Heiko Schlittermann (HS12-RIPE) [Sat, 1 May 2021 10:04:41 +0000 (12:04 +0200)]
Merge branch 'exim-4.92.3+fixes+qualys' into exim-4.92.3+fixes
Backported from 4.94.2
- minimal set of Qualys patches where appliciable
- cherry-picks for other patches
Testsuite (using GNUTLS) has the same failures as 4.92.3+fixes
Heiko Schlittermann (HS12-RIPE) [Fri, 30 Apr 2021 08:47:45 +0000 (10:47 +0200)]
Fix BDAT issue for body w/o trailing CRLF (again Bug 1974)
(cherry picked from commit
919111edac911ba9c15422eafd7c5bf14d416d26)
Heiko Schlittermann (HS12-RIPE) [Thu, 29 Apr 2021 22:37:53 +0000 (00:37 +0200)]
testsuite: reproduce BDAT with missing eol (Bug 1974)
(cherry picked from commit
e9cecc465a570c1a4f34b199eae6bdd0a52ee2b0)
Heiko Schlittermann (HS12-RIPE) [Sat, 1 May 2021 09:21:22 +0000 (11:21 +0200)]
testsuite: adjustments for CVE-2020-28014, CVE-2021-27216 (Arbitrary PID file creation)
Heiko Schlittermann (HS12-RIPE) [Thu, 25 Mar 2021 21:48:09 +0000 (22:48 +0100)]
CVE-2020-28014, CVE-2021-27216: Arbitrary PID file creation, clobbering, and deletion
Arbitrary PID file creation, clobbering, and deletion.
Patch provided by Qualys.
(cherry picked from commit
974f32939a922512b27d9f0a8a1cb5dec60e7d37)
(cherry picked from commit
43c6f0b83200b7082353c50187ef75de3704580a)
Heiko Schlittermann (HS12-RIPE) [Sat, 1 May 2021 09:07:11 +0000 (11:07 +0200)]
testsuite: adjustments for CVE-2020-28008 (spool dir attacks)
Heiko Schlittermann (HS12-RIPE) [Sun, 14 Mar 2021 11:16:57 +0000 (12:16 +0100)]
CVE-2020-28008: Assorted attacks in Exim's spool directory
We patch dbfn_open() by introducing two functions priv_drop_temp() and
priv_restore() (inspired by OpenSSH's functions temporarily_use_uid()
and restore_uid()), which temporarily drop and restore root privileges
thanks to seteuid(). This goes against Exim's developers' wishes ("Exim
(the project) doesn't trust seteuid to work reliably") but, to the best
of our knowledge, seteuid() works everywhere and is the only way to
securely fix dbfn_open().
(cherry picked from commit
18da59151dbafa89be61c63580bdb295db36e374)
(cherry picked from commit
b05dc3573f4cd476482374b0ac0393153d344338)
Qualys Security Advisory [Tue, 23 Feb 2021 16:33:03 +0000 (08:33 -0800)]
CVE-2020-28007: Link attack in Exim's log directory
We patch this vulnerability by opening (instead of just creating) the
log file in an unprivileged (exim) child process, and by passing this
file descriptor back to the privileged (root) parent process. The two
functions log_send_fd() and log_recv_fd() are inspired by OpenSSH's
functions mm_send_fd() and mm_receive_fd(); thanks!
This patch also fixes:
- a NULL-pointer dereference in usr1_handler() (this signal handler is
installed before process_log_path is initialized);
- a file-descriptor leak in dmarc_write_history_file() (two return paths
did not close history_file_fd).
Note: the use of log_open_as_exim() in dmarc_write_history_file() should
be fine because the documentation explicitly states "Make sure the
directory of this file is writable by the user exim runs as."
(cherry picked from commit
2502cc41d1d92c1413eca6a4ba035c21162662bd)
(cherry picked from commit
93e9a18fbf09deb59bd133986f4c89aeb2d2d86a)
Qualys Security Advisory [Mon, 22 Feb 2021 06:36:10 +0000 (22:36 -0800)]
CVE-2020-28019: Failure to reset function pointer after BDAT error
Based on Phil Pennock's commits
4715403e and
151ffd72, and Jeremy
Harris's commits
aa171254 and
9aceb5c2.
