Date:      Thu, 27 Jan 2011 02:53:59 +0100
From:      Alexander Wittig <alexander@wittig.name>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/154323: [PATCH] update mail/exim to 4.74
Message-ID:  <E1PiH3f-000LTr-4J@hotzenplotz.wittig.name>
Resent-Message-ID: <201101270200.p0R20Ka6082859@freefall.freebsd.org>


>Number:         154323
>Category:       ports
>Synopsis:       [PATCH] update mail/exim to 4.74
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 27 02:00:19 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Wittig
>Release:        FreeBSD 8.2-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD hotzenplotz.wittig.name 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #0: Wed Jan 19 00:39:51 CET 2011 root@hotzenplotz.wittig.name:/usr/obj/usr/src/sys/ALEX amd64


	
>Description:
Update mail/exim to version 4.74 from 4.73 currently in ports.
This fixes a privilege escalation vulnerability (CVE-2011-0017), but I'm not sure it applies
to FreeBSD.

Changes according to the Changelog (http://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74):

TF/01 Failure to get a lock on a hints database can have serious
      consequences so log it to the panic log.

TF/02 Log LMTP confirmation messages in the same way as SMTP,
      controlled using the smtp_confirmation log selector.

TF/03 Include the error message when we fail to unlink a spool file.

DW/01 Bugzilla 139: Support dynamically loaded lookups as modules.
      With thanks to Steve Haslam, Johannes Berg & Serge Demonchaux
      for maintaining out-of-tree patches for some time.

PP/01 Bugzilla 139: Documentation and portability issues.
      Avoid GNU Makefile-isms, let Exim continue to build on BSD.
      Handle per-OS dynamic-module compilation flags.

PP/02 Let /dev/null have normal permissions.
      The 4.73 fixes were a little too stringent and complained about the
      permissions on /dev/null.  Exempt it from some checks.
      Reported by Andreas M. Kirchwitz.

PP/03 Report version information for many libraries, including
      Exim version information for dynamically loaded libraries.  Created
      version.h, now support a version extension string for distributors
      who patch heavily. Dynamic module ABI change.

PP/04 CVE-2011-0017 - check return value of setuid/setgid. This is a
      privilege escalation vulnerability whereby the Exim run-time user
      can cause root to append content of the attacker's choosing to
      arbitrary files.

PP/05 Bugzilla 1041: merged DCC maintainer's fixes for return code.
      (Wolfgang Breyha)

PP/06 Bugzilla 1071: fix delivery logging with untrusted macros.
      If dropping privileges for untrusted macros, we disabled normal logging
      on the basis that it would fail; for the Exim run-time user, this is not
      the case, and it resulted in successful deliveries going unlogged.
      Fixed.  Reported by Andreas Metzler.



	
>How-To-Repeat:
	
>Fix:
Since all the heavy lifting was done in the update to 4.73, it seems just bumping
the version (as the attached patch does) will do the job.
Tested for two days with my set of options and it works fine.

I also included a spiffy feature I saw in the security/openssl port which
causes "make makesum" to always fetch all dist files, not just the ones
needed for the currently selected options.
	

--- patch begins here ---
diff -uN /usr/ports/mail/exim/Makefile exim.new/Makefile
--- /usr/ports/mail/exim/Makefile	2011-01-10 11:53:13.000000000 +0100
+++ exim.new/Makefile	2011-01-27 02:50:42.000000000 +0100
@@ -42,23 +42,26 @@
 .endif
 .endif
 
-.if defined(WITH_SA_EXIM)
+.if defined(WITH_SA_EXIM) || make(makesum) || defined(FETCH_ALL)
 MASTER_SITES+=	http://marc.merlins.org/linux/exim/files/:sa_exim \
 		SF/sa-exim/sa-exim/${SA_EXIM_VERSION}:sa_exim
 MASTER_SITE_SUBDIR+=	sa-exim/:sa_exim
 DISTFILES+=	sa-exim-${SA_EXIM_VERSION}.tar.gz:sa_exim
 .endif
 
-.if defined(WITH_SO_1024)
+.if defined(WITH_SO_1024) || make(makesum) || defined(FETCH_ALL)
 MASTER_SITES+=	ftp://ftp.renatasystems.org/pub/FreeBSD/ports/distfiles/:so_1024
 DISTFILES+=	spamooborona1024-src-${SO_1024_VERSION}.tar.gz:so_1024
+.endif
+
+.if defined(WITH_SO_1024)
 LDFLAGS+=	-lz
 PLIST_SUB+=	SO_1024=""
 .else
 PLIST_SUB+=	SO_1024="@comment "
 .endif
 
-EXIM_VERSION=	4.73
+EXIM_VERSION=	4.74
 SA_EXIM_VERSION=4.2
 SO_1024_VERSION=3.2
 
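Review bot: the `|| make(makesum) || defined(FETCH_ALL)` condition is repeated verbatim on both the WITH_SA_EXIM and WITH_SO_1024 blocks, and FETCH_ALL is a knob this Makefile neither defines nor documents anywhere else; factor it once (for example set a single variable when `make(makesum)` or `defined(FETCH_ALL)` holds and test that variable in both `.if` lines) and add a one-line comment, because `make makesum` will now have to reach marc.merlins.org, SourceForge and ftp.renatasystems.org even when neither option is selected, and a maintainer seeing it fail on an unreachable mirror should know why. Splitting WITH_SO_1024 into a fetch block and a separate LDFLAGS/PLIST_SUB block is the right shape: the `-lz` and the plist entry must keep depending on the option alone. Since the EXIM_VERSION bump to 4.74 is what closes CVE-2011-0017 named in the description, the commit should be paired with a security/vuxml entry covering mail/exim below 4.74 so that installed 4.73 packages are flagged.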
diff -uN /usr/ports/mail/exim/distinfo exim.new/distinfo
--- /usr/ports/mail/exim/distinfo	2011-01-09 12:19:24.000000000 +0100
+++ exim.new/distinfo	2011-01-27 02:40:37.000000000 +0100
@@ -1,5 +1,5 @@
-SHA256 (exim/exim-4.73.tar.bz2) = a78f4a153f36ad13acf7fb9a3a99c1bc785d38bd757553704c9590afcc00bfd6
-SIZE (exim/exim-4.73.tar.bz2) = 1592788
+SHA256 (exim/exim-4.74.tar.bz2) = e55b51c87e0be920f7f5aee830261566a4def8820f318d14a822fe2ae2ff8e40
+SIZE (exim/exim-4.74.tar.bz2) = 1588636
 SHA256 (exim/sa-exim-4.2.tar.gz) = 72e0a735547f18b05785e6c58a71d24623858f0f5234a5dc0e24cb453999e99a
 SIZE (exim/sa-exim-4.2.tar.gz) = 66575
 SHA256 (exim/spamooborona1024-src-3.2.tar.gz) = ab22a430f3860460045f6b213c68c89700a0cd10cbb6c7a808ece326c53787ee
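Review bot: the new SHA256 and SIZE for exim-4.74.tar.bz2 should be regenerated by the committer from a freshly fetched distfile and cross-checked against upstream's detached signature on ftp.exim.org rather than copied from this patch, since a checksum carried in a PR is only as trustworthy as the submitter's download. The unchanged sa-exim-4.2 and spamooborona1024-src-3.2 context lines show the makesum change in the Makefile hunk did keep the optional distfiles in distinfo.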
Common subdirectories: /usr/ports/mail/exim/files and exim.new/files
--- patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:
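The ChangeLog entry PP/04 quoted in the description summarises CVE-2011-0017 as a missing check on the return value of setuid()/setgid(): if the drop to the run-time user silently fails, the process keeps running as root while believing it is unprivileged, and whatever it appends next lands in a file as root. The C program below is an added illustration of the checked pattern and is not code from Exim, from the PR or from the FreeBSD port; the function names, the log path under /tmp and the sample line are constructed for the example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups() in <grp.h> */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid and verify the kernel applied the change.
 * Returns 0 on success, -1 on failure with errno set.
 * The point of the example: every call is checked. An unchecked
 * setuid()/setgid(), the pattern Exim 4.74 fixed (ChangeLog PP/04),
 * leaves the caller running as root after a failed drop. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Order matters: supplementary groups and gid while still privileged,
     * uid last, because setuid() is the step that gives root away. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Belt and braces: confirm real and effective ids actually changed.
     * setuid() can fail for reasons other than EPERM (EAGAIN under a
     * process limit, for instance); that is exactly the failure an
     * unchecked call would never notice. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Append one line to path as the given run-time user. The file is never
 * opened unless the privilege drop is known to have succeeded, so a
 * failed drop cannot turn this into a root write to an attacker-chosen
 * path. Returns 0 on success, -1 on failure. */
int append_line_unprivileged(const char *path, const char *line,
                             uid_t uid, gid_t gid)
{
    if (drop_privileges(uid, gid) != 0)
        return -1;                    /* still privileged: refuse to write */

    FILE *fp = fopen(path, "a");
    if (fp == NULL)
        return -1;
    int rc = (fputs(line, fp) == EOF) ? -1 : 0;
    if (fclose(fp) != 0)
        rc = -1;
    return rc;
}

int main(void)
{
    /* Constructed sample: drop to our own ids (always allowed) and append. */
    const char *path = "/tmp/drop_priv_example.log";
    if (append_line_unprivileged(path, "example line\n",
                                 getuid(), getgid()) != 0) {
        fprintf(stderr, "append refused or failed: %s\n", strerror(errno));
        return 1;
    }
    printf("appended to %s as uid %u\n", path, (unsigned)getuid());
    return 0;
}
```

Run as an unprivileged user, a request to "drop" to uid 0 fails at setgid() with EPERM and the file is never opened; run as root, the same function drops to the requested user and the subsequent append happens with that user's permissions only.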


