Merge remote-tracking branch 'origin/master' into epel7

Resolves: CVE-2016-9963 Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
2017-01-02 13:00:58 +01:00 · 2017-01-02 13:00:58 +01:00 · c81d281a9d
parent df4a02e56c 296d145db8
commit c81d281a9d
19 changed files with 167 additions and 139 deletions
--- a/exim-4.85-pic.patch
+++ b/exim-4.85-pic.patch
@ -0,0 +1,13 @@
 diff --git a/src/lookups/Makefile b/src/lookups/Makefile
 index 6ba0cb1..21a7ad7 100644
 --- a/src/lookups/Makefile
 +++ b/src/lookups/Makefile
@@ -22,7 +22,7 @@ lookups.a:       $(OBJ)
 		 $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c
 .c.so:;          @echo "$(CC) -shared $*.c"
 -		 $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $*.c -o $@
 +		 $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $(PIC) $*.c -o $@
 lf_check_file.o: $(PHDRS) lf_check_file.c  lf_functions.h
 lf_quote.o:      $(PHDRS) lf_quote.c       lf_functions.h
--- a/exim-4.87-allow-filter.patch
+++ b/exim-4.87-allow-filter.patch
@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index 37a6a00..52e0536 100644
+index e4ca5b9..d1ce2f1 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -684,7 +684,7 @@ userforward:
+@@ -722,7 +722,7 @@ userforward:
 # local_part_suffix = +* : -*
 # local_part_suffix_optional
   file = $home/.forward
--- a/exim-4.87-cyrus.patch
+++ b/exim-4.87-cyrus.patch
@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index b631a4d..153c77b 100644
+index 12ed1e0..0af6fb8 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -721,6 +721,16 @@ address_reply:
+@@ -763,6 +763,16 @@ address_reply:
   driver = autoreply
--- a/exim-4.84.2-dlopen-localscan.patch
+++ b/exim-4.84.2-dlopen-localscan.patch
@ -1,8 +1,8 @@
 diff --git a/src/EDITME b/src/EDITME
-index a3ffd48..19027ac 100644
+index bbb7527..df3dcc8 100644
 --- a/src/EDITME
 +++ b/src/EDITME
-@@ -783,6 +783,20 @@ TLS_LIBS=-lssl -lcrypto
+@@ -784,6 +784,20 @@ TLS_LIBS=-lssl -lcrypto
 #------------------------------------------------------------------------------
@ -24,10 +24,10 @@ index a3ffd48..19027ac 100644
 # documentation. Other forms are available separately. If you want to install
 # the documentation in "info" format, first fetch the Texinfo documentation
 diff --git a/src/config.h.defaults b/src/config.h.defaults
-index ba4615c..878e687 100644
+index 266c268..6a4a1f8 100644
 --- a/src/config.h.defaults
 +++ b/src/config.h.defaults
-@@ -27,6 +27,8 @@ it's a default value. */
+@@ -28,6 +28,8 @@ it's a default value. */
 #define AUTH_VARS                     3
@ -37,11 +37,11 @@ index ba4615c..878e687 100644
 #define CONFIGURE_FILE
 diff --git a/src/globals.c b/src/globals.c
-index 08e6e8d..c78e731 100644
+index ec2685b..f8375bf 100644
 --- a/src/globals.c
 +++ b/src/globals.c
-@@ -162,6 +162,10 @@ uschar *tls_verify_certificates= NULL;
+@@ -171,6 +171,10 @@ uschar *tls_verify_hosts       = NULL;
- uschar *tls_verify_hosts       = NULL;
+ uschar *tls_advertise_hosts    = NULL;
 #endif
 +#ifdef DLOPEN_LOCAL_SCAN
@ -52,20 +52,21 @@ index 08e6e8d..c78e731 100644
 /* Per Recipient Data Response variables */
 BOOL    prdr_enable            = FALSE;
 diff --git a/src/globals.h b/src/globals.h
-index b3ad4b2..30d00f0 100644
+index 57a5695..0a60902 100644
 --- a/src/globals.h
 +++ b/src/globals.h
-@@ -126,6 +126,10 @@ extern uschar *tls_verify_certificates;/* Path for certificates to check */
+@@ -129,6 +129,11 @@ extern uschar *tls_try_verify_hosts;   /* Optional client verification */
 extern uschar *tls_verify_certificates;/* Path for certificates to check */
 extern uschar *tls_verify_hosts;       /* Mandatory client verification */
 #endif
- 
+
 +#ifdef DLOPEN_LOCAL_SCAN
 +extern uschar *local_scan_path;        /* Path to local_scan() library */
 +#endif
 +
- #ifdef EXPERIMENTAL_DSN
+ extern uschar *tls_advertise_hosts;    /* host for which TLS is advertised */
