Fixed dec64table OOB read in b64decode

Resolves: rhbz#1527710
Fixed buffer overflow in utility function
  Resolves: CVE-2018-6789
Updated and defuzzified patches
Dropped mariadb-macro-fix patch (not needed)
Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943,
  CVE-2017-16944 patches (all upstreamed)

.gitignore

@@ -1,2 +1 @@
-exim-*.tar.bz2
-/exim-4.89.tar.xz
+exim-*.tar.xz

exim-4.89-CVE-2017-1000369.patch

@@ -1,37 +0,0 @@
-diff --git a/src/exim.c b/src/exim.c
-index a6a1ea8..394bf84 100644
---- a/src/exim.c
-+++ b/src/exim.c
-@@ -3092,7 +3092,14 @@ for (i = 1; i < argc; i++)
- 
-       /* -oMr: Received protocol */
- 
--      else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
-+      else if (Ustrcmp(argrest, "Mr") == 0)
-+
-+        if (received_protocol)
-+          {
-+          fprintf(stderr, "received_protocol is set already\n");
-+          exit(EXIT_FAILURE);
-+          }
-+        else received_protocol = argv[++i];
- 
-       /* -oMs: Set sender host name */
- 
-@@ -3188,7 +3195,15 @@ for (i = 1; i < argc; i++)
- 
-     if (*argrest != 0)
-       {
--      uschar *hn = Ustrchr(argrest, ':');
-+      uschar *hn;
-+
-+      if (received_protocol)
-+        {
-+        fprintf(stderr, "received_protocol is set already\n");
-+        exit(EXIT_FAILURE);
-+        }
-+
-+      hn = Ustrchr(argrest, ':');
-       if (hn == NULL)
-         {
-         received_protocol = argrest;

exim-4.89-CVE-2017-16943.patch

@@ -1,27 +0,0 @@
-diff --git a/src/receive.c b/src/receive.c
-index 7980c32..3246621 100644
---- a/src/receive.c
-+++ b/src/receive.c
-@@ -1772,8 +1772,8 @@ for (;;)
-   (and sometimes lunatic messages can have ones that are 100s of K long) we
-   call store_release() for strings that have been copied - if the string is at
-   the start of a block (and therefore the only thing in it, because we aren't
--  doing any other gets), the block gets freed. We can only do this because we
--  know there are no other calls to store_get() going on. */
-+  doing any other gets), the block gets freed. We can only do this release if
-+  there were no allocations since the once that we want to free. */
- 
-   if (ptr >= header_size - 4)
-     {
-@@ -1782,9 +1782,10 @@ for (;;)
-     header_size *= 2;
-     if (!store_extend(next->text, oldsize, header_size))
-       {
-+      BOOL release_ok = store_last_get[store_pool] == next->text;
-       uschar *newtext = store_get(header_size);
-       memcpy(newtext, next->text, ptr);
--      store_release(next->text);
-+      if (release_ok) store_release(next->text);
-       next->text = newtext;
-       }
-     }