Qualys Security Advisory [Mon, 22 Feb 2021 06:30:03 +0000 (22:30 -0800)]
Security: Avoid modification of constant data in dkim handling
Based on Heiko Schlittermann's commits
f880c7f3 and
c118c7f4. This
fixes:
6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called
with a global orig_data and hence canon_data, and the following line can
therefore modify data that should be constant:
773 canon_data->len = b->bodylength - b->signed_body_bytes;
For example, the following proof of concept sets lineending.len to 0
(this should not be possible):
(sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25
(gdb) print lineending
$1 = {data = 0x55e18035b2ad "\r\n", len = 2}
(gdb) print &lineending.len
$3 = (size_t *) 0x55e180385948 <lineending+8>
(gdb) watch *(size_t *) 0x55e180385948
Hardware watchpoint 1: *(size_t *) 0x55e180385948
Old value = 2
New value = 0
(gdb) print lineending
$5 = {data = 0x55e18035b2ad "\r\n", len = 0}
Qualys Security Advisory [Mon, 22 Feb 2021 06:24:13 +0000 (22:24 -0800)]
Security: Leave a clean smtp_out input buffer even in case of read error
Based on Heiko Schlittermann's commit
54895bc3. This fixes:
7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
when -1 is returned. This does not seem to have bad consequences, but is
maybe not the intended behavior.
Qualys Security Advisory [Mon, 22 Feb 2021 06:19:42 +0000 (22:19 -0800)]
Security: Avoid decrement of dkim_collect_input if already at 0
Based on Heiko Schlittermann's commit
bf2d6e58. This fixes:
5/ receive_msg() calls dkim_exim_verify_finish(), which sets
dkim_collect_input to 0 and calls pdkim_feed_finish(), which calls
pdkim_header_complete(), which decreases dkim_collect_input to UINT_MAX,
which reactivates the DKIM code.
As a result, pdkim_feed() is called again (through receive_getc at the
end of receive_msg()), but functions like pdkim_finish_bodyhash() and
exim_sha_finish() have already been called (in pdkim_feed_finish()).
This suggests a use-after-free.
But it seems that a use-after-free would happen only with
EVP_DigestFinal() (in exim_sha_finish()), which does not seem to be
reachable via DKIM (no SHA3). But we checked OpenSSL only, not GnuTLS.
Here is a proof of concept that triggers the bug (which came very close
to a security vulnerability):
(sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'BDAT 42 LAST'; date >&2; sleep 30; printf 'not a valid header line\r\n
DKIM-Signature:\r\nXXX'; sleep 30) | nc -n -v 192.168.56.102 25
(gdb) print &dkim_collect_input
$2 = (unsigned int *) 0x55e180386d90 <dkim_collect_input>
(gdb) watch *(unsigned int *) 0x55e180386d90
Hardware watchpoint 1: *(unsigned int *) 0x55e180386d90
Old value = 0
New value =
4294967295
#0 0x000055e18031f805 in pdkim_header_complete (ctx=ctx@entry=0x55e181b9e8e0) at pdkim.c:1006
#1 0x000055e18032106c in pdkim_feed_finish (ctx=0x55e181b9e8e0, return_signatures=0x55e180386d78 <dkim_signatures>, err=err@entry=0x7ffe443e1d00) at pdkim.c:1490
#2 0x000055e1802a3280 in dkim_exim_verify_finish () at dkim.c:328
#3 0x000055e1802c9d1d in receive_msg (extract_recip=extract_recip@entry=0) at receive.c:3409
Qualys Security Advisory [Mon, 22 Feb 2021 06:13:18 +0000 (22:13 -0800)]
Security: Fix off-by-one in smtp transport (read response)
Based on Heiko Schlittermann's commit
1887a160. This fixes:
1/ In src/transports/smtp.c:
2281 int n = sizeof(sx->buffer);
2282 uschar * rsp = sx->buffer;
2283
2284 if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
2285 { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
This should probably be either:
rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1;
or:
rsp = sx->buffer + n; n = sizeof(sx->buffer) - n;
(not sure which) to avoid an off-by-one.