 extern uschar  *dsn_envid;             /* DSN envid string */
 extern int      dsn_ret;               /* DSN ret type*/
 diff --git a/src/local_scan.c b/src/local_scan.c
 index 3500047..8599172 100644
 --- a/src/local_scan.c
@ -250,10 +251,10 @@ index 3500047..8599172 100644
 +
 /* End of local_scan.c */
 diff --git a/src/readconf.c b/src/readconf.c
-index 6e33034..4688383 100644
+index 5ca6a84..f1ec503 100644
 --- a/src/readconf.c
 +++ b/src/readconf.c
-@@ -295,6 +295,9 @@ static optionlist optionlist_config[] = {
+@@ -317,6 +317,9 @@ static optionlist optionlist_config[] = {
   { "local_from_prefix",        opt_stringptr,   &local_from_prefix },
   { "local_from_suffix",        opt_stringptr,   &local_from_suffix },
   { "local_interfaces",         opt_stringptr,   &local_interfaces },
--- a/exim-4.87-dynlookup-config.patch
+++ b/exim-4.87-dynlookup-config.patch
@ -1,8 +1,8 @@
 diff --git a/src/EDITME b/src/EDITME
-index 07f8211..7d7a4a4 100644
+index df3dcc8..de01565 100644
 --- a/src/EDITME
 +++ b/src/EDITME
-@@ -301,14 +301,16 @@ LOOKUP_DSEARCH=yes
+@@ -306,14 +306,16 @@ LOOKUP_DSEARCH=yes
 # LOOKUP_IBASE=yes
 LOOKUP_LDAP=yes
 LDAP_LIB_TYPE=OPENLDAP2
@ -20,6 +20,6 @@ index 07f8211..7d7a4a4 100644
 LOOKUP_PASSWD=yes
 -LOOKUP_PGSQL=yes
 +LOOKUP_PGSQL=2
 # LOOKUP_REDIS=yes
 LOOKUP_SQLITE=yes
 # LOOKUP_WHOSON=yes
--- a/exim-4.87-environment.patch
+++ b/exim-4.87-environment.patch
@ -0,0 +1,14 @@
 diff --git a/src/configure.default b/src/configure.default
 --- a/src/configure.default
 +++ b/src/configure.default
@@ -357,8 +357,8 @@ timeout_frozen_after = 7d
 # Note that TZ is handled separateley by the timezone runtime option
 # and TIMEZONE_DEFAULT buildtime option.
 -# keep_environment = ^LDAP
 -# add_environment = PATH=/usr/bin::/bin
 +keep_environment = ^LDAP
 +add_environment = PATH=/usr/bin::/bin
--- a/exim-4.87-greylist-conf.patch
+++ b/exim-4.87-greylist-conf.patch
@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index 3728043..0126880 100644
+index 1f10008..40b3bb2 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -106,6 +106,7 @@ hostlist   relay_from_hosts = localhost
+@@ -107,6 +107,7 @@ hostlist   relay_from_hosts = localhost
 # manual for details. The lists above are used in the access control lists for
 # checking incoming messages. The names of these ACLs are defined here:
@ -10,7 +10,7 @@ index 3728043..0126880 100644
 acl_smtp_rcpt = acl_check_rcpt
 acl_smtp_data = acl_check_data
 acl_smtp_mime = acl_check_mime
-@@ -340,6 +341,29 @@ timeout_frozen_after = 7d
+@@ -368,6 +369,29 @@ timeout_frozen_after = 7d
 begin acl
@ -40,7 +40,7 @@ index 3728043..0126880 100644
 # This access control list is used for every RCPT command in an incoming
 # SMTP message. The tests are run in order until the address is either
 # accepted or denied.
-@@ -460,7 +484,8 @@ acl_check_rcpt:
+@@ -493,7 +517,8 @@ acl_check_rcpt:
   # There are no default checks on DNS black lists because the domains that
   # contain these lists are changing all the time. However, here are two
   # examples of how you can get Exim to perform a DNS black list lookup at this
@ -50,7 +50,7 @@ index 3728043..0126880 100644
   #
   # deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
   #         dnslists      = black.list.example
-@@ -468,6 +493,10 @@ acl_check_rcpt:
+@@ -501,6 +526,10 @@ acl_check_rcpt:
   # warn    dnslists      = black.list.example
   #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
   #         log_message   = found in $dnslist_domain
@ -61,7 +61,7 @@ index 3728043..0126880 100644
   #############################################################################
   #############################################################################
-@@ -481,6 +510,10 @@ acl_check_rcpt:
+@@ -514,6 +543,10 @@ acl_check_rcpt:
   # require verify = csa
   #############################################################################
@ -72,7 +72,7 @@ index 3728043..0126880 100644
   # At this point, the address has passed all the checks that have been
   # configured, so we accept it unconditionally.
-@@ -506,6 +539,12 @@ acl_check_data:
+@@ -544,6 +577,12 @@ acl_check_data:
   # deny    condition  = ${if !def:h_Message-ID: {1}}
   #         message    = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
   #                      Most messages without it are spam, so your mail has been rejected.
@ -85,7 +85,7 @@ index 3728043..0126880 100644
   # Deny if the message contains a virus. Before enabling this check, you
   # must install a virus scanner and set the av_scanner option above.
-@@ -540,8 +579,30 @@ acl_check_data:
+@@ -578,8 +617,30 @@ acl_check_data:
   #         message   = Your message scored $spam_score SpamAssassin point. Report follows:\n\
   #  	    	        $spam_report
--- a/exim-4.87-localhost-is-local.patch
+++ b/exim-4.87-localhost-is-local.patch
@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index 52e0536..3728043 100644
+index d1ce2f1..1f10008 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -54,7 +54,7 @@
+@@ -55,7 +55,7 @@
 # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
 # are all colon-separated lists:
--- a/exim-4.87-pamconfig.patch
+++ b/exim-4.87-pamconfig.patch
@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index 153c77b..38f0f56 100644
+index 0af6fb8..531435b 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -141,7 +141,7 @@ acl_smtp_data = acl_check_data
+@@ -142,7 +142,7 @@ acl_smtp_data = acl_check_data
 # Allow any client to use TLS.
@ -11,7 +11,7 @@ index 153c77b..38f0f56 100644
 # Specify the location of the Exim server's TLS certificate and private key.
 # The private key must not be encrypted (password protected). You can put
-@@ -149,8 +149,8 @@ acl_smtp_data = acl_check_data
+@@ -150,8 +150,8 @@ acl_smtp_data = acl_check_data
 # need the first setting, or in separate files, in which case you need both
 # options.
@ -22,7 +22,7 @@ index 153c77b..38f0f56 100644
 # In order to support roaming users who wish to send email from anywhere,
 # you may want to make Exim listen on other ports as well as port 25, in
-@@ -161,8 +161,8 @@ acl_smtp_data = acl_check_data
+@@ -162,8 +162,8 @@ acl_smtp_data = acl_check_data
 # them you should also allow TLS-on-connect on the traditional but
 # non-standard port 465.
@ -33,7 +33,7 @@ index 153c77b..38f0f56 100644
 # Specify the domain you want to be added to all unqualified addresses
-@@ -220,6 +220,24 @@ never_users = root
+@@ -221,6 +221,24 @@ never_users = root
 host_lookup = *
@ -56,9 +56,9 @@ index 153c77b..38f0f56 100644
 +#
 +auth_advertise_hosts =
- # The settings below, which are actually the same as the defaults in the
+ # The settings below cause Exim to make RFC 1413 (ident) callbacks
- # code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
+ # for all incoming SMTP calls. You can limit the hosts to which these
-@@ -800,7 +818,7 @@ begin authenticators
+@@ -842,7 +860,7 @@ begin authenticators
 #  driver                     = plaintext
 #  server_set_id              = $auth2
 #  server_prompts             = :
@ -67,7 +67,7 @@ index 153c77b..38f0f56 100644
 #  server_advertise_condition = ${if def:tls_in_cipher }
 # LOGIN authentication has traditional prompts and responses. There is no
-@@ -812,7 +830,7 @@ begin authenticators
+@@ -854,7 +872,7 @@ begin authenticators
 #  driver                     = plaintext
 #  server_set_id              = $auth1
 #  server_prompts             = <| Username: | Password:
--- a/exim-4.87-procmail.patch
+++ b/exim-4.87-procmail.patch
@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index 8b599d2..37a6a00 100644
+index 374c51d..e4ca5b9 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -692,6 +692,12 @@ userforward:
+@@ -730,6 +730,12 @@ userforward:
   pipe_transport = address_pipe
   reply_transport = address_reply
@ -15,9 +15,9 @@ index 8b599d2..37a6a00 100644
 # This router matches local user mailboxes. If the router fails, the error
 # message is "Unknown user".
-@@ -729,6 +735,16 @@ begin transports
+@@ -771,6 +777,16 @@ remote_smtp:
 remote_smtp:
   driver = smtp
   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
 +# This transport invokes procmail to deliver mail
 +procmail:
--- a/exim-4.87-rhl.patch
+++ b/exim-4.87-rhl.patch
@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index 1274349..b631a4d 100644
+index 3c8cf97..12ed1e0 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -590,7 +590,7 @@ system_aliases:
+@@ -628,7 +628,7 @@ system_aliases:
   driver = redirect
   allow_fail
   allow_defer
@ -11,7 +11,7 @@ index 1274349..b631a4d 100644
 # user = exim
   file_transport = address_file
   pipe_transport = address_pipe
-@@ -687,8 +687,8 @@ local_delivery:
+@@ -729,8 +729,8 @@ local_delivery:
   delivery_date_add
   envelope_to_add
   return_path_add
--- a/exim-4.87-smarthost-config.patch
+++ b/exim-4.87-smarthost-config.patch
@ -1,10 +1,10 @@
 diff --git a/src/configure.default b/src/configure.default
-index 0126880..b7c30ac 100644
+index 40b3bb2..9acae90 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -796,6 +796,15 @@ begin transports
+@@ -838,6 +838,15 @@ remote_smtp:
 remote_smtp:
   driver = smtp
   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
 +# This transport is used for delivering messages over SMTP using the
 +# "message submission" port (RFC4409).
@ -18,7 +18,7 @@ index 0126880..b7c30ac 100644
 # This transport invokes procmail to deliver mail
 procmail:
   driver = pipe
-@@ -904,6 +913,21 @@ begin rewrite
+@@ -946,6 +955,21 @@ begin rewrite
 #                   AUTHENTICATION CONFIGURATION                     #
 ######################################################################
@ -40,7 +40,7 @@ index 0126880..b7c30ac 100644
 # The following authenticators support plaintext username/password
 # authentication using the standard PLAIN mechanism and the traditional
 # but non-standard LOGIN mechanism, with Exim acting as the server.
-@@ -919,7 +943,7 @@ begin rewrite
+@@ -961,7 +985,7 @@ begin rewrite
 # The default RCPT ACL checks for successful authentication, and will accept
 # messages from authenticated users from anywhere on the Internet.
--- a/exim-4.87-spamdconf.patch
+++ b/exim-4.87-spamdconf.patch
@ -1,8 +1,6 @@
-diff --git a/src/configure.default b/src/configure.default
+--- a/src/configure.default.spamd	2016-12-25 21:06:57.453758443 +0000
-index 38f0f56..8b599d2 100644
+++ b/src/configure.default	2016-12-25 21:07:49.940188407 +0000
--- a/src/configure.default
+@@ -109,6 +109,7 @@ hostlist   relay_from_hosts = localhost
 +++ b/src/configure.default
@@ -108,6 +108,7 @@ hostlist   relay_from_hosts = localhost
 acl_smtp_rcpt = acl_check_rcpt
 acl_smtp_data = acl_check_data
@ -10,7 +8,7 @@ index 38f0f56..8b599d2 100644
 # You should not change those settings until you understand how ACLs work.
-@@ -120,7 +121,7 @@ acl_smtp_data = acl_check_data
+@@ -121,7 +122,7 @@ acl_smtp_data = acl_check_data
 # of what to set for other virus scanners. The second modification is in the
 # acl_check_data access control list (see below).
@ -19,7 +17,7 @@ index 38f0f56..8b599d2 100644
 # For spam scanning, there is a similar option that defines the interface to
-@@ -403,7 +404,8 @@ acl_check_rcpt:
+@@ -431,7 +432,8 @@ acl_check_rcpt:
   accept  local_parts   = postmaster
           domains       = +local_domains
@ -29,9 +27,9 @@ index 38f0f56..8b599d2 100644
   require verify        = sender
-@@ -495,27 +497,63 @@ acl_check_rcpt:
+@@ -535,27 +537,63 @@ acl_check_data:
- 
+                        got $max_received_linelength
- acl_check_data:
+           condition  = ${if > {$max_received_linelength}{998}}
 +  # Put simple tests first. A good one is to check for the presence of a
 +  # Message-Id: header, which RFC2822 says SHOULD be present. Some broken
@ -52,6 +50,12 @@ index 38f0f56..8b599d2 100644
 -  # Add headers to a message if it is judged to be spam. Before enabling this,
 -  # you must install SpamAssassin. You may also need to set the spamd_address
 -  # option above.
 -  #
 -  # warn    spam       = nobody
 -  #         add_header = X-Spam_score: $spam_score\n\
 -  #                      X-Spam_score_int: $spam_score_int\n\
 -  #                      X-Spam_bar: $spam_bar\n\
 -  #                      X-Spam_report: $spam_report
 +  # Bypass SpamAssassin checks if the message is too large.
 +  #
 +  # accept  condition  = ${if >={$message_size}{100000} {1}}
@ -66,12 +70,7 @@ index 38f0f56..8b599d2 100644
 +  #
 +  # accept  condition  = ${if !def:spam_score_int {1}}
 +  #         add_header = X-Spam-Note: SpamAssassin invocation failed
-   #
+  #
 -  # warn    spam       = nobody
 -  #         add_header = X-Spam_score: $spam_score\n\
 -  #                      X-Spam_score_int: $spam_score_int\n\
 -  #                      X-Spam_bar: $spam_bar\n\
 -  #                      X-Spam_report: $spam_report
 +
 +  # Unconditionally add score and report headers
 +  #
--- a/exim-4.88-config.patch
+++ b/exim-4.88-config.patch
@ -1,8 +1,8 @@
-diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile
+diff --git a/src/scripts/Configure-Makefile b/src/scripts/Configure-Makefile
-index eeb26ee..9cb6385 100755
+index 3e486a6..6c4afec 100755
 --- a/scripts/Configure-Makefile
 +++ b/scripts/Configure-Makefile
-@@ -249,7 +249,7 @@ if [ "${EXIM_PERL}" != "" ] ; then
+@@ -269,7 +269,7 @@ if [ "${EXIM_PERL}" != "" ] ; then
   mv $mft $mftt
   echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft
@ -11,8 +11,8 @@ index eeb26ee..9cb6385 100755
   echo "PERL_LIBS=`$PERL_COMMAND -MExtUtils::Embed -e ldopts`" >>$mft
   echo "" >>$mft
   cat $mftt >> $mft
-diff --git a/src/EDITME b/src/EDITME
+diff --git a/src/src/EDITME b/src/src/EDITME
-index d576fd7..a3ffd48 100644
+index 6929346..5a08197 100644
 --- a/src/EDITME
 +++ b/src/EDITME
@@ -98,7 +98,7 @@
@ -73,7 +73,7 @@ index d576fd7..a3ffd48 100644
 #------------------------------------------------------------------------------
-@@ -296,18 +296,20 @@ LOOKUP_DBM=yes
+@@ -301,19 +301,21 @@ LOOKUP_DBM=yes
 LOOKUP_LSEARCH=yes
 LOOKUP_DNSDB=yes
@ -96,32 +96,25 @@ index d576fd7..a3ffd48 100644
 # LOOKUP_ORACLE=yes
 -# LOOKUP_PASSWD=yes
 -# LOOKUP_PGSQL=yes
 -# LOOKUP_SQLITE=yes
 -# LOOKUP_SQLITE_PC=sqlite3
 +LOOKUP_PASSWD=yes
 +LOOKUP_PGSQL=yes
 # LOOKUP_REDIS=yes
 -# LOOKUP_SQLITE=yes
 -# LOOKUP_SQLITE_PC=sqlite3
 +LOOKUP_SQLITE=yes
 # LOOKUP_WHOSON=yes
 # These two settings are obsolete; all three lookups are compiled when
-@@ -383,14 +385,14 @@ EXIM_MONITOR=eximon.bin
+@@ -390,7 +392,7 @@ EXIM_MONITOR=eximon.bin
 # and the MIME ACL. Please read the documentation to learn more about these
 # features.
 -# WITH_CONTENT_SCAN=yes
 +WITH_CONTENT_SCAN=yes
- # If you want to use the deprecated "demime" condition in the DATA ACL,
+ #------------------------------------------------------------------------------
 # uncomment the line below. Doing so will also explicitly turn on the
 # WITH_CONTENT_SCAN option. If possible, use the MIME ACL instead of
 # the "demime" condition.
 -# WITH_OLD_DEMIME=yes
 +WITH_OLD_DEMIME=yes
 # If you're using ClamAV and are backporting fixes to an old version, instead
- # of staying current (which is the more usual approach) then you may need to
+@@ -577,7 +579,7 @@ FIXED_NEVER_USERS=root
@@ -573,7 +575,7 @@ FIXED_NEVER_USERS=root
 # CONFIGURE_OWNER setting, to specify a configuration file which is listed in
 # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim.
@ -130,7 +123,7 @@ index d576fd7..a3ffd48 100644
 #------------------------------------------------------------------------------
-@@ -618,15 +620,13 @@ FIXED_NEVER_USERS=root
+@@ -622,16 +624,14 @@ FIXED_NEVER_USERS=root
 # included in the Exim binary. You will then need to set up the run time
 # configuration to make use of the mechanism(s) selected.
@ -143,6 +136,7 @@ index d576fd7..a3ffd48 100644
 -# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
 -# AUTH_PLAINTEXT=yes
 -# AUTH_SPA=yes
 -# AUTH_TLS=yes
 +AUTH_CRAM_MD5=yes
 +AUTH_CYRUS_SASL=yes
 +AUTH_DOVECOT=yes
@ -150,10 +144,11 @@ index d576fd7..a3ffd48 100644
 +AUTH_GSASL_PC=libgsasl
 +AUTH_PLAINTEXT=yes
 +AUTH_SPA=yes
 +AUTH_TLS=yes
 #------------------------------------------------------------------------------
-@@ -647,7 +647,7 @@ FIXED_NEVER_USERS=root
+@@ -652,7 +652,7 @@ FIXED_NEVER_USERS=root
 # one that is set in the headers_charset option. The default setting is
 # defined by this setting:
@ -162,7 +157,7 @@ index d576fd7..a3ffd48 100644
 # If you are going to make use of $header_xxx expansions in your configuration
 # file, or if your users are going to use them in filter files, and the normal
-@@ -667,7 +667,7 @@ HEADERS_CHARSET="ISO-8859-1"
+@@ -672,7 +672,7 @@ HEADERS_CHARSET="ISO-8859-1"
 # the Sieve filter support. For those OS where iconv() is known to be installed
 # as standard, the file in OS/Makefile-xxxx contains
 #
@ -171,7 +166,7 @@ index d576fd7..a3ffd48 100644
 #
 # If you are not using one of those systems, but have installed iconv(), you
 # need to uncomment that line above. In some cases, you may find that iconv()
-@@ -729,11 +729,11 @@ HEADERS_CHARSET="ISO-8859-1"
+@@ -734,11 +734,11 @@ HEADERS_CHARSET="ISO-8859-1"
 # leave these settings commented out.
 # This setting is required for any TLS support (either OpenSSL or GnuTLS)
@ -186,7 +181,7 @@ index d576fd7..a3ffd48 100644
 # Uncomment the first and either the second or the third of these if you
 # are using GnuTLS.  If you have pkg-config, then the second, else the third.
-@@ -798,7 +798,7 @@ HEADERS_CHARSET="ISO-8859-1"
+@@ -807,7 +807,7 @@ HEADERS_CHARSET="ISO-8859-1"
 # Once you have done this, "make install" will build the info files and
 # install them in the directory you have defined.
@ -195,7 +190,7 @@ index d576fd7..a3ffd48 100644
 #------------------------------------------------------------------------------
-@@ -811,7 +811,7 @@ HEADERS_CHARSET="ISO-8859-1"
+@@ -820,7 +820,7 @@ HEADERS_CHARSET="ISO-8859-1"
 # %s. This will be replaced by one of the strings "main", "panic", or "reject"
 # to form the final file names. Some installations may want something like this:
@ -204,7 +199,7 @@ index d576fd7..a3ffd48 100644
 # which results in files with names /var/log/exim_mainlog, etc. The directory
 # in which the log files are placed must exist; Exim does not try to create
-@@ -877,7 +877,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -892,7 +892,7 @@ ZCAT_COMMAND=/usr/bin/zcat
 # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded
 # Perl costs quite a lot of resources. Only do this if you really need it.
@ -213,7 +208,7 @@ index d576fd7..a3ffd48 100644
 #------------------------------------------------------------------------------
-@@ -887,7 +887,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -902,7 +902,7 @@ ZCAT_COMMAND=/usr/bin/zcat
 # that the local_scan API is made available by the linker. You may also need
 # to add -ldl to EXTRALIBS so that dlopen() is available to Exim.
@ -222,7 +217,7 @@ index d576fd7..a3ffd48 100644
 #------------------------------------------------------------------------------
-@@ -897,7 +897,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -912,7 +912,7 @@ ZCAT_COMMAND=/usr/bin/zcat
 # support, which is intended for use in conjunction with the SMTP AUTH
 # facilities, is included only when requested by the following setting:
@ -231,7 +226,7 @@ index d576fd7..a3ffd48 100644
 # You probably need to add -lpam to EXTRALIBS, and in some releases of
 # GNU/Linux -ldl is also needed.
-@@ -965,7 +965,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -1006,7 +1006,7 @@ ZCAT_COMMAND=/usr/bin/zcat
 # group. Once you have installed saslauthd, you should arrange for it to be
 # started by root at boot time.
@ -240,7 +235,7 @@ index d576fd7..a3ffd48 100644
 #------------------------------------------------------------------------------
-@@ -978,9 +978,9 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -1019,9 +1019,9 @@ ZCAT_COMMAND=/usr/bin/zcat
 # You may well also have to specify a local "include" file and an additional
 # library for TCP wrappers, so you probably need something like this:
 #
@ -253,7 +248,7 @@ index d576fd7..a3ffd48 100644
 #
 # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM
 # as well.
-@@ -1032,7 +1032,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+@@ -1073,7 +1073,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
 # is "yes", as well as supporting line editing, a history of input lines in the
 # current run is maintained.
@ -262,7 +257,7 @@ index d576fd7..a3ffd48 100644
 # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes.
 # Note that this option adds to the size of the Exim binary, because the
-@@ -1042,7 +1042,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+@@ -1083,7 +1083,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
 #------------------------------------------------------------------------------
 # Uncomment this setting to include IPv6 support.
@ -271,7 +266,7 @@ index d576fd7..a3ffd48 100644
 ###############################################################################
 #              THINGS YOU ALMOST NEVER NEED TO MENTION                        #
-@@ -1063,13 +1063,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+@@ -1104,13 +1104,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
 # haven't got Perl, Exim will still build and run; you just won't be able to
 # use those utilities.
@ -292,7 +287,7 @@ index d576fd7..a3ffd48 100644
 #------------------------------------------------------------------------------
-@@ -1269,7 +1269,7 @@ TMPDIR="/tmp"
+@@ -1312,7 +1312,7 @@ EXIM_TMPDIR="/tmp"
 # (process id) to a file so that it can easily be identified. The path of the
 # file can be specified here. Some installations may want something like this:
--- a/14
+++ b/14
@ -2,6 +2,14 @@
 . /etc/sysconfig/network
 # Source exim configureation.
 if [ -f /etc/sysconfig/exim ] ; then
        . /etc/sysconfig/exim
 fi
 USER=${USER:=exim}
 GROUP=${GROUP:=exim}
 gen_cert() {
        if [ ! -f /etc/pki/tls/certs/exim.pem ] ; then
                umask 077
@ -22,11 +30,11 @@ ${FQDN}
 root@${FQDN}
 EOF
                if [ $? -eq 0 ]; then
-                        success
+                        echo success
-                        chown exim.exim /etc/pki/tls/{private,certs}/exim.pem
+                        chown $USER:$GROUP /etc/pki/tls/{private,certs}/exim.pem
                        chmod 600 /etc/pki/tls/{private,certs}/exim.pem
                else
-                        failure
+                        echo failure
                fi
                echo
        fi
--- a/exim.init
+++ b/exim.init
@ -23,6 +23,9 @@ else
 	QUEUE=1h
 fi
 USER=${USER:=exim}
 GROUP=${GROUP:=exim}
 gen_cert() {
 	if [ ! -f /etc/pki/tls/certs/exim.pem ] ; then
 		umask 077
@ -44,7 +47,7 @@ root@${FQDN}
 EOF
 		if [ $? -eq 0 ]; then
 			success
-			chown exim.exim /etc/pki/tls/{private,certs}/exim.pem
+			chown $USER:$GROUP /etc/pki/tls/{private,certs}/exim.pem
 			chmod 600 /etc/pki/tls/{private,certs}/exim.pem
 		else
 			failure
@ -65,7 +68,7 @@ start() {
 	then
 	    if [ "exim" != "`ls -l /var/log/exim/main.log | awk '{print $4}'`" ]
 	    then
-		chown -R exim:exim /var/log/exim /var/spool/exim
+		chown -R $USER:$GROUP /var/log/exim /var/spool/exim
 	    fi
 	fi
--- a/exim.spec
+++ b/exim.spec
@ -14,8 +14,8 @@
 Summary: The exim mail transfer agent
 Name: exim
-Version: 4.84.2
+Version: 4.88
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: GPLv2+
 Url: http://www.exim.org/
 Group: System Environment/Daemons
@ -52,21 +52,22 @@ Source25: exim-gen-cert
 Source26: clamd.exim.service
 %endif
-Patch4: exim-rhl.patch
+Patch4: exim-4.87-rhl.patch
-Patch6: exim-4.83-config.patch
+Patch6: exim-4.88-config.patch
 Patch8: exim-4.82-libdir.patch
-Patch12: exim-4.82-cyrus.patch
+Patch12: exim-4.87-cyrus.patch
-Patch13: exim-4.82-pamconfig.patch
+Patch13: exim-4.87-pamconfig.patch
-Patch14: exim-4.83-spamdconf.patch
+Patch14: exim-4.87-spamdconf.patch
-Patch18: exim-4.84.2-dlopen-localscan.patch
+Patch18: exim-4.87-dlopen-localscan.patch
-Patch19: exim-4.82-procmail.patch
+Patch19: exim-4.87-procmail.patch
-Patch20: exim-4.82-allow-filter.patch
+Patch20: exim-4.87-allow-filter.patch
-Patch21: exim-4.82-localhost-is-local.patch
+Patch21: exim-4.87-localhost-is-local.patch
-Patch22: exim-4.82-greylist-conf.patch
+Patch22: exim-4.87-greylist-conf.patch
-Patch23: exim-4.82-smarthost-config.patch
+Patch23: exim-4.87-smarthost-config.patch
-Patch25: exim-4.82-dynlookup-config.patch
+Patch25: exim-4.87-dynlookup-config.patch
-Patch26: exim-4.84-mime-fix.patch
+# Upstream ticket: http://bugs.exim.org/show_bug.cgi?id=1584
-Patch27: exim-4.84.2-environment.patch
+Patch26: exim-4.85-pic.patch
 Patch27: exim-4.87-environment.patch
 Requires: /etc/pki/tls/certs /etc/pki/tls/private
 Requires: /etc/aliases
@ -223,7 +224,7 @@ greylisting unconditional.
 %patch22 -p1 -b .grey
 %patch23 -p1 -b .smarthost
 %patch25 -p1 -b .dynconfig
-%patch26 -p1 -b .mime-fix
+%patch26 -p1 -b .fpic
 %patch27 -p1 -b .environment
 cp src/EDITME Local/Makefile
@ -235,8 +236,10 @@ cp exim_monitor/EDITME Local/eximon.conf
 %build
 %ifnarch s390 s390x sparc sparcv9 sparcv9v sparc64 sparc64v
 	export PIE=-fpie
 	export PIC=-fpic
 %else
 	export PIE=-fPIE
 	export PIC=-fPIC
 %endif
 make _lib=%{_lib} FULLECHO=
@ -615,20 +618,10 @@ test "$1"  = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
 %{_sysconfdir}/cron.daily/greylist-tidy.sh
 %changelog
-* Mon Apr 18 2016 Jaroslav Škarvada <jskarvad@redhat.com> - 4.84.2-2
+* Mon Jan  2 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.88-1
- Used sane environment defaults in default configuration
+- New version
-  Resolves: rhbz#1323775
+- Fixed DKIM private key leakage
-
+  Resolves: CVE-2016-9963
 * Thu Mar  3 2016 Jaroslav Škarvada <jskarvad@redhat.com> - 4.84.2-1
 - New version (security bug fix release)
  Resolves: rhbz#1314118
 - Fixed local privilege escalation for set-uid root when using perl_startup
  Resolves: CVE-2016-1531
 - Defuzzified patches
 * Mon Dec  7 2015 Jaroslav Škarvada <jskarvad@redhat.com> - 4.84-5
 - MIME crash fix (by mime-fix patch)
  Resolves: rhbz#1289056
 * Fri Oct 10 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 4.84-4
 - Do not override LFLAGS (problem reported by Todd Lyons)
--- a/exim.sysconfig
+++ b/exim.sysconfig
@ -1,2 +1,4 @@
 DAEMON=yes
 QUEUE=1h
 USER=exim
 GROUP=exim
--- a/2
+++ b/2
@ -1 +1 @@
-3c3ff9edbc82c8ffe7a4cfff23f6d904  exim-4.84.2.tar.bz2
+SHA512 (exim-4.88.tar.bz2) = ea094bf703628c201de119fc5f09539475e52158e935f8f2a9e4138c4a1bfe885017145c3cc5e22aa9087b195091955c69385ebf1ea0baec64ed5c1b8e3b1caf
`@ -1 +1 @@`
	`3c3ff9edbc82c8ffe7a4cfff23f6d904 exim-4.84.2.tar.bz2`	`SHA512 (exim-4.88.tar.bz2) = ea094bf703628c201de119fc5f09539475e52158e935f8f2a9e4138c4a1bfe885017145c3cc5e22aa9087b195091955c69385ebf1ea0baec64ed5c1b8e3b1caf`