exim-4.89-calloutsize.patch

@@ -1,524 +0,0 @@
---- exim-4.89/src/exim.c.calloutsize	2017-03-04 16:21:35.000000000 -0500
-+++ exim-4.89/src/exim.c	2017-08-16 15:52:41.424866990 -0400
-@@ -2738,7 +2738,7 @@
-     /* -MCD: set the smtp_use_dsn flag; this indicates that the host
-        that exim is connected to supports the esmtp extension DSN */
- 
--	case 'D': smtp_peer_options |= PEER_OFFERED_DSN; break;
-+	case 'D': smtp_peer_options |= OPTION_DSN; break;
- 
-     /* -MCG: set the queue name, to a non-default value */
- 
-@@ -2748,12 +2748,12 @@
- 
-     /* -MCK: the peer offered CHUNKING.  Must precede -MC */
- 
--	case 'K': smtp_peer_options |= PEER_OFFERED_CHUNKING; break;
-+	case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
- 
-     /* -MCP: set the smtp_use_pipelining flag; this is useful only when
-     it preceded -MC (see above) */
- 
--	case 'P': smtp_peer_options |= PEER_OFFERED_PIPE; break;
-+	case 'P': smtp_peer_options |= OPTION_PIPE; break;
- 
-     /* -MCQ: pass on the pid of the queue-running process that started
-     this chain of deliveries and the fd of its synchronizing pipe; this
-@@ -2768,14 +2768,14 @@
-     /* -MCS: set the smtp_use_size flag; this is useful only when it
-     precedes -MC (see above) */
- 
--	case 'S': smtp_peer_options |= PEER_OFFERED_SIZE; break;
-+	case 'S': smtp_peer_options |= OPTION_SIZE; break;
- 
- #ifdef SUPPORT_TLS
-     /* -MCT: set the tls_offered flag; this is useful only when it
-     precedes -MC (see above). The flag indicates that the host to which
-     Exim is connected has offered TLS support. */
- 
--	case 'T': smtp_peer_options |= PEER_OFFERED_TLS; break;
-+	case 'T': smtp_peer_options |= OPTION_TLS; break;
- #endif
- 
- 	default:  badarg = TRUE; break;
---- exim-4.89/src/macros.h.calloutsize	2017-03-04 16:21:35.000000000 -0500
-+++ exim-4.89/src/macros.h	2017-08-16 15:38:52.876969094 -0400
-@@ -959,14 +959,14 @@
- 
- /* Codes for ESMTP facilities offered by peer */
- 
--#define PEER_OFFERED_TLS	BIT(0)
--#define PEER_OFFERED_IGNQ	BIT(1)
--#define PEER_OFFERED_PRDR	BIT(2)
--#define PEER_OFFERED_UTF8	BIT(3)
--#define PEER_OFFERED_DSN	BIT(4)
--#define PEER_OFFERED_PIPE	BIT(5)
--#define PEER_OFFERED_SIZE	BIT(6)
--#define PEER_OFFERED_CHUNKING	BIT(7)
-+#define OPTION_TLS	BIT(0)
-+#define OPTION_IGNQ	BIT(1)
-+#define OPTION_PRDR	BIT(2)
-+#define OPTION_UTF8	BIT(3)
-+#define OPTION_DSN	BIT(4)
-+#define OPTION_PIPE	BIT(5)
-+#define OPTION_SIZE	BIT(6)
-+#define OPTION_CHUNKING	BIT(7)
- 
- /* Argument for *_getc */
- 
---- exim-4.89/src/transport.c.calloutsize	2017-08-16 15:38:52.876969094 -0400
-+++ exim-4.89/src/transport.c	2017-08-16 15:55:23.681414193 -0400
-@@ -1976,13 +1976,12 @@
-   argv = CUSS child_exec_exim(CEE_RETURN_ARGV, TRUE, &i, FALSE, 0);
- 
-   if (smtp_authenticated) argv[i++] = US"-MCA";
--
--  if (smtp_peer_options & PEER_OFFERED_CHUNKING) argv[i++] = US"-MCK";
--  if (smtp_peer_options & PEER_OFFERED_DSN) argv[i++] = US"-MCD";
--  if (smtp_peer_options & PEER_OFFERED_PIPE) argv[i++] = US"-MCP";
--  if (smtp_peer_options & PEER_OFFERED_SIZE) argv[i++] = US"-MCS";
-+  if (smtp_peer_options & OPTION_CHUNKING)       argv[i++] = US"-MCK";
-+  if (smtp_peer_options & OPTION_DSN)            argv[i++] = US"-MCD";
-+  if (smtp_peer_options & OPTION_PIPE)           argv[i++] = US"-MCP";
-+  if (smtp_peer_options & OPTION_SIZE)           argv[i++] = US"-MCS";
- #ifdef SUPPORT_TLS
--  if (smtp_peer_options & PEER_OFFERED_TLS) argv[i++] = US"-MCT";
-+  if (smtp_peer_options & OPTION_TLS) argv[i++] = US"-MCT";
- #endif
- 
-   if (queue_run_pid != (pid_t)0)
---- exim-4.89/src/transports/smtp.c.calloutsize	2017-03-04 16:21:35.000000000 -0500
-+++ exim-4.89/src/transports/smtp.c	2017-08-16 16:08:51.572126172 -0400
-@@ -1291,44 +1291,44 @@
- size_t bsize = Ustrlen(buf);
- 
- #ifdef SUPPORT_TLS
--if (  checks & PEER_OFFERED_TLS
-+if (  checks & OPTION_TLS
-    && pcre_exec(regex_STARTTLS, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
--  checks &= ~PEER_OFFERED_TLS;
-+  checks &= ~OPTION_TLS;
- #endif
- 
--if (  checks & PEER_OFFERED_IGNQ
-+if (  checks & OPTION_IGNQ
-    && pcre_exec(regex_IGNOREQUOTA, NULL, CS buf, bsize, 0,
- 		PCRE_EOPT, NULL, 0) < 0)
--  checks &= ~PEER_OFFERED_IGNQ;
-+  checks &= ~OPTION_IGNQ;
- 
--if (  checks & PEER_OFFERED_CHUNKING
-+if (  checks & OPTION_CHUNKING
-    && pcre_exec(regex_CHUNKING, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
--  checks &= ~PEER_OFFERED_CHUNKING;
-+  checks &= ~OPTION_CHUNKING;
- 
- #ifndef DISABLE_PRDR
--if (  checks & PEER_OFFERED_PRDR
-+if (  checks & OPTION_PRDR
-    && pcre_exec(regex_PRDR, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
--  checks &= ~PEER_OFFERED_PRDR;
-+  checks &= ~OPTION_PRDR;
- #endif
- 
- #ifdef SUPPORT_I18N
--if (  checks & PEER_OFFERED_UTF8
-+if (  checks & OPTION_UTF8
-    && pcre_exec(regex_UTF8, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
--  checks &= ~PEER_OFFERED_UTF8;
-+  checks &= ~OPTION_UTF8;
- #endif
- 
--if (  checks & PEER_OFFERED_DSN
-+if (  checks & OPTION_DSN
-    && pcre_exec(regex_DSN, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
--  checks &= ~PEER_OFFERED_DSN;
-+  checks &= ~OPTION_DSN;
- 
--if (  checks & PEER_OFFERED_PIPE
-+if (  checks & OPTION_PIPE
-    && pcre_exec(regex_PIPELINING, NULL, CS buf, bsize, 0,
- 		PCRE_EOPT, NULL, 0) < 0)
--  checks &= ~PEER_OFFERED_PIPE;
-+  checks &= ~OPTION_PIPE;
- 
--if (  checks & PEER_OFFERED_SIZE
-+if (  checks & OPTION_SIZE
-    && pcre_exec(regex_SIZE, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
--  checks &= ~PEER_OFFERED_SIZE;
-+  checks &= ~OPTION_SIZE;
- 
- return checks;
- }
-@@ -1479,6 +1479,7 @@
- 
- if ((sx->max_rcpt = sx->tblock->max_addresses) == 0) sx->max_rcpt = 999999;
- sx->peer_offered = 0;
-+sx->avoid_option = 0;
- sx->igquotstr = US"";
- if (!sx->helo_data) sx->helo_data = sx->ob->helo_data;
- #ifdef EXPERIMENTAL_DSN_INFO
-@@ -1715,7 +1716,7 @@
- #ifdef SUPPORT_TLS
-   if (sx->smtps)
-     {
--    smtp_peer_options |= PEER_OFFERED_TLS;
-+    smtp_peer_options |= OPTION_TLS;
-     suppress_tls = FALSE;
-     sx->ob->tls_tempfail_tryclear = FALSE;
-     smtp_command = US"SSL-on-connect";
-@@ -1780,18 +1781,18 @@
-       }
-     }
- 
--  sx->peer_offered = smtp_peer_options = 0;
-+  sx->avoid_option = sx->peer_offered = smtp_peer_options = 0;
- 
-   if (sx->esmtp || sx->lmtp)
-     {
-     sx->peer_offered = ehlo_response(sx->buffer,
--      PEER_OFFERED_TLS	/* others checked later */
-+      OPTION_TLS	/* others checked later */
-       );
- 
-   /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
- 
- #ifdef SUPPORT_TLS
--    smtp_peer_options |= sx->peer_offered & PEER_OFFERED_TLS;
-+    smtp_peer_options |= sx->peer_offered & OPTION_TLS;
- #endif
-     }
-   }
-@@ -1825,7 +1826,7 @@
- for error analysis. */
- 
- #ifdef SUPPORT_TLS
--if (  smtp_peer_options & PEER_OFFERED_TLS
-+if (  smtp_peer_options & OPTION_TLS
-    && !suppress_tls
-    && verify_check_given_host(&sx->ob->hosts_avoid_tls, sx->host) != OK
-    && (  !sx->verify
-@@ -1970,7 +1971,7 @@
-   {
-   errno = ERRNO_TLSREQUIRED;
-   message = string_sprintf("a TLS session is required, but %s",
--    smtp_peer_options & PEER_OFFERED_TLS
-+    smtp_peer_options & OPTION_TLS
-     ? "an attempt to start TLS failed" : "the server did not offer TLS support");
-   goto TLS_FAILED;
-   }
-@@ -1991,60 +1992,60 @@
-     {
-     sx->peer_offered = ehlo_response(sx->buffer,
- 	0 /* no TLS */
--	| (sx->lmtp && sx->ob->lmtp_ignore_quota ? PEER_OFFERED_IGNQ : 0)
--	| PEER_OFFERED_CHUNKING
--	| PEER_OFFERED_PRDR
-+	| (sx->lmtp && sx->ob->lmtp_ignore_quota ? OPTION_IGNQ : 0)
-+	| OPTION_CHUNKING
-+	| OPTION_PRDR
- #ifdef SUPPORT_I18N
--	| (sx->addrlist->prop.utf8_msg ? PEER_OFFERED_UTF8 : 0)
-+	| (sx->addrlist->prop.utf8_msg ? OPTION_UTF8 : 0)
- 	  /*XXX if we hand peercaps on to continued-conn processes,
- 		must not depend on this addr */
- #endif
--	| PEER_OFFERED_DSN
--	| PEER_OFFERED_PIPE
--	| (sx->ob->size_addition >= 0 ? PEER_OFFERED_SIZE : 0)
-+	| OPTION_DSN
-+	| OPTION_PIPE
-+	| (sx->ob->size_addition >= 0 ? OPTION_SIZE : 0)
-       );
- 
-     /* Set for IGNOREQUOTA if the response to LHLO specifies support and the
-     lmtp_ignore_quota option was set. */
- 
--    sx->igquotstr = sx->peer_offered & PEER_OFFERED_IGNQ ? US" IGNOREQUOTA" : US"";
-+    sx->igquotstr = sx->peer_offered & OPTION_IGNQ ? US" IGNOREQUOTA" : US"";
- 
-     /* If the response to EHLO specified support for the SIZE parameter, note
-     this, provided size_addition is non-negative. */
- 
--    smtp_peer_options |= sx->peer_offered & PEER_OFFERED_SIZE;
-+    smtp_peer_options |= sx->peer_offered & OPTION_SIZE;
- 
-     /* Note whether the server supports PIPELINING. If hosts_avoid_esmtp matched
-     the current host, esmtp will be false, so PIPELINING can never be used. If
-     the current host matches hosts_avoid_pipelining, don't do it. */
- 
--    if (  sx->peer_offered & PEER_OFFERED_PIPE
-+    if (  sx->peer_offered & OPTION_PIPE
-        && verify_check_given_host(&sx->ob->hosts_avoid_pipelining, sx->host) != OK)
--      smtp_peer_options |= PEER_OFFERED_PIPE;
-+      smtp_peer_options |= OPTION_PIPE;
- 
-     DEBUG(D_transport) debug_printf("%susing PIPELINING\n",
--      smtp_peer_options & PEER_OFFERED_PIPE ? "" : "not ");
-+      smtp_peer_options & OPTION_PIPE ? "" : "not ");
- 
--    if (  sx->peer_offered & PEER_OFFERED_CHUNKING
-+    if (  sx->peer_offered & OPTION_CHUNKING