Qualys Security Advisory [Mon, 22 Feb 2021 06:09:06 +0000 (22:09 -0800)]
Security: Always exit when LOG_PANIC_DIE is set
Qualys Security Advisory [Mon, 22 Feb 2021 06:05:37 +0000 (22:05 -0800)]
Security: Check overrun rcpt_count integer
Based on Heiko Schlittermann's commit
e5cb5e61. This fixes:
4/ In src/smtp_in.c:
4966 case RCPT_CMD:
4967 HAD(SCH_RCPT);
4968 rcpt_count++;
....
5123 if (rcpt_count > recipients_max && recipients_max > 0)
In theory this recipients_max check can be bypassed, because the int
rcpt_count can overflow (become negative). In practice this would either
consume too much memory or generate too much network traffic, but maybe
it should be fixed anyway.
Qualys Security Advisory [Mon, 22 Feb 2021 06:00:31 +0000 (22:00 -0800)]
Security: Safeguard against relative names for msglog files.
Based on Heiko Schlittermann's commit
4f0ac4ad. This fixes:
3/ In src/deliver.c:
333 static int
334 open_msglog_file(uschar *filename, int mode, uschar **error)
335 {
336 if (Ustrstr(filename, US"/../"))
337 log_write(0, LOG_MAIN|LOG_PANIC,
338 "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);
Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log
the /../ attempt but will open the file anyway.
Qualys Security Advisory [Mon, 22 Feb 2021 05:53:55 +0000 (21:53 -0800)]
CVE-2020-28012: Missing close-on-exec flag for privileged pipe
Qualys Security Advisory [Mon, 22 Feb 2021 05:49:30 +0000 (21:49 -0800)]
CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
Qualys Security Advisory [Mon, 22 Feb 2021 05:45:19 +0000 (21:45 -0800)]
CVE-2020-28009: Integer overflow in get_stdinput()
Qualys Security Advisory [Mon, 22 Feb 2021 05:26:53 +0000 (21:26 -0800)]
CVE-2020-28015+28021: New-line injection into spool header file
Qualys Security Advisory [Mon, 22 Feb 2021 05:17:31 +0000 (21:17 -0800)]
CVE-2020-28026: Line truncation and injection in spool_read_header()
This also fixes:
2/ In src/spool_in.c:
462 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
463 && big_buffer[len-1] != '\n'
464 )
465 { /* buffer not big enough for line; certs make this possible */
466 uschar * buf;
467 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
468 buf = store_get_perm(big_buffer_size *= 2, FALSE);
469 memcpy(buf, big_buffer, --len);
The --len in memcpy() chops off a useful byte (we know for sure that
big_buffer[len-1] is not a '\n' because we entered the while loop).
Qualys Security Advisory [Mon, 22 Feb 2021 03:53:43 +0000 (19:53 -0800)]
CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
Based on Phil Pennock's commit
c5017adf.
Qualys Security Advisory [Mon, 22 Feb 2021 03:46:55 +0000 (19:46 -0800)]
CVE-2020-28017: Integer overflow in receive_add_recipient()
Based on Phil Pennock's commit
e3b441f7.
Qualys Security Advisory [Mon, 22 Feb 2021 03:40:21 +0000 (19:40 -0800)]
Security: Refuse negative and large store allocations
Based on Phil Pennock's commits
b34d3046 and
e6c1606a.
Qualys Security Advisory [Mon, 22 Feb 2021 03:28:28 +0000 (19:28 -0800)]
CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
Based on Phil Pennock's commit
8a50c88a.
Qualys Security Advisory [Mon, 22 Feb 2021 03:22:33 +0000 (19:22 -0800)]
CVE-2020-28011: Heap buffer overflow in queue_run()
Qualys Security Advisory [Mon, 22 Feb 2021 03:17:32 +0000 (19:17 -0800)]
CVE-2020-28010: Heap out-of-bounds write in main()
Based on Phil Pennock's commit
0f57feb4.
Qualys Security Advisory [Mon, 22 Feb 2021 03:11:55 +0000 (19:11 -0800)]
CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
Extracted from Jeremy Harris's commit
afaf5a50.
