all unqualified addresses
@@ -221,6 +221,24 @@ never_users = root
@@ -224,6 +224,24 @@ never_users = root
host_lookup = *
@ -58,7 +58,7 @@ index d588898..61bdae8 100644
# The settings below cause Exim to make RFC 1413 (ident) callbacks
# for all incoming SMTP calls. You can limit the hosts to which these
@@ -844,7 +862,7 @@ begin authenticators
@@ -847,7 +865,7 @@ begin authenticators
# driver = plaintext
# server_set_id = $auth2
# server_prompts = :
@ -67,7 +67,7 @@ index d588898..61bdae8 100644
# server_advertise_condition = ${if def:tls_in_cipher }
# LOGIN authentication has traditional prompts and responses. There is no
@@ -856,7 +874,7 @@ begin authenticators
@@ -859,7 +877,7 @@ begin authenticators
# driver = plaintext
# server_set_id = $auth1
# server_prompts = <| Username: | Password:


@ -1,8 +1,8 @@
diff --git a/src/configure.default b/src/configure.default
index ecc3d6e..1e3c63f 100644
index 8b4575c..2cce34b 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -732,6 +732,12 @@ userforward:
@@ -735,6 +735,12 @@ userforward:
pipe_transport = address_pipe
reply_transport = address_reply
@ -15,7 +15,7 @@ index ecc3d6e..1e3c63f 100644
# This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user".
@@ -773,6 +779,16 @@ remote_smtp:
@@ -776,6 +782,16 @@ remote_smtp:
driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}


@ -1,8 +1,8 @@
diff --git a/src/configure.default b/src/configure.default
index 985f1d0..8b6162b 100644
index 1dc9b91..562d0be 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -630,7 +630,7 @@ system_aliases:
@@ -633,7 +633,7 @@ system_aliases:
driver = redirect
allow_fail
allow_defer
@ -11,7 +11,7 @@ index 985f1d0..8b6162b 100644
# user = exim
file_transport = address_file
pipe_transport = address_pipe
@@ -731,8 +731,8 @@ local_delivery:
@@ -734,8 +734,8 @@ local_delivery:
delivery_date_add
envelope_to_add
return_path_add


@ -1,8 +1,8 @@
diff --git a/src/configure.default b/src/configure.default
index a92c954..13599ae 100644
index 30ffc8c..b955c6e 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -840,6 +840,15 @@ remote_smtp:
@@ -843,6 +843,15 @@ remote_smtp:
driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
@ -18,7 +18,7 @@ index a92c954..13599ae 100644
# This transport invokes procmail to deliver mail
procmail:
driver = pipe
@@ -948,6 +957,21 @@ begin rewrite
@@ -951,6 +960,21 @@ begin rewrite
# AUTHENTICATION CONFIGURATION #
######################################################################
@ -40,7 +40,7 @@ index a92c954..13599ae 100644
# The following authenticators support plaintext username/password
# authentication using the standard PLAIN mechanism and the traditional
# but non-standard LOGIN mechanism, with Exim acting as the server.
@@ -963,7 +987,7 @@ begin rewrite
@@ -966,7 +990,7 @@ begin rewrite
# The default RCPT ACL checks for successful authentication, and will accept
# messages from authenticated users from anywhere on the Internet.


@ -1,5 +1,7 @@
--- a/src/configure.default.spamd 2016-12-25 21:06:57.453758443 +0000
+++ b/src/configure.default 2016-12-25 21:07:49.940188407 +0000
diff --git a/src/configure.default b/src/configure.default
index 0675b40..8b4575c 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -109,6 +109,7 @@ hostlist relay_from_hosts = localhost
acl_smtp_rcpt = acl_check_rcpt
@ -17,7 +19,7 @@
# For spam scanning, there is a similar option that defines the interface to
@@ -431,7 +432,8 @@ acl_check_rcpt:
@@ -434,7 +435,8 @@ acl_check_rcpt:
accept local_parts = postmaster
domains = +local_domains
@ -27,7 +29,7 @@
require verify = sender
@@ -535,27 +537,63 @@ acl_check_data:
@@ -538,27 +540,63 @@ acl_check_data:
got $max_received_linelength
condition = ${if > {$max_received_linelength}{998}}
@ -50,17 +52,17 @@
- # Add headers to a message if it is judged to be spam. Before enabling this,
- # you must install SpamAssassin. You may also need to set the spamd_address
- # option above.
- #
+ # Bypass SpamAssassin checks if the message is too large.
#
- # warn spam = nobody
- # add_header = X-Spam_score: $spam_score\n\
- # X-Spam_score_int: $spam_score_int\n\
- # X-Spam_bar: $spam_bar\n\
- # X-Spam_report: $spam_report
+ # Bypass SpamAssassin checks if the message is too large.
+ #
+ # accept condition = ${if >={$message_size}{100000} {1}}
+ # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
+
- # Accept the message.
+ # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
+ # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
+ # score exceeds the SA system threshold.
@ -76,8 +78,7 @@
+ #
+ # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
+ # X-Spam-Report: $spam_report
- # Accept the message.
+
+ # And reject if the SpamAssassin score is greater than ten
+ #
+ # deny condition = ${if >{$spam_score_int}{100} {1}}


@ -14,8 +14,8 @@
Summary: The exim mail transfer agent
Name: exim
Version: 4.89
Release: 4%{?dist}
Version: 4.90.1
Release: 1%{?dist}
License: GPLv2+
Url: http://www.exim.org/
Group: System Environment/Daemons
@ -52,34 +52,21 @@ Source25: exim-gen-cert
Source26: clamd.exim.service
%endif
Patch4: exim-4.88-rhl.patch
Patch6: exim-4.89-config.patch
Patch4: exim-4.90.1-rhl.patch
Patch6: exim-4.90.1-config.patch
Patch8: exim-4.82-libdir.patch
Patch12: exim-4.88-cyrus.patch
Patch13: exim-4.88-pamconfig.patch
Patch14: exim-4.87-spamdconf.patch
Patch18: exim-4.89-dlopen-localscan.patch
Patch19: exim-4.88-procmail.patch
Patch20: exim-4.88-allow-filter.patch
Patch12: exim-4.90.1-cyrus.patch
Patch13: exim-4.90.1-pamconfig.patch
Patch14: exim-4.90.1-spamdconf.patch
Patch18: exim-4.90.1-dlopen-localscan.patch
Patch19: exim-4.90.1-procmail.patch
Patch20: exim-4.90.1-allow-filter.patch
Patch21: exim-4.87-localhost-is-local.patch
Patch22: exim-4.88-greylist-conf.patch
Patch23: exim-4.88-smarthost-config.patch
Patch25: exim-4.87-dynlookup-config.patch
# Upstream ticket: http://bugs.exim.org/show_bug.cgi?id=1584
Patch22: exim-4.90.1-greylist-conf.patch
Patch23: exim-4.90.1-smarthost-config.patch
Patch25: exim-4.90.1-dynlookup-config.patch
Patch26: exim-4.85-pic.patch
Patch27: exim-4.89-environment.patch
# https://github.com/Exim/exim/pull/56
Patch28: exim-4.89-mariadb-10.2-compile-fix.patch
# Backported from upstream:
# https://github.com/Exim/exim/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21
Patch29: exim-4.89-CVE-2017-1000369.patch
# Backported from upstream:
# https://git.exim.org/exim.git/commitdiff/14de8063d82edc5bf003ed50abdea55ac542679b
Patch30: exim-4.89-calloutsize.patch
# Upstream ticket: https://bugs.exim.org/show_bug.cgi?id=2199
Patch31: exim-4.89-CVE-2017-16943.patch
# Upstream ticket: https://bugs.exim.org/show_bug.cgi?id=2201
Patch32: exim-4.89-CVE-2017-16944.patch
Patch27: exim-4.90.1-environment.patch
Requires: /etc/pki/tls/certs /etc/pki/tls/private
Requires: /etc/aliases
@ -238,11 +225,6 @@ greylisting unconditional.
%patch25 -p1 -b .dynconfig
%patch26 -p1 -b .fpic
%patch27 -p1 -b .environment
%patch28 -p1 -b .mariadb-10.2-compile-fix
%patch29 -p1 -b .CVE-2017-1000369
%patch30 -p1 -b .calloutsize
%patch31 -p1 -b .CVE-2017-16943
%patch32 -p1 -b .CVE-2017-16944
cp src/EDITME Local/Makefile
sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@ -635,6 +617,16 @@ test "$1" = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
%{_sysconfdir}/cron.daily/greylist-tidy.sh
%changelog
* Tue Feb 13 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.90.1-1
- New version
Resolves: rhbz#1527710
- Fixed buffer overflow in utility function
Resolves: CVE-2018-6789
- Updated and defuzzified patches
- Dropped mariadb-macro-fix patch (not needed)
- Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943,
CVE-2017-16944 patches (all upstreamed)
* Fri Dec 1 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-4
- Fixed denial of service
Resolves: CVE-2017-16944
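Review bot: The changelog line `Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943, CVE-2017-16944 patches (all upstreamed)` is the only record left of where those fixes went, because the spec comments that pointed at the upstream commit and tickets appear to be removed together with the Patch29 to Patch32 lines and their `%patch` calls. Before merging I would confirm that the 4.90.1 tarball contains each of the four fixes and name the upstream release in that entry, so a later audit for these CVEs does not have to compare tarballs. The entry `Dropped mariadb-macro-fix patch (not needed)` also does not match the file name on the removed Patch28 line, `exim-4.89-mariadb-10.2-compile-fix.patch`; if that is the patch meant, the entry should use its file name.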


@ -1,2 +1,2 @@
SHA512 (sa-exim-4.2.tar.gz) = 2c1839c4d897bf65d19c754bbc9dc0674276ccad4a564c639591396afc23f1456decceec94817f62ee9b688f5d6d90436d3d47c869e04a69c955b1376c9fbd7b
SHA512 (exim-4.89.tar.xz) = ce5faef3847a5baf1b4fec1ffe46ce7efaafb24e63bcc52a61f38e8312a88eccaa816c3947ba428bef3eed38b1e91e606f6ed07bc0a3e14c6a6ed0ecb41eb9fa
SHA512 (exim-4.90.1.tar.xz) = b4830a2e03023b2bafc9e62535f467bb61b0f1398b6b3af0a7ef6f49e6cba60a9496e6762d0898b7ac1c2823db8cf96ed9f37e26b05809b4ba01725d9e72b806