-        && verify_check_given_host(&sx->ob->hosts_try_chunking, sx->host) != OK)
--      sx->peer_offered &= ~PEER_OFFERED_CHUNKING;
-+      sx->peer_offered &= ~OPTION_CHUNKING;
- 
--    if (sx->peer_offered & PEER_OFFERED_CHUNKING)
-+    if (sx->peer_offered & OPTION_CHUNKING)
-       {DEBUG(D_transport) debug_printf("CHUNKING usable\n");}
- 
- #ifndef DISABLE_PRDR
--    if (  sx->peer_offered & PEER_OFFERED_PRDR
-+    if (  sx->peer_offered & OPTION_PRDR
-        && verify_check_given_host(&sx->ob->hosts_try_prdr, sx->host) != OK)
--      sx->peer_offered &= ~PEER_OFFERED_PRDR;
-+      sx->peer_offered &= ~OPTION_PRDR;
- 
--    if (sx->peer_offered & PEER_OFFERED_PRDR)
-+    if (sx->peer_offered & OPTION_PRDR)
-       {DEBUG(D_transport) debug_printf("PRDR usable\n");}
- #endif
- 
-     /* Note if the server supports DSN */
--    smtp_peer_options |= sx->peer_offered & PEER_OFFERED_DSN;
-+    smtp_peer_options |= sx->peer_offered & OPTION_DSN;
-     DEBUG(D_transport) debug_printf("%susing DSN\n",
--			sx->peer_offered & PEER_OFFERED_DSN ? "" : "not ");
-+			sx->peer_offered & OPTION_DSN ? "" : "not ");
- 
-     /* Note if the response to EHLO specifies support for the AUTH extension.
-     If it has, check that this host is one we want to authenticate to, and do
-@@ -2061,7 +2062,7 @@
-       }
-     }
-   }
--pipelining_active = !!(smtp_peer_options & PEER_OFFERED_PIPE);
-+pipelining_active = !!(smtp_peer_options & OPTION_PIPE);
- 
- /* The setting up of the SMTP call is now complete. Any subsequent errors are
- message-specific. */
-@@ -2079,7 +2080,7 @@
-   }
- 
- /* If this is an international message we need the host to speak SMTPUTF8 */
--if (sx->utf8_needed && !(sx->peer_offered & PEER_OFFERED_UTF8))
-+if (sx->utf8_needed && !(sx->peer_offered & OPTION_UTF8))
-   {
-   errno = ERRNO_UTF8_FWD;
-   goto RESPONSE_FAILED;
-@@ -2202,14 +2203,15 @@
- 
- *p = 0;
- 
--/* If we know the receiving MTA supports the SIZE qualification,
-+/* If we know the receiving MTA supports the SIZE qualification, and we know it,
- send it, adding something to the message size to allow for imprecision
- and things that get added en route. Exim keeps the number of lines
- in a message, so we can give an accurate value for the original message, but we
- need some additional to handle added headers. (Double "." characters don't get
- included in the count.) */
- 
--if (sx->peer_offered & PEER_OFFERED_SIZE)
-+if (  message_size > 0
-+   && sx->peer_offered & OPTION_SIZE && !(sx->avoid_option & OPTION_SIZE))
-   {
-   sprintf(CS p, " SIZE=%d", message_size+message_linecount+sx->ob->size_addition);
-   while (*p) p++;
-@@ -2220,7 +2222,7 @@
- request that */
- 
- sx->prdr_active = FALSE;
--if (sx->peer_offered & PEER_OFFERED_PRDR)
-+if (sx->peer_offered & OPTION_PRDR)
-   for (addr = addrlist; addr; addr = addr->next)
-     if (addr->transport_return == PENDING_DEFER)
-       {
-@@ -2239,7 +2241,7 @@
- /* If it supports internationalised messages, and this meesage need that,
- request it */
- 
--if (  sx->peer_offered & PEER_OFFERED_UTF8
-+if (  sx->peer_offered & OPTION_UTF8
-    && addrlist->prop.utf8_msg
-    && !addrlist->prop.utf8_downcvt
-    )
-@@ -2261,7 +2263,7 @@
- 
- /* Add any DSN flags to the mail command */
- 
--if (sx->peer_offered & PEER_OFFERED_DSN && !sx->dsn_all_lasthop)
-+if (sx->peer_offered & OPTION_DSN && !sx->dsn_all_lasthop)
-   {
-   if (dsn_ret == dsn_ret_hdrs)
-     { Ustrcpy(p, " RET=HDRS"); p += 9; }
-@@ -2297,7 +2299,7 @@
- 
- /* Add any DSN flags to the rcpt command */
- 
--if (sx->peer_offered & PEER_OFFERED_DSN && !(addr->dsn_flags & rf_dsnlasthop))
-+if (sx->peer_offered & OPTION_DSN && !(addr->dsn_flags & rf_dsnlasthop))
-   {
-   if (addr->dsn_flags & rf_dsnflags)
-     {
-@@ -2367,7 +2369,7 @@
-   the delivery log line. */
- 
-   if (  sx->addrlist->prop.utf8_msg
--     && (sx->addrlist->prop.utf8_downcvt || !(sx->peer_offered & PEER_OFFERED_UTF8))
-+     && (sx->addrlist->prop.utf8_downcvt || !(sx->peer_offered & OPTION_UTF8))
-      )
-     {
-     if (s = string_address_utf8_to_alabel(s, &errstr), errstr)
-@@ -2431,7 +2433,7 @@
-   BOOL no_flush;
-   uschar * rcpt_addr;
- 
--  addr->dsn_aware = sx->peer_offered & PEER_OFFERED_DSN
-+  addr->dsn_aware = sx->peer_offered & OPTION_DSN
-     ? dsn_support_yes : dsn_support_no;
- 
-   address_count++;
-@@ -2594,10 +2596,10 @@
-   if (  transport_filter_argv
-      && *transport_filter_argv
-      && **transport_filter_argv
--     && sx.peer_offered & PEER_OFFERED_CHUNKING
-+     && sx.peer_offered & OPTION_CHUNKING
-      )
-     {
--    sx.peer_offered &= ~PEER_OFFERED_CHUNKING;
-+    sx.peer_offered &= ~OPTION_CHUNKING;
-     DEBUG(D_transport) debug_printf("CHUNKING not usable due to transport filter\n");
-     }
-   }
-@@ -2656,7 +2658,7 @@
- If using CHUNKING, do not send a BDAT until we know how big a chunk we want
- to send is. */
- 
--if (  !(sx.peer_offered & PEER_OFFERED_CHUNKING)
-+if (  !(sx.peer_offered & OPTION_CHUNKING)
-    && (sx.ok || (pipelining_active && !mua_wrapper)))
-   {
-   int count = smtp_write_command(&sx.outblock, FALSE, "DATA\r\n");
-@@ -2686,7 +2688,7 @@
- well as body. Set the appropriate timeout value to be used for each chunk.
- (Haven't been able to make it work using select() for writing yet.) */
- 
--if (!(sx.peer_offered & PEER_OFFERED_CHUNKING) && !sx.ok)
-+if (!(sx.peer_offered & OPTION_CHUNKING) && !sx.ok)
-   {
-   /* Save the first address of the next batch. */
-   sx.first_addr = sx.next_addr;
-@@ -2712,7 +2714,7 @@
-   of responses.  The callback needs a whole bunch of state so set up
-   a transport-context structure to be passed around. */
- 
--  if (sx.peer_offered & PEER_OFFERED_CHUNKING)
-+  if (sx.peer_offered & OPTION_CHUNKING)
-     {
-     tctx.check_string = tctx.escape_string = NULL;
-     tctx.options |= topt_use_bdat;
-@@ -2737,7 +2739,7 @@
-   transport_write_timeout = sx.ob->data_timeout;
-   smtp_command = US"sending data block";   /* For error messages */
-   DEBUG(D_transport|D_v)
--    if (sx.peer_offered & PEER_OFFERED_CHUNKING)
-+    if (sx.peer_offered & OPTION_CHUNKING)
-       debug_printf("         will write message using CHUNKING\n");
-     else
-       debug_printf("  SMTP>> writing message and terminating \".\"\n");
-@@ -2771,7 +2773,7 @@
- 
-   smtp_command = US"end of data";
- 
--  if (sx.peer_offered & PEER_OFFERED_CHUNKING && sx.cmd_count > 1)
-+  if (sx.peer_offered & OPTION_CHUNKING && sx.cmd_count > 1)
-     {
-     /* Reap any outstanding MAIL & RCPT commands, but not a DATA-go-ahead */
-     switch(sync_responses(&sx, sx.cmd_count-1, 0))
-@@ -2926,7 +2928,7 @@
- #ifndef DISABLE_PRDR
-       if (sx.prdr_active) addr->flags |= af_prdr_used;
- #endif
--      if (sx.peer_offered & PEER_OFFERED_CHUNKING) addr->flags |= af_chunking_used;
-+      if (sx.peer_offered & OPTION_CHUNKING) addr->flags |= af_chunking_used;
-       flag = '-';
- 
- #ifndef DISABLE_PRDR
---- exim-4.89/src/transports/smtp.h.calloutsize	2017-03-04 16:21:35.000000000 -0500
-+++ exim-4.89/src/transports/smtp.h	2017-08-16 15:38:52.877969104 -0400
-@@ -127,6 +127,7 @@
-   int		cmd_count;
- 
-   uschar	peer_offered;
-+  uschar	avoid_option;
-   uschar *	igquotstr;
-   uschar *	helo_data;
- #ifdef EXPERIMENTAL_DSN_INFO
---- exim-4.89/src/verify.c.calloutsize	2017-03-04 16:21:35.000000000 -0500
-+++ exim-4.89/src/verify.c	2017-08-16 15:51:37.913261370 -0400
-@@ -779,8 +779,12 @@
-       postmaster-verify.
-       The sync_responses() would need to be taught about it and we'd
-       need another return code filtering out to here.
-+
-+      Avoid using a SIZE option on the MAIL for all randon-rcpt checks.
-       */
- 
-+      sx.avoid_option = OPTION_SIZE;
-+
-       /* Remember when we last did a random test */
-       new_domain_record.random_stamp = time(NULL);
- 
-@@ -790,8 +794,9 @@
- 	  case PENDING_OK:
- 	    new_domain_record.random_result = ccache_accept;
- 	    break;
--	  case FAIL:
-+	  case FAIL:            /* the preferred result */
- 	    new_domain_record.random_result = ccache_reject;
-+	    sx.avoid_option = 0;
- 
- 	    /* Between each check, issue RSET, because some servers accept only
- 	    one recipient after MAIL FROM:<>.
-@@ -836,12 +841,14 @@
-     else
-       done = TRUE;
- 
--    /* Main verify. If the host is accepting all local parts, as determined
--    by the "random" check, we don't need to waste time doing any further
--    checking. */
-+    /* Main verify.  For rcpt-verify use SIZE if we know it and we're not cacheing;
-+    for sndr-verify never use it. */
- 
-     if (done)
-       {
-+      if (!(options & vopt_is_recipient  &&  options & vopt_callout_no_cache))
-+	sx.avoid_option = OPTION_SIZE;
-+
-       done = FALSE;
-       switch(smtp_write_mail_and_rcpt_cmds(&sx, &yield))
- 	{
-@@ -850,12 +857,12 @@
- 		    case PENDING_OK:  done = TRUE;
- 				      new_address_record.result = ccache_accept;
- 				      break;
--		    case FAIL:	      done = TRUE;
-+		    case FAIL:	    done = TRUE;
- 				      yield = FAIL;
- 				      *failure_ptr = US"recipient";
- 				      new_address_record.result = ccache_reject;
- 				      break;
--		    default:	      break;
-+		    default:	    break;
- 		    }
- 		  break;
- 
-@@ -908,6 +915,7 @@
- 	sx.ok = FALSE;
- 	sx.send_rset = TRUE;
- 	sx.completed_addr = FALSE;
-+	sx.avoid_option = OPTION_SIZE;
- 
- 	if(  smtp_write_mail_and_rcpt_cmds(&sx, &yield) == 0
- 	  && addr->transport_return == PENDING_OK

exim-4.89-mariadb-macro-fix.patch

@@ -1,73 +0,0 @@
-diff --git a/src/lookups/mysql.c b/src/lookups/mysql.c
-index 5cf15af..b5133bc 100644
---- a/src/lookups/mysql.c
-+++ b/src/lookups/mysql.c
-@@ -14,6 +14,53 @@ functions. */
- 
- #include <mysql.h>       /* The system header */
- 
-+/* We define symbols for *_VERSION_ID (numeric), *_VERSION_STR (char*)
-+and *_BASE_STR (char*). It's a bit of guesswork. Especially for mariadb
-+with versions before 10.2, as they do not define there there specific symbols.
-+*/
-+
-+// Newer (>= 10.2) MariaDB
-+#if defined                   MARIADB_VERSION_ID
-+#define EXIM_MxSQL_VERSION_ID MARIADB_VERSION_ID
-+
-+// MySQL defines MYSQL_VERSION_ID, and MariaDB does so
-+// https://dev.mysql.com/doc/refman/5.7/en/c-api-server-client-versions.html
-+#elif defined                 LIBMYSQL_VERSION_ID
-+#define EXIM_MxSQL_VERSION_ID LIBMYSQL_VERSION_ID
-+#elif defined                 MYSQL_VERSION_ID
-+#define EXIM_MxSQL_VERSION_ID MYSQL_VERSION_ID
-+
-+#else
-+#define EXIM_MYSQL_VERSION_ID  0
-+#endif
-+
-+// Newer (>= 10.2) MariaDB
-+#ifdef                         MARIADB_CLIENT_VERSION_STR
-+#define EXIM_MxSQL_VERSION_STR MARIADB_CLIENT_VERSION_STR
-+
-+// Mysql uses MYSQL_SERVER_VERSION
-+#elif defined                  LIBMYSQL_VERSION
-+#define EXIM_MxSQL_VERSION_STR LIBMYSQL_VERSION
-+#elif defined                  MYSQL_SERVER_VERSION
-+#define EXIM_MxSQL_VERSION_STR MYSQL_SERVER_VERSION
-+
-+#else
-+#define EXIM_MxSQL_VERSION_STR  "N.A."
-+#endif
-+
-+#if defined                 MARIADB_BASE_VERSION
-+#define EXIM_MxSQL_BASE_STR MARIADB_BASE_VERSION
-+
-+#elif defined               MARIADB_PACKAGE_VERSION
-+#define EXIM_MxSQL_BASE_STR "mariadb"
-+
-+#elif defined               MYSQL_BASE_VERSION
-+#define EXIM_MxSQL_BASE_STR MYSQL_BASE_VERSION
-+
-+#else
-+#define EXIM_MxSQL_BASE_STR  "n.A."
-+#endif
-+
- 
- /* Structure and anchor for caching connections. */
- 
-@@ -432,10 +479,10 @@ return quoted;
- void
- mysql_version_report(FILE *f)
- {
--fprintf(f, "Library version: MySQL: Compile: %s [%s]\n"
--           "                        Runtime: %s\n",
--        MYSQL_SERVER_VERSION, MYSQL_COMPILATION_COMMENT,
--        mysql_get_client_info());
-+fprintf(f, "Library version: MySQL: Compile: %lu %s [%s]\n"
-+           "                        Runtime: %lu %s\n",
-+        (long)EXIM_MxSQL_VERSION_ID, EXIM_MxSQL_VERSION_STR, EXIM_MxSQL_BASE_STR,
-+        mysql_get_client_version(), mysql_get_client_info());
- #ifdef DYNLOOKUP
- fprintf(f, "                        Exim version %s\n", EXIM_VERSION_STR);
- #endif