Qualys Security Advisory [Mon, 22 Feb 2021 03:05:56 +0000 (19:05 -0800)]
CVE-2020-28018: Use-after-free in tls-openssl.c
Qualys Security Advisory [Mon, 22 Feb 2021 02:54:16 +0000 (18:54 -0800)]
CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
Jeremy Harris [Sat, 19 Oct 2019 21:25:27 +0000 (22:25 +0100)]
CHUNKING: fix all-RCPTs-rejected, non-pipelined. Bug 2454
(cherry picked from commit
c5040dfdb523ce2a14efbdfa0d3eb69d3afef65a)
Jeremy Harris [Sat, 12 Oct 2019 13:12:56 +0000 (14:12 +0100)]
Fix errorcheck in smtp transport
Jeremy Harris [Fri, 20 Sep 2019 09:23:46 +0000 (10:23 +0100)]
Testsuite: avoid picking 0.0.0.0 as the HOSTIPV4; permit 10.0/8 apart from 10.250.0/16
Solaris leaves 0.0.0.0 lying around (for not-UP interfaces)
The suite only needs testspace under 10.250.0/16 so we can permit the ret,
making testing on many NATted 10.0/8 subnets possible.
(cherry picked from commit
5c03403d88afcde2bb3f543296b0fca6f05c9f2c)
(cherry picked from commit
bcbca153505de435c881e71297fde83c3ac02cc1)
Heiko Schlittermann (HS12-RIPE) [Fri, 6 Sep 2019 04:57:11 +0000 (06:57 +0200)]
fixup! exim_dbmbuild: handle { '\\', '\0' } sequence.
Credits to Qualys for double checking and reporting.
(cherry picked from commit
cdc7f9a9667ecf31d803fc8d1a31b466284360bd)
Heiko Schlittermann (HS12-RIPE) [Thu, 5 Sep 2019 12:56:22 +0000 (14:56 +0200)]
exim_dbmbuild: handle { '\\', '\0' } sequence.
This fix matches the change introduced for CVE-2019-15846, but
isn't considered as a security issue, exim_dbmbuild is not designed to
to run on untrusted data.
Thanks to Thomas Hoger (RedHat) for pointing out.
(cherry picked from commit
66935633816a88460f5222f40dc29d1a4e877978)
Jeremy Harris [Tue, 27 Aug 2019 16:44:52 +0000 (17:44 +0100)]
Fix ${domain:} for a bare local-part input. Bug 2375
Broken-by: cebd5bd2ab
(cherry picked from commit
c5b0340697326238b0e2afd9d341185077d60d35)
(cherry picked from commit
92b922fae5bbd5a70da4c5aa2f43a457842c30eb)
(cherry picked from commit
deda0b271ccd27ae76bd69ad1c1d0ef73e20091d)
Bruce Lee [Tue, 30 Jul 2019 21:43:14 +0000 (22:43 +0100)]
Auth: handle socket read errors in Dovecot authenticator
(cherry picked from commit
c9f1be94cc304f0343c93b66efa41a747d307fb1)
(cherry picked from commit
4ba26a040b8765dea7134c883d046418a8b053a1)
(cherry picked from commit
2ac2eff3c9914a9c77b03db64b31819f361576b9)
Jeremy Harris [Sun, 28 Jul 2019 13:47:29 +0000 (14:47 +0100)]
Fix crash after TLS channel shutdown
(cherry picked from commit
bd231acd0f24e4c27c6d6885f48c24360700ec7f)
(cherry picked from commit
513adf9d59bd8d9515a3c6b9c092a2c376cc6102)
(cherry picked from commit
c8535a954a3ec877083b39088f385ed3174abab7)
Jeremy Harris [Sat, 29 Jun 2019 18:37:57 +0000 (19:37 +0100)]
Fix bounce generation under RFC 3461 request. Bug 2411
Broken-by: ea97267cea
(cherry picked from commit
df98a6ff2e70887890690ffbf8a8ad583d7d7e38)
(cherry picked from commit
b4a37a77271a8f6efc887d68265eb7867eff6170)
(cherry picked from commit
145416c70b2e4422f0ff03f402da33a4a4db29e2)
(cherry picked from commit
ee2d305425037fc3bc00e6e44e990a88a92433ab)
Jeremy Harris [Wed, 26 Jun 2019 10:17:52 +0000 (11:17 +0100)]
Fix DSN Final-Recipient: field
(cherry picked from commits
436bda2ac0c4 and
98d4eb7a84)
(cherry picked from commit
6b88f51ac13b4fa834796ce12d12c55c95eacc4a)
(cherry picked from commit
ce4d8eca9d3940bb439cdb74a250090fee5538d4)
(cherry picked from commit
f41bc530a8b1a66e811e5c3b4da3df72ecba0e1d)
Phil Pennock [Wed, 5 Jun 2019 09:35:28 +0000 (05:35 -0400)]
Unbreak heimdal_gssapi auth driver
Commit
251b9eb46 broke heimdal_gssapi by changing the function
definition in the `.c` without changing the declaration in the `.h`.
Was part of 4.92.
Make corresponding `.h` change to reflect newer internal API.
(cherry picked from commit
6ee110613402e8562c03b4a11c3ffbdbd47bd153)
(cherry picked from commit
40fe3ea73eb7524a6143755854633ed8392d39b4)
(cherry picked from commit
171adf11d72efb4781a3028a849e0ed6e521a4fa)
(cherry picked from commit
250dc372cfb64dfb21db2e7bd67ed28822aa132d)
Jeremy Harris [Fri, 7 Jun 2019 10:54:10 +0000 (11:54 +0100)]
Fix detection of 32b platform at build time. Bug 2405
(cherry picked from commit
26dd3aa007b3b77969610c031f59388e0953bd00)
(cherry picked from commit
da7f749864e0807f796b8fa19573484c92bdc5c2)
(cherry picked from commit
a8e52cc464c132b8c88718af4367a01538d65b5a)
(cherry picked from commit
d508b5ca595a418667a1ae10e6cadf48a901c6f3)
Jeremy Harris [Tue, 4 Jun 2019 17:13:21 +0000 (18:13 +0100)]
Use dsn_from for success-DSN messages. Bug 2404
(cherry picked from commit
87abcb247b4444bab5fd0bcb212ddb26d5fd9191)
(cherry picked from commit
454bab46ae6812e29652d10c390451c962a6f806)
(cherry picked from commit
9eebb5a0ed51584c18af8b08a27695b806980775)
(cherry picked from commit
09898a2fe75f7044f9f46bd01dcd0e2f22f61d0d)
Jeremy Harris [Sun, 19 May 2019 11:12:36 +0000 (12:12 +0100)]
GnuTLS: fix the advertising of acceptable certs by the server. Bug 2389
(cherry picked from commit
12d95aa62042377fc9f603245a17a43142972447)
(cherry picked from commit
44893ba5249c6c6d5a0d62a1cc57ba3fbf7185b4)
(cherry picked from commit
7eb6988c118847820de130c9317f851983e0ba8b)
(cherry picked from commit
7894bfc6ccf7157dc5d8a11e297fb71968dd2904)
Jeremy Harris [Fri, 10 May 2019 14:35:58 +0000 (15:35 +0100)]
Fix listing a named queue by a non-admin user. Bug 2398
(cherry picked from commit
e5903596a0)
(cherry picked from commit
affc23f0d27bfbca773094146d7e62872ed2895b)
(cherry picked from commit
772e1c684e79465df71157cdccc57739bb841cae)
(cherry picked from commit
fbf6767e15a0367d3f3a8462bc3a87d96bf7b71a)
Jeremy Harris [Tue, 7 May 2019 21:55:41 +0000 (22:55 +0100)]
GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp
(cherry picked from commit
7a501c874f028f689c44999ab05bb0d39da46941)
(cherry picked from commit
5e64b73ef7cdaf20b998b3345a588b462fd30bfb)
(cherry picked from commit
31700e5410af3d27654ff0a32c20d30b1a1e10c3)
(cherry picked from commit
6712694eae57a7d3544c6f0d8a6c03cd246fdb48)
Jeremy Harris [Fri, 26 Apr 2019 10:16:47 +0000 (11:16 +0100)]
Jeremy Harris [Thu, 25 Apr 2019 17:41:52 +0000 (18:41 +0100)]
Jeremy Harris [Thu, 25 Apr 2019 17:24:33 +0000 (18:24 +0100)]
GnuTLS 3.6.7 cipher strings
(cherry picked from commits
d9acfc1ce6,
57eb2f6463,
b9c6f63cd5)
WARNING: This changes user-visible and configuration-visible behaviour.
Read the ChangeLog!
(cherry picked from commit
656b804e099a4704bd6071241a85bc1e0cc85887)
(cherry picked from commit
bf9375eaa85bfa0dbb973aa03accbe5f21808732)
(cherry picked from commit
d3a0dde57754d2b434957c126e1a22e2094cbbf1)
Jeremy Harris [Thu, 25 Apr 2019 09:35:18 +0000 (10:35 +0100)]
Testsuite: output changes resulting
Broken-by: 67ea939cf0
(cherry picked from commit
42e0d3fe36ac7270609a3389f5204a252bcf7d79)
(cherry picked from commit
62e8cac93cff841d8d657363ece7a4367ccc94b3)
(cherry picked from commit
abcd3b69cb147bb6206d5a7013b27909c1e0288a)
(cherry picked from commit
0fca1008dd8d9eecdb6218a4d4ea0f7bfe29502c)
Heiko Schlittermann (HS12-RIPE) [Fri, 12 Apr 2019 14:16:57 +0000 (16:16 +0200)]
Docs: Remove GNUmake idioms from Makefile, give power to "mv"
On at least one *BSD system, /tmp is owned by root:wheel and
files created there are owned by <creator>:wheel. The following
mv /tmp/<tmpfile> to an existing file with other permissions fails
for the non-privileged user.
This cherry was picked just for the sake of some build farm animals.
(cherry picked from commit
efab32198fdf1a469b2d8b28dcf264d6fc7b8e65)
(cherry picked from commit
8120bdf12e2008621c0a3c4f965075528a0b0005)
(cherry picked from commit
980b106561b5b7ad9dd4c501d05a4f9083ef7417)
Jeremy Harris [Thu, 4 Apr 2019 13:33:28 +0000 (14:33 +0100)]
Jeremy Harris [Fri, 5 Apr 2019 12:38:54 +0000 (13:38 +0100)]
Fix build with recent LibreSSL, when including DANE. Bug 2386
(cherry picked from commit
c19ab167ac and
1fbf41cdf6
(cherry picked from commit
0d82437ff97668a34a67b4ba398d1294ec016d3a)
(cherry picked from commit
09cc73f04332f420e07f4bc8bb2e2466c2460067)
(cherry picked from commit
f627fcf379d9453326672016168e2e73f6c42916)
Jeremy Harris [Fri, 22 Mar 2019 15:00:23 +0000 (15:00 +0000)]
Jeremy Harris [Thu, 21 Mar 2019 20:01:03 +0000 (20:01 +0000)]
Harden plaintext authenticator
Cherry-picked from:
f9fc942757
(cherry picked from commit
e5b942ae007d0533fbd599c64d550f3a8355b940)
(cherry picked from commit
7556111f007c98f11adfa27c492d73b775886d9d)
(cherry picked from commit
3063baa25c0a8103438ee73051e61f82476861b3)
Jeremy Harris [Tue, 19 Mar 2019 15:33:31 +0000 (15:33 +0000)]
OpenSSL: Fix aggregation of messages.
Broken-by: a5ffa9b475
(cherry picked from commit
c09dbcfb71f4b9a42cbfd8a20e0be6bfa1b12488)
(cherry picked from commit
332ebeaf8139b2b75f475880fc14b63c7c45c706)
(cherry picked from commit
1bd4207a399775cf842607930e76c14ac54327df)
(cherry picked from commit
412885bdba907588c5ac8ea789e673c3198d381a)
Jeremy Harris [Mon, 18 Mar 2019 00:31:43 +0000 (00:31 +0000)]
Jeremy Harris [Thu, 14 Mar 2019 12:26:34 +0000 (12:26 +0000)]
Jeremy Harris [Tue, 19 Feb 2019 14:45:27 +0000 (14:45 +0000)]
Docs: Add note on lