New version

Resolves: rhbz#1956859
2021-05-04 19:57:47 +02:00 · 2021-05-04 19:57:47 +02:00 · ef659585d9
commit ef659585d9
parent a8bf41bfdb
5 changed files with 35 additions and 189 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-exim-*.tar.xz
-exim-*.tar.xz.asc
+/exim-*.tar.xz
+/exim-*.tar.xz.asc
--- a/exim-4.94-tls-cname-handling-fix.patch
+++ b/exim-4.94-tls-cname-handling-fix.patch
@ -1,154 +0,0 @@
-diff --git a/src/host.c b/src/host.c
-index 0e0e013..99bbba7 100644
--- a/src/host.c
-+++ b/src/host.c
-@@ -1950,6 +1950,13 @@ BOOL temp_error = FALSE;
- int af;
- #endif
- 
-+#ifndef DISABLE_TLS
-+/* Copy the host name at this point to the value which is used for
-+TLS certificate name checking, before anything modifies it.  */
-+
-+host->certname = host->name;
-+#endif
-+
- /* Make sure DNS options are set as required. This appears to be necessary in
- some circumstances when the get..byname() function actually calls the DNS. */
- 
-@@ -2117,6 +2124,9 @@ for (int i = 1; i <= times;
-       {
-       host_item *next = store_get(sizeof(host_item), FALSE);
-       next->name = host->name;
-+#ifndef DISABLE_TLS
-+      next->certname = host->certname;
-+#endif
-       next->mx = host->mx;
-       next->address = text_address;
-       next->port = PORT_NONE;
-@@ -2135,12 +2145,12 @@ for (int i = 1; i <= times;
- NULL. If temp_error is set, at least one of the lookups gave a temporary error,
- so we pass that back. */
- 
-if (host->address == NULL)
-+if (!host->address)
-   {
-   uschar *msg =
-     #ifndef STAND_ALONE
-    (message_id[0] == 0 && smtp_in != NULL)?
-      string_sprintf("no IP address found for host %s (during %s)", host->name,
-+    message_id[0] == 0 && smtp_in
-+      ? string_sprintf("no IP address found for host %s (during %s)", host->name,
-           smtp_get_connection_info()) :
-     #endif
-     string_sprintf("no IP address found for host %s", host->name);
-@@ -2260,6 +2270,13 @@ BOOL v6_find_again = FALSE;
- BOOL dnssec_fail = FALSE;
- int i;
- 
-+#ifndef DISABLE_TLS
-+/* Copy the host name at this point to the value which is used for
-+TLS certificate name checking, before any CNAME-following modifies it.  */
-+
-+host->certname = host->name;
-+#endif
-+
- /* If allow_ip is set, a name which is an IP address returns that value
- as its address. This is used for MX records when allow_mx_to_ip is set, for
- those sites that feel they have to flaunt the RFC rules. */
-diff --git a/src/structs.h b/src/structs.h
-index c6700d5..206237f 100644
--- a/src/structs.h
-+++ b/src/structs.h
-@@ -80,14 +80,17 @@ typedef enum {DS_UNK=-1, DS_NO, DS_YES} dnssec_status_t;
- 
- typedef struct host_item {
-   struct host_item *next;
-  const uschar *name;             /* Host name */
-  const uschar *address;          /* IP address in text form */
-  int     port;                   /* port value in host order (if SRV lookup) */
-  int     mx;                     /* MX value if found via MX records */
-  int     sort_key;               /* MX*1000 plus random "fraction" */
-  int     status;                 /* Usable, unusable, or unknown */
-  int     why;                    /* Why host is unusable */
-  int     last_try;               /* Time of last try if known */
-+  const uschar *name;		/* Host name */
-+#ifndef DISABLE_TLS
-+  const uschar *certname;	/* Name used for certificate checks */
-+#endif
-+  const uschar *address;	/* IP address in text form */
-+  int     port;			/* port value in host order (if SRV lookup) */
-+  int     mx;			/* MX value if found via MX records */
-+  int     sort_key;		/* MX*1000 plus random "fraction" */
-+  int     status;		/* Usable, unusable, or unknown */
-+  int     why;			/* Why host is unusable */
-+  int     last_try;		/* Time of last try if known */
-   dnssec_status_t dnssec;
- } host_item;
- 
-diff --git a/src/tls-gnu.c b/src/tls-gnu.c
-index 24114f0..875c82e 100644
--- a/src/tls-gnu.c
-+++ b/src/tls-gnu.c
-@@ -2601,9 +2601,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
-   {
-   state->exp_tls_verify_cert_hostnames =
- #ifdef SUPPORT_I18N
-    string_domain_utf8_to_alabel(host->name, NULL);
-+    string_domain_utf8_to_alabel(host->certname, NULL);
- #else
-    host->name;
-+    host->certname;
- #endif
-   DEBUG(D_tls)
-     debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
-diff --git a/src/tls-openssl.c b/src/tls-openssl.c
-index 8c9d8aa..a623229 100644
--- a/src/tls-openssl.c
-+++ b/src/tls-openssl.c
-@@ -372,10 +372,10 @@ typedef struct ocsp_resp {
- } ocsp_resplist;
- 
- typedef struct tls_ext_ctx_cb {
-  tls_support * tlsp;
-  uschar *certificate;
-  uschar *privatekey;
-  BOOL is_server;
-+  tls_support *	tlsp;
-+  uschar *	certificate;
-+  uschar *	privatekey;
-+  BOOL		is_server;
- #ifndef DISABLE_OCSP
-   STACK_OF(X509) *verify_stack;		/* chain for verifying the proof */
-   union {
-@@ -390,14 +390,14 @@ typedef struct tls_ext_ctx_cb {
-     } client;
-   } u_ocsp;
- #endif
-  uschar *dhparam;
-+  uschar *	dhparam;
-   /* these are cached from first expand */
-  uschar *server_cipher_list;
-+  uschar *	server_cipher_list;
-   /* only passed down to tls_error: */
-  host_item *host;
-+  host_item *	host;
-   const uschar * verify_cert_hostnames;
- #ifndef DISABLE_EVENT
-  uschar * event_action;
-+  uschar *	event_action;
- #endif
- } tls_ext_ctx_cb;
- 
-@@ -2915,9 +2915,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
-   {
-   cbinfo->verify_cert_hostnames =
- #ifdef SUPPORT_I18N
-    string_domain_utf8_to_alabel(host->name, NULL);
-+    string_domain_utf8_to_alabel(host->certname, NULL);
- #else
-    host->name;
-+    host->certname;
- #endif
-   DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
- 		    cbinfo->verify_cert_hostnames);
--- a/exim-4.94.2-config.patch
+++ b/exim-4.94.2-config.patch
@ -12,7 +12,7 @@ index 61368ec..e8fe9ef 100755
   echo "" >>$mft
   cat $mftt >> $mft
 diff --git a/src/EDITME b/src/EDITME
-index e568bdb..65082b5 100644
+index 8da36a3..9b7682c 100644
 --- a/src/EDITME
 +++ b/src/EDITME
@@ -99,7 +99,7 @@
@ -361,7 +361,7 @@ index e568bdb..65082b5 100644
 # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
 # using the name "exim-daemon.pid".
 diff --git a/src/configure.default b/src/configure.default
-index 3423ee0..7d1e552 100644
+index d94c148..1f6afd4 100644
 --- a/src/configure.default
 +++ b/src/configure.default
@@ -67,7 +67,7 @@
@ -524,7 +524,7 @@ index 3423ee0..7d1e552 100644
 
   require verify        = sender
 
-@@ -471,6 +522,7 @@ acl_check_rcpt:
+@@ -485,6 +536,7 @@ acl_check_rcpt:
   accept  hosts         = +relay_from_hosts
           control       = submission
           control       = dkim_disable_verify
@ -532,7 +532,7 @@ index 3423ee0..7d1e552 100644
 
   # Accept if the message arrived over an authenticated connection, from
   # any host. Again, these messages are usually from MUAs, so recipient
-@@ -480,6 +532,7 @@ acl_check_rcpt:
+@@ -494,6 +546,7 @@ acl_check_rcpt:
   accept  authenticated = *
           control       = submission
           control       = dkim_disable_verify
@ -540,7 +540,7 @@ index 3423ee0..7d1e552 100644
 
   # Insist that a HELO/EHLO was accepted.
 
-@@ -505,7 +558,8 @@ acl_check_rcpt:
+@@ -519,7 +572,8 @@ acl_check_rcpt:
   # There are no default checks on DNS black lists because the domains that
   # contain these lists are changing all the time. However, here are two
   # examples of how you can get Exim to perform a DNS black list lookup at this
@ -550,7 +550,7 @@ index 3423ee0..7d1e552 100644
   #
   # deny    dnslists      = black.list.example
   #         message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
-@@ -513,6 +567,10 @@ acl_check_rcpt:
+@@ -527,6 +581,10 @@ acl_check_rcpt:
   # warn    dnslists      = black.list.example
   #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
   #         log_message   = found in $dnslist_domain
@ -561,7 +561,7 @@ index 3423ee0..7d1e552 100644
   #############################################################################
 
   #############################################################################
-@@ -539,6 +597,10 @@ acl_check_rcpt:
+@@ -553,6 +611,10 @@ acl_check_rcpt:
   #        set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
   #############################################################################
 
@ -572,7 +572,7 @@ index 3423ee0..7d1e552 100644
   # At this point, the address has passed all the checks that have been
   # configured, so we accept it unconditionally.
 
-@@ -588,21 +650,32 @@ acl_check_data:
+@@ -602,21 +664,32 @@ acl_check_data:
           message =     header syntax
           log_message = header syntax ($acl_verify_message)
 
@ -601,20 +601,19 @@ index 3423ee0..7d1e552 100644
 -  # Add headers to a message if it is judged to be spam. Before enabling this,
 -  # you must install SpamAssassin. You may also need to set the spamd_address
 -  # option above.
-  #
+  # Bypass SpamAssassin checks if the message is too large.
+   #
 -  # warn    spam       = nobody
 -  #         add_header = X-Spam_score: $spam_score\n\
 -  #                      X-Spam_score_int: $spam_score_int\n\
 -  #                      X-Spam_bar: $spam_bar\n\
 -  #                      X-Spam_report: $spam_report
-+  # Bypass SpamAssassin checks if the message is too large.
-+  #
 +  # accept  condition  = ${if >={$message_size}{100000} {1}}
 +  #         add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
 
   #############################################################################
   # No more tests if PRDR was actively used.
-@@ -616,11 +689,63 @@ acl_check_data:
+@@ -630,11 +703,63 @@ acl_check_data:
   #           condition    = ...
   #############################################################################
 
@ -633,8 +632,7 @@ index 3423ee0..7d1e552 100644
 +  #
 +  # warn    add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
 +  #                      X-Spam-Report: $spam_report
- 
-  # Accept the message.
+
 +  # And reject if the SpamAssassin score is greater than ten
 +  #
 +  # deny    condition = ${if >{$spam_score_int}{100} {1}}
@ -646,7 +644,8 @@ index 3423ee0..7d1e552 100644
 +  # warn    condition = ${if >{$spam_score_int}{5} {1}}
 +  #         set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
 +
-+
+ 
+-  # Accept the message.
 +  # If you want to greylist _all_ mail rather than only mail which looks like there
 +  # might be something wrong with it, then you can do this...
 +  #
@ -679,7 +678,7 @@ index 3423ee0..7d1e552 100644
 
 
 ######################################################################
-@@ -722,7 +847,7 @@ system_aliases:
+@@ -736,7 +861,7 @@ system_aliases:
   driver = redirect
   allow_fail
   allow_defer
@ -688,7 +687,7 @@ index 3423ee0..7d1e552 100644
 # user = exim
   file_transport = address_file
   pipe_transport = address_pipe
-@@ -760,7 +885,7 @@ userforward:
+@@ -774,7 +899,7 @@ userforward:
 # local_part_suffix = +* : -*
 # local_part_suffix_optional
   file = $home/.forward
@ -697,7 +696,7 @@ index 3423ee0..7d1e552 100644
   no_verify
   no_expn
   check_ancestor
-@@ -768,6 +893,12 @@ userforward:
+@@ -782,6 +907,12 @@ userforward:
   pipe_transport = address_pipe
   reply_transport = address_reply
 
@ -710,7 +709,7 @@ index 3423ee0..7d1e552 100644
 
 # This router matches local user mailboxes. If the router fails, the error
 # message is "Unknown user".
-@@ -809,6 +940,25 @@ remote_smtp:
+@@ -823,6 +954,25 @@ remote_smtp:
   driver = smtp
   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
 
@ -736,7 +735,7 @@ index 3423ee0..7d1e552 100644
 
 # This transport is used for delivering messages to a smarthost, if the
 # smarthost router is enabled.  This starts from the same basis as
-@@ -861,8 +1011,8 @@ local_delivery:
+@@ -875,8 +1025,8 @@ local_delivery:
   delivery_date_add
   envelope_to_add
   return_path_add
@ -747,7 +746,7 @@ index 3423ee0..7d1e552 100644
 
 
 # This transport is used for handling pipe deliveries generated by alias or
-@@ -895,6 +1045,16 @@ address_reply:
+@@ -909,6 +1059,16 @@ address_reply:
   driver = autoreply
 
 
@ -764,7 +763,7 @@ index 3423ee0..7d1e552 100644
 
 ######################################################################
 #                      RETRY CONFIGURATION                           #
-@@ -935,6 +1095,21 @@ begin rewrite
+@@ -949,6 +1109,21 @@ begin rewrite
 #                   AUTHENTICATION CONFIGURATION                     #
 ######################################################################
 
@ -786,7 +785,7 @@ index 3423ee0..7d1e552 100644
 # The following authenticators support plaintext username/password
 # authentication using the standard PLAIN mechanism and the traditional
 # but non-standard LOGIN mechanism, with Exim acting as the server.
-@@ -950,7 +1125,7 @@ begin rewrite
+@@ -964,7 +1139,7 @@ begin rewrite
 # The default RCPT ACL checks for successful authentication, and will accept
 # messages from authenticated users from anywhere on the Internet.
 
@ -795,7 +794,7 @@ index 3423ee0..7d1e552 100644
 
 # PLAIN authentication has no server prompts. The client sends its
 # credentials in one lump, containing an authorization ID (which we do not
-@@ -964,7 +1139,7 @@ begin authenticators
+@@ -978,7 +1153,7 @@ begin authenticators
 #  driver                     = plaintext
 #  server_set_id              = $auth2
 #  server_prompts             = :
@ -804,7 +803,7 @@ index 3423ee0..7d1e552 100644
 #  server_advertise_condition = ${if def:tls_in_cipher }
 
 # LOGIN authentication has traditional prompts and responses. There is no
-@@ -976,7 +1151,7 @@ begin authenticators
+@@ -990,7 +1165,7 @@ begin authenticators
 #  driver                     = plaintext
 #  server_set_id              = $auth1
 #  server_prompts             = <| Username: | Password:
--- a/exim.spec
+++ b/exim.spec
@ -11,8 +11,8 @@

 Summary: The exim mail transfer agent
 Name: exim
-Version: 4.94
-Release: 7%{?dist}
+Version: 4.94.2
+Release: 1%{?dist}
 License: GPLv2+
 Url: https://www.exim.org/

@ -42,12 +42,10 @@ Source24: exim.service
 Source25: exim-gen-cert
 Source26: clamd.exim.service

-Patch0: exim-4.94-config.patch
+Patch0: exim-4.94.2-config.patch
 Patch1: exim-4.94-libdir.patch
 Patch2: exim-4.94-dlopen-localscan.patch
 Patch3: exim-4.85-pic.patch
-# https://bugs.exim.org/show_bug.cgi?id=2594
-Patch4: exim-4.94-tls-cname-handling-fix.patch

 Requires: /etc/pki/tls/certs /etc/pki/tls/private
 Requires: /etc/aliases
@ -162,7 +160,6 @@ greylisting unconditional.
 %patch1 -p1 -b .libdir
 %patch2 -p1 -b .dl
 %patch3 -p1 -b .fpic
-%patch4 -p1 -b .tls-cname-handling-fix

 cp src/EDITME Local/Makefile
 sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@ -480,6 +477,10 @@ fi
 %{_sysconfdir}/cron.daily/greylist-tidy.sh

 %changelog
+* Tue May  4 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94.2-1
+- New version
+  Resolves: rhbz#1956859
+
 * Thu Mar 25 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-7
 - Fixed cname handling in TLS certificate verification
  Resolves: rhbz#1942582
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (exim-4.94.tar.xz) = 3bf95ade30902327403e7308089a3e423761da5b0745397dace7c7fd15ba3838d93e0ee418f1fed57606f79e57b793c7c7407e5c0d526146f0036126d5d95316
-SHA512 (exim-4.94.tar.xz.asc) = 7288ff92852bed4058a8c7315ec8f80d8ad80297d50e6971531b54bcf528614f37bb8debaf9e73ffe29fbbe6fa2162f3aeb06373307b23442392427688eb3cb8
+SHA512 (exim-4.94.2.tar.xz) = 5334c236221ed4e03dbc33e6a79d939b06037fa2f4b71971607a360b67af5c85a89681ee13a5eeaf0184382c55a160cf2e89ed7afb2949f025a54f1e88f9e3fc
+SHA512 (exim-4.94.2.tar.xz.asc) = 982c93530b8c8e13e6d8ea6032c8db27ede6692bc584ea5507b39bba6b4c3082285fb453affdc06e8d962c894c04ee9fc039523c5f329f785f918f831d9803a3