exim-4.90.1-allow-filter.patch

@@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index 1e3c63f..0e7854c 100644
+index 2cce34b..50e9236 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -724,7 +724,7 @@ userforward:
+@@ -727,7 +727,7 @@ userforward:
  # local_part_suffix = +* : -*
  # local_part_suffix_optional
    file = $home/.forward

exim-4.90.1-config.patch

@@ -1,8 +1,8 @@
 diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile
-index 3e486a6..6c4afec 100755
+index 2af1927..e461505 100755
 --- a/scripts/Configure-Makefile
 +++ b/scripts/Configure-Makefile
-@@ -269,7 +269,7 @@ if [ "${EXIM_PERL}" != "" ] ; then
+@@ -296,7 +296,7 @@ if [ "${EXIM_PERL}" != "" ] ; then
  
    mv $mft $mftt
    echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft
@@ -12,7 +12,7 @@ index 3e486a6..6c4afec 100755
    echo "" >>$mft
    cat $mftt >> $mft
 diff --git a/src/EDITME b/src/EDITME
-index df74aac..0caf02d 100644
+index 72e26ce..0bd97f1 100644
 --- a/src/EDITME
 +++ b/src/EDITME
 @@ -98,7 +98,7 @@
@@ -51,7 +51,7 @@ index df74aac..0caf02d 100644
  
  # Many sites define a user called "exim", with an appropriate default group,
  # and use
-@@ -232,7 +232,7 @@ TRANSPORT_SMTP=yes
+@@ -237,7 +237,7 @@ TRANSPORT_SMTP=yes
  # This one is special-purpose, and commonly not required, so it is not
  # included by default.
  
@@ -60,7 +60,7 @@ index df74aac..0caf02d 100644
  
  
  #------------------------------------------------------------------------------
-@@ -241,9 +241,9 @@ TRANSPORT_SMTP=yes
+@@ -246,9 +246,9 @@ TRANSPORT_SMTP=yes
  # MBX, is included only when requested. If you do not know what this is about,
  # leave these settings commented out.
  
@@ -73,7 +73,7 @@ index df74aac..0caf02d 100644
  
  
  #------------------------------------------------------------------------------
-@@ -301,19 +301,21 @@ LOOKUP_DBM=yes
+@@ -306,20 +306,22 @@ LOOKUP_DBM=yes
  LOOKUP_LSEARCH=yes
  LOOKUP_DNSDB=yes
  
@@ -84,6 +84,7 @@ index df74aac..0caf02d 100644
  # LOOKUP_IBASE=yes
 -# LOOKUP_LDAP=yes
 -# LOOKUP_MYSQL=yes
+-# LOOKUP_MYSQL_PC=mariadb
 -# LOOKUP_NIS=yes
 -# LOOKUP_NISPLUS=yes
 +LOOKUP_LDAP=yes
@@ -91,6 +92,7 @@ index df74aac..0caf02d 100644
 +LOOKUP_INCLUDE=-I/usr/include/mysql
 +LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient -lpq
 +LOOKUP_MYSQL=yes
++LOOKUP_MYSQL_PC=mariadb
 +LOOKUP_NIS=yes
 +LOOKUP_NISPLUS=yes
  # LOOKUP_ORACLE=yes
@@ -105,7 +107,7 @@ index df74aac..0caf02d 100644
  # LOOKUP_WHOSON=yes
  
  # These two settings are obsolete; all three lookups are compiled when
-@@ -390,7 +392,7 @@ EXIM_MONITOR=eximon.bin
+@@ -396,7 +398,7 @@ EXIM_MONITOR=eximon.bin
  # and the MIME ACL. Please read the documentation to learn more about these
  # features.
  
@@ -114,7 +116,7 @@ index df74aac..0caf02d 100644
  
  #------------------------------------------------------------------------------
  # If you're using ClamAV and are backporting fixes to an old version, instead
-@@ -577,7 +579,7 @@ FIXED_NEVER_USERS=root
+@@ -584,7 +586,7 @@ FIXED_NEVER_USERS=root
  # CONFIGURE_OWNER setting, to specify a configuration file which is listed in
  # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim.
  
@@ -123,7 +125,7 @@ index df74aac..0caf02d 100644
  
  
  #------------------------------------------------------------------------------
-@@ -622,17 +624,14 @@ FIXED_NEVER_USERS=root
+@@ -629,17 +631,14 @@ FIXED_NEVER_USERS=root
  # included in the Exim binary. You will then need to set up the run time
  # configuration to make use of the mechanism(s) selected.
  
@@ -149,7 +151,7 @@ index df74aac..0caf02d 100644
  
  # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1
  # requires multiple pkg-config files to work with Exim, so the second example
-@@ -656,7 +655,7 @@ FIXED_NEVER_USERS=root
+@@ -663,7 +662,7 @@ FIXED_NEVER_USERS=root
  # one that is set in the headers_charset option. The default setting is
  # defined by this setting:
  
@@ -158,7 +160,7 @@ index df74aac..0caf02d 100644
  
  # If you are going to make use of $header_xxx expansions in your configuration
  # file, or if your users are going to use them in filter files, and the normal
-@@ -676,7 +675,7 @@ HEADERS_CHARSET="ISO-8859-1"
+@@ -683,7 +682,7 @@ HEADERS_CHARSET="ISO-8859-1"
  # the Sieve filter support. For those OS where iconv() is known to be installed
  # as standard, the file in OS/Makefile-xxxx contains
  #
@@ -167,7 +169,7 @@ index df74aac..0caf02d 100644
  #
  # If you are not using one of those systems, but have installed iconv(), you
  # need to uncomment that line above. In some cases, you may find that iconv()
-@@ -745,11 +744,11 @@ HEADERS_CHARSET="ISO-8859-1"
+@@ -752,11 +751,11 @@ HEADERS_CHARSET="ISO-8859-1"
  # leave these settings commented out.
  
  # This setting is required for any TLS support (either OpenSSL or GnuTLS)
@@ -182,7 +184,7 @@ index df74aac..0caf02d 100644
  
  # Uncomment the first and either the second or the third of these if you
  # are using GnuTLS.  If you have pkg-config, then the second, else the third.
-@@ -818,7 +817,7 @@ HEADERS_CHARSET="ISO-8859-1"
+@@ -825,7 +824,7 @@ HEADERS_CHARSET="ISO-8859-1"
  # Once you have done this, "make install" will build the info files and
  # install them in the directory you have defined.
  
@@ -191,7 +193,7 @@ index df74aac..0caf02d 100644
  
  
  #------------------------------------------------------------------------------
-@@ -831,7 +830,7 @@ HEADERS_CHARSET="ISO-8859-1"
+@@ -838,7 +837,7 @@ HEADERS_CHARSET="ISO-8859-1"
  # %s. This will be replaced by one of the strings "main", "panic", or "reject"
  # to form the final file names. Some installations may want something like this:
  
@@ -200,7 +202,7 @@ index df74aac..0caf02d 100644
  
  # which results in files with names /var/log/exim_mainlog, etc. The directory
  # in which the log files are placed must exist; Exim does not try to create
-@@ -903,7 +902,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -910,7 +909,7 @@ ZCAT_COMMAND=/usr/bin/zcat
  # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded
  # Perl costs quite a lot of resources. Only do this if you really need it.
  
@@ -209,7 +211,7 @@ index df74aac..0caf02d 100644
  
  
  #------------------------------------------------------------------------------
-@@ -913,7 +912,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -920,7 +919,7 @@ ZCAT_COMMAND=/usr/bin/zcat
  # that the local_scan API is made available by the linker. You may also need
  # to add -ldl to EXTRALIBS so that dlopen() is available to Exim.
  
@@ -218,7 +220,7 @@ index df74aac..0caf02d 100644
  
  
  #------------------------------------------------------------------------------
-@@ -923,7 +922,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -930,7 +929,7 @@ ZCAT_COMMAND=/usr/bin/zcat
  # support, which is intended for use in conjunction with the SMTP AUTH
  # facilities, is included only when requested by the following setting:
  
@@ -227,7 +229,7 @@ index df74aac..0caf02d 100644
  
  # You probably need to add -lpam to EXTRALIBS, and in some releases of
  # GNU/Linux -ldl is also needed.
-@@ -1021,7 +1020,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -1028,7 +1027,7 @@ ZCAT_COMMAND=/usr/bin/zcat
  # group. Once you have installed saslauthd, you should arrange for it to be
  # started by root at boot time.
  
@@ -236,20 +238,18 @@ index df74aac..0caf02d 100644
  
  
  #------------------------------------------------------------------------------
-@@ -1034,9 +1033,9 @@ ZCAT_COMMAND=/usr/bin/zcat
- # You may well also have to specify a local "include" file and an additional
+@@ -1042,8 +1041,8 @@ ZCAT_COMMAND=/usr/bin/zcat
  # library for TCP wrappers, so you probably need something like this:
  #
--# USE_TCP_WRAPPERS=yes
+ # USE_TCP_WRAPPERS=yes
 -# CFLAGS=-O -I/usr/local/include
 -# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap
-+USE_TCP_WRAPPERS=yes
 +CFLAGS+=$(RPM_OPT_FLAGS) $(PIE)
-+EXTRALIBS_EXIM=-lwrap -lpam -ldl -export-dynamic -rdynamic
++EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic
  #
  # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM
  # as well.
-@@ -1088,7 +1087,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+@@ -1095,7 +1094,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
  # is "yes", as well as supporting line editing, a history of input lines in the
  # current run is maintained.
  
@@ -258,7 +258,7 @@ index df74aac..0caf02d 100644
  
  # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes.
  # Note that this option adds to the size of the Exim binary, because the
-@@ -1098,7 +1097,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+@@ -1112,7 +1111,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
  #------------------------------------------------------------------------------
  # Uncomment this setting to include IPv6 support.
  
@@ -267,7 +267,7 @@ index df74aac..0caf02d 100644
  
  ###############################################################################
  #              THINGS YOU ALMOST NEVER NEED TO MENTION                        #
-@@ -1119,13 +1118,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+@@ -1133,13 +1132,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
  # haven't got Perl, Exim will still build and run; you just won't be able to
  # use those utilities.
  
@@ -288,7 +288,7 @@ index df74aac..0caf02d 100644
  
  
  #------------------------------------------------------------------------------
-@@ -1327,7 +1326,7 @@ EXIM_TMPDIR="/tmp"
+@@ -1341,7 +1340,7 @@ EXIM_TMPDIR="/tmp"
  # (process id) to a file so that it can easily be identified. The path of the
  # file can be specified here. Some installations may want something like this:
  

exim-4.90.1-cyrus.patch

@@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index 8b6162b..d588898 100644
+index 562d0be..1138335 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -765,6 +765,16 @@ address_reply:
+@@ -768,6 +768,16 @@ address_reply:
    driver = autoreply
  
  

exim-4.90.1-dec64table-read-fix.patch

@@ -0,0 +1,16 @@
+diff --git a/src/base64.c b/src/src/base64.c
+index dbbd6a4..e63522e 100644
+--- a/src/base64.c
++++ b/src/base64.c
+@@ -173,7 +173,7 @@ while ((x = *code++) != 0)
+ 
+   while (isspace(y = *code++)) ;
+   /* debug_printf("b64d: '%c'\n", y); */
+-  if (y == 0 || (y = dec64table[y]) == 255)
++  if (y > 127 || (y = dec64table[y]) == 255)
+     return -1;
+ 
+   *result++ = (x << 2) | (y >> 4);
+-- 
+1.9.1
+

exim-4.90.1-dlopen-localscan.patch

@@ -1,8 +1,8 @@
 diff --git a/src/EDITME b/src/EDITME
-index 0caf02d..6957546 100644
+index 0bd97f1..ce2b047 100644
 --- a/src/EDITME
 +++ b/src/EDITME
-@@ -802,6 +802,20 @@ TLS_LIBS=-lssl -lcrypto
+@@ -809,6 +809,20 @@ TLS_LIBS=-lssl -lcrypto
  
  
  #------------------------------------------------------------------------------
@@ -24,10 +24,10 @@ index 0caf02d..6957546 100644
  # documentation. Other forms are available separately. If you want to install
  # the documentation in "info" format, first fetch the Texinfo documentation
 diff --git a/src/config.h.defaults b/src/config.h.defaults
-index 58e1813..9b18f98 100644
+index 4750523..e3943a8 100644
 --- a/src/config.h.defaults
 +++ b/src/config.h.defaults
-@@ -28,6 +28,8 @@ it's a default value. */
+@@ -31,6 +31,8 @@ Do not put spaces between # and the 'define'.
  
  #define AUTH_VARS                     3
  
@@ -37,7 +37,7 @@ index 58e1813..9b18f98 100644
  
  #define CONFIGURE_FILE
 diff --git a/src/globals.c b/src/globals.c
-index 79ac37f..b7d690f 100644
+index 5df84bd..74724fd 100644
 --- a/src/globals.c
 +++ b/src/globals.c
 @@ -167,6 +167,10 @@ uschar *tls_verify_hosts       = NULL;
@@ -52,7 +52,7 @@ index 79ac37f..b7d690f 100644
  /* Per Recipient Data Response variables */
  BOOL    prdr_enable            = FALSE;
 diff --git a/src/globals.h b/src/globals.h
-index 340f1ae..4b65781 100644
+index 37d4cad..2b313e0 100644
 --- a/src/globals.h
 +++ b/src/globals.h
 @@ -126,6 +126,11 @@ extern uschar *tls_try_verify_hosts;   /* Optional client verification */
@@ -251,10 +251,10 @@ index 3500047..8599172 100644
 +
  /* End of local_scan.c */
 diff --git a/src/readconf.c b/src/readconf.c
-index 790f073..6e88bcd 100644
+index 8d5f38c..73095be 100644
 --- a/src/readconf.c
 +++ b/src/readconf.c
-@@ -318,6 +318,9 @@ static optionlist optionlist_config[] = {
+@@ -195,6 +195,9 @@ static optionlist optionlist_config[] = {
    { "local_from_prefix",        opt_stringptr,   &local_from_prefix },
    { "local_from_suffix",        opt_stringptr,   &local_from_suffix },
    { "local_interfaces",         opt_stringptr,   &local_interfaces },

exim-4.90.1-dynlookup-config.patch

@@ -1,8 +1,8 @@
 diff --git a/src/EDITME b/src/EDITME
-index df3dcc8..de01565 100644
+index ce2b047..8b773ea 100644
 --- a/src/EDITME
 +++ b/src/EDITME
-@@ -306,14 +306,16 @@ LOOKUP_DSEARCH=yes
+@@ -311,15 +311,17 @@ LOOKUP_DSEARCH=yes
  # LOOKUP_IBASE=yes
  LOOKUP_LDAP=yes
  LDAP_LIB_TYPE=OPENLDAP2
@@ -10,10 +10,11 @@ index df3dcc8..de01565 100644
 -LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient -lpq
 -LOOKUP_MYSQL=yes
 +LOOKUP_LIBS=-lldap -llber -lsqlite3
-+LOOKUP_MYSQL_INCLUDE=-I/usr/include/mysql
-+LOOKUP_MYSQL_LIBS=-lmysqlclient
++# LOOKUP_INCLUDE=-I/usr/include/mysql
++# LOOKUP_MYSQL_LIBS=-lmysqlclient
 +LOOKUP_PGSQL_LIBS=-lpq
 +LOOKUP_MYSQL=2
+ LOOKUP_MYSQL_PC=mariadb
  LOOKUP_NIS=yes
  LOOKUP_NISPLUS=yes
  # LOOKUP_ORACLE=yes

exim-4.90.1-environment.patch

@@ -1,7 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
+index b955c6e..590c664 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -357,8 +357,8 @@ timeout_frozen_after = 7d
+@@ -360,8 +360,8 @@ timeout_frozen_after = 7d
  # Note that TZ is handled separately by the timezone runtime option
  # and TIMEZONE_DEFAULT buildtime option.
  

exim-4.90.1-greylist-conf.patch

@@ -1,5 +1,5 @@
 diff --git a/src/configure.default b/src/configure.default
-index 921c53b..a92c954 100644
+index 72675be..30ffc8c 100644
 --- a/src/configure.default
 +++ b/src/configure.default
 @@ -107,6 +107,7 @@ hostlist   relay_from_hosts = localhost
@@ -10,7 +10,7 @@ index 921c53b..a92c954 100644
  acl_smtp_rcpt = acl_check_rcpt
  acl_smtp_data = acl_check_data
  acl_smtp_mime = acl_check_mime
-@@ -368,6 +369,29 @@ timeout_frozen_after = 7d
+@@ -371,6 +372,29 @@ timeout_frozen_after = 7d
  
  begin acl
  
@@ -40,7 +40,7 @@ index 921c53b..a92c954 100644
  # This access control list is used for every RCPT command in an incoming
  # SMTP message. The tests are run in order until the address is either
  # accepted or denied.
-@@ -493,7 +517,8 @@ acl_check_rcpt:
+@@ -496,7 +520,8 @@ acl_check_rcpt:
    # There are no default checks on DNS black lists because the domains that
    # contain these lists are changing all the time. However, here are two
    # examples of how you can get Exim to perform a DNS black list lookup at this
@@ -50,7 +50,7 @@ index 921c53b..a92c954 100644
    #
    # deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
    #         dnslists      = black.list.example
-@@ -501,6 +526,10 @@ acl_check_rcpt:
+@@ -504,6 +529,10 @@ acl_check_rcpt:
    # warn    dnslists      = black.list.example
    #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
    #         log_message   = found in $dnslist_domain
@@ -61,7 +61,7 @@ index 921c53b..a92c954 100644
    #############################################################################
  
    #############################################################################
-@@ -514,6 +543,10 @@ acl_check_rcpt:
+@@ -517,6 +546,10 @@ acl_check_rcpt:
    # require verify = csa
    #############################################################################
  
@@ -72,7 +72,7 @@ index 921c53b..a92c954 100644
    # At this point, the address has passed all the checks that have been
    # configured, so we accept it unconditionally.
  
-@@ -546,6 +579,12 @@ acl_check_data:
+@@ -549,6 +582,12 @@ acl_check_data:
    # deny    condition  = ${if !def:h_Message-ID: {1}}
    #         message    = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
    #                      Most messages without it are spam, so your mail has been rejected.
@@ -85,7 +85,7 @@ index 921c53b..a92c954 100644
  
    # Deny if the message contains a virus. Before enabling this check, you
    # must install a virus scanner and set the av_scanner option above.
-@@ -580,8 +619,30 @@ acl_check_data:
+@@ -583,8 +622,30 @@ acl_check_data:
    #         message   = Your message scored $spam_score SpamAssassin point. Report follows:\n\
    #  	    	        $spam_report
  

exim-4.90.1-pamconfig.patch

@@ -1,5 +1,5 @@
 diff --git a/src/configure.default b/src/configure.default
-index d588898..61bdae8 100644
+index 1138335..0675b40 100644
 --- a/src/configure.default
 +++ b/src/configure.default
 @@ -142,7 +142,7 @@ acl_smtp_data = acl_check_data
@@ -20,9 +20,9 @@ index d588898..61bdae8 100644
 +tls_certificate = /etc/pki/tls/certs/exim.pem
 +tls_privatekey = /etc/pki/tls/private/exim.pem
  
- # In order to support roaming users who wish to send email from anywhere,
- # you may want to make Exim listen on other ports as well as port 25, in
-@@ -162,8 +162,8 @@ acl_smtp_data = acl_check_data
+ # For OpenSSL, prefer EC- over RSA-authenticated ciphers
+ # tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+@@ -165,8 +165,8 @@ acl_smtp_data = acl_check_data
  # them you should also allow TLS-on-connect on the traditional but
  # non-standard port 465.
  
@@ -33,7 +33,7 @@ index d588898..61bdae8 100644
  
  
  # Specify the domain you want to be added to all unqualified addresses
-@@ -221,6 +221,24 @@ never_users = root
+@@ -224,6 +224,24 @@ never_users = root
  
  host_lookup = *
  
@@ -58,7 +58,7 @@ index d588898..61bdae8 100644
  
  # The settings below cause Exim to make RFC 1413 (ident) callbacks
  # for all incoming SMTP calls. You can limit the hosts to which these
-@@ -844,7 +862,7 @@ begin authenticators
+@@ -847,7 +865,7 @@ begin authenticators
  #  driver                     = plaintext
  #  server_set_id              = $auth2
  #  server_prompts             = :
@@ -67,7 +67,7 @@ index d588898..61bdae8 100644
  #  server_advertise_condition = ${if def:tls_in_cipher }
  
  # LOGIN authentication has traditional prompts and responses. There is no
-@@ -856,7 +874,7 @@ begin authenticators
+@@ -859,7 +877,7 @@ begin authenticators
  #  driver                     = plaintext
  #  server_set_id              = $auth1
  #  server_prompts             = <| Username: | Password:

exim-4.90.1-procmail.patch

@@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index ecc3d6e..1e3c63f 100644
+index 8b4575c..2cce34b 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -732,6 +732,12 @@ userforward:
+@@ -735,6 +735,12 @@ userforward:
    pipe_transport = address_pipe
    reply_transport = address_reply
  
@@ -15,7 +15,7 @@ index ecc3d6e..1e3c63f 100644
  
  # This router matches local user mailboxes. If the router fails, the error
  # message is "Unknown user".
-@@ -773,6 +779,16 @@ remote_smtp:
+@@ -776,6 +782,16 @@ remote_smtp:
    driver = smtp
    message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
  

exim-4.90.1-rhl.patch

@@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index 985f1d0..8b6162b 100644
+index 1dc9b91..562d0be 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -630,7 +630,7 @@ system_aliases:
+@@ -633,7 +633,7 @@ system_aliases:
    driver = redirect
    allow_fail
    allow_defer
@@ -11,7 +11,7 @@ index 985f1d0..8b6162b 100644
  # user = exim
    file_transport = address_file
    pipe_transport = address_pipe
-@@ -731,8 +731,8 @@ local_delivery:
+@@ -734,8 +734,8 @@ local_delivery:
    delivery_date_add
    envelope_to_add
    return_path_add

exim-4.90.1-smarthost-config.patch

@@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index a92c954..13599ae 100644
+index 30ffc8c..b955c6e 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -840,6 +840,15 @@ remote_smtp:
+@@ -843,6 +843,15 @@ remote_smtp:
    driver = smtp
    message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
  
@@ -18,7 +18,7 @@ index a92c954..13599ae 100644
  # This transport invokes procmail to deliver mail
  procmail:
    driver = pipe
-@@ -948,6 +957,21 @@ begin rewrite
+@@ -951,6 +960,21 @@ begin rewrite
  #                   AUTHENTICATION CONFIGURATION                     #
  ######################################################################
  
@@ -40,7 +40,7 @@ index a92c954..13599ae 100644
  # The following authenticators support plaintext username/password
  # authentication using the standard PLAIN mechanism and the traditional
  # but non-standard LOGIN mechanism, with Exim acting as the server.
-@@ -963,7 +987,7 @@ begin rewrite
+@@ -966,7 +990,7 @@ begin rewrite
  # The default RCPT ACL checks for successful authentication, and will accept
  # messages from authenticated users from anywhere on the Internet.
  

exim-4.90.1-spamdconf.patch

@@ -1,5 +1,7 @@
---- a/src/configure.default.spamd	2016-12-25 21:06:57.453758443 +0000
-+++ b/src/configure.default	2016-12-25 21:07:49.940188407 +0000
+diff --git a/src/configure.default b/src/configure.default
+index 0675b40..8b4575c 100644
+--- a/src/configure.default
++++ b/src/configure.default
 @@ -109,6 +109,7 @@ hostlist   relay_from_hosts = localhost
  
  acl_smtp_rcpt = acl_check_rcpt
@@ -17,7 +19,7 @@
  
  
  # For spam scanning, there is a similar option that defines the interface to
-@@ -431,7 +432,8 @@ acl_check_rcpt:
+@@ -434,7 +435,8 @@ acl_check_rcpt:
    accept  local_parts   = postmaster
            domains       = +local_domains
  
@@ -27,7 +29,7 @@
  
    require verify        = sender
  
-@@ -535,27 +537,63 @@ acl_check_data:
+@@ -538,27 +540,63 @@ acl_check_data:
                         got $max_received_linelength
            condition  = ${if > {$max_received_linelength}{998}}
  
@@ -50,17 +52,17 @@
 -  # Add headers to a message if it is judged to be spam. Before enabling this,
 -  # you must install SpamAssassin. You may also need to set the spamd_address
 -  # option above.
--  #
++  # Bypass SpamAssassin checks if the message is too large.
+   #
 -  # warn    spam       = nobody
 -  #         add_header = X-Spam_score: $spam_score\n\
 -  #                      X-Spam_score_int: $spam_score_int\n\
 -  #                      X-Spam_bar: $spam_bar\n\
 -  #                      X-Spam_report: $spam_report
-+  # Bypass SpamAssassin checks if the message is too large.
-+  #
 +  # accept  condition  = ${if >={$message_size}{100000} {1}}
 +  #         add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
-+
+ 
+-  # Accept the message.
 +  # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
 +  # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
 +  # score exceeds the SA system threshold.
@@ -76,8 +78,7 @@
 +  #
 +  # warn    add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
 +  #                      X-Spam-Report: $spam_report
- 
--  # Accept the message.
++
 +  # And reject if the SpamAssassin score is greater than ten
 +  #
 +  # deny    condition = ${if >{$spam_score_int}{100} {1}}

exim.spec

@@ -13,8 +13,8 @@
 
 Summary: The exim mail transfer agent
 Name: exim
-Version: 4.89
-Release: 7%{?dist}
+Version: 4.90.1
+Release: 3%{?dist}
 License: GPLv2+
 Url: http://www.exim.org/
 Group: System Environment/Daemons
@@ -46,42 +46,35 @@ Source24: exim.service
 Source25: exim-gen-cert
 Source26: clamd.exim.service
 
-Patch4: exim-4.88-rhl.patch
-Patch6: exim-4.89-config.patch
+Patch4: exim-4.90.1-rhl.patch
+Patch6: exim-4.90.1-config.patch
 Patch8: exim-4.82-libdir.patch
-Patch12: exim-4.88-cyrus.patch
-Patch13: exim-4.88-pamconfig.patch
-Patch14: exim-4.87-spamdconf.patch
-Patch18: exim-4.89-dlopen-localscan.patch
-Patch19: exim-4.88-procmail.patch
-Patch20: exim-4.88-allow-filter.patch
+Patch12: exim-4.90.1-cyrus.patch
+Patch13: exim-4.90.1-pamconfig.patch
+Patch14: exim-4.90.1-spamdconf.patch
+Patch18: exim-4.90.1-dlopen-localscan.patch
+Patch19: exim-4.90.1-procmail.patch
+Patch20: exim-4.90.1-allow-filter.patch
 Patch21: exim-4.87-localhost-is-local.patch
-Patch22: exim-4.88-greylist-conf.patch
-Patch23: exim-4.88-smarthost-config.patch
-Patch25: exim-4.87-dynlookup-config.patch
-# Upstream ticket: http://bugs.exim.org/show_bug.cgi?id=1584
+Patch22: exim-4.90.1-greylist-conf.patch
+Patch23: exim-4.90.1-smarthost-config.patch
+Patch25: exim-4.90.1-dynlookup-config.patch
 Patch26: exim-4.85-pic.patch
-Patch27: exim-4.89-environment.patch
-# Backported from upstream:
-# https://github.com/Exim/exim/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21
-Patch28: exim-4.89-CVE-2017-1000369.patch
-# Backported from upstream:
-# https://git.exim.org/exim.git/commitdiff/14de8063d82edc5bf003ed50abdea55ac542679b
-Patch29: exim-4.89-calloutsize.patch
-Patch30: exim-4.89-mariadb-macro-fix.patch
-Patch31: exim-4.89-CVE-2017-16943.patch
+Patch27: exim-4.90.1-environment.patch
+Patch28: exim-4.90.1-dec64table-read-fix.patch
 
 Requires: /etc/pki/tls/certs /etc/pki/tls/private
 Requires: /etc/aliases
 Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 BuildRequires: libdb-devel openssl-devel openldap-devel pam-devel
 BuildRequires: pcre-devel sqlite-devel tcp_wrappers-devel cyrus-sasl-devel
-BuildRequires: openldap-devel openssl-devel mariadb-connector-c-devel postgresql-devel
+BuildRequires: openldap-devel openssl-devel mysql-devel postgresql-devel
 BuildRequires: libXaw-devel libXmu-devel libXext-devel libX11-devel libSM-devel
 BuildRequires: perl-devel
 BuildRequires: perl-generators
 BuildRequires: libICE-devel libXpm-devel libXt-devel perl(ExtUtils::Embed)
-BuildRequires: systemd-units libgsasl-devel
+# mariadb-devel for mariadb pkgconfig
+BuildRequires: systemd-units libgsasl-devel mariadb-devel
 
 %description
 Exim is a message transfer agent (MTA) developed at the University of
@@ -216,10 +209,8 @@ greylisting unconditional.
 %patch25 -p1 -b .dynconfig
 %patch26 -p1 -b .fpic
 %patch27 -p1 -b .environment
-%patch28 -p1 -b .CVE-2017-1000369
-%patch29 -p1 -b .calloutsize
-%patch30 -p1 -b .mariadb-macro-fix
-%patch31 -p1 -b .CVE-2017-16943
+# Backported from upstream
+%patch28 -p1 -b .dec64table-read-fix
 
 cp src/EDITME Local/Makefile
 sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@@ -600,14 +591,30 @@ test "$1"  = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
 %{_sysconfdir}/cron.daily/greylist-tidy.sh
 
 %changelog
-* Mon Nov 27 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-7
+* Wed Mar 14 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.90.1-3
+- Fixed dec64table OOB read in b64decode
+
+* Fri Feb 16 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.90.1-2
+- Fixed mysql module
+
+* Tue Feb 13 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.90.1-1
+- New version
+  Resolves: rhbz#1527710
+- Fixed buffer overflow in utility function
+  Resolves: CVE-2018-6789
+- Updated and defuzzified patches
+- Dropped mariadb-macro-fix patch (not needed)
+- Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943,
+  CVE-2017-16944 patches (all upstreamed)
+
+* Fri Dec  1 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-7
+- Fixed denial of service
+  Resolves: CVE-2017-16944
+
+* Mon Nov 27 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-6
 - Fixed use-after-free
   Resolves: CVE-2017-16943
 
-* Fri Nov 10 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-6
-- Used mariadb-connector-c-devel instead of mysql-devel
-  Resolves: rhbz#1494094
-
 * Fri Aug 18 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-5
 - Fixed compilation with the mariadb-10.2
   Resolves: rhbz#1467312

sources

@@ -1 +1 @@
-SHA512 (exim-4.89.tar.xz) = ce5faef3847a5baf1b4fec1ffe46ce7efaafb24e63bcc52a61f38e8312a88eccaa816c3947ba428bef3eed38b1e91e606f6ed07bc0a3e14c6a6ed0ecb41eb9fa
+SHA512 (exim-4.90.1.tar.xz) = b4830a2e03023b2bafc9e62535f467bb61b0f1398b6b3af0a7ef6f49e6cba60a9496e6762d0898b7ac1c2823db8cf96ed9f37e26b05809b4ba01725d9e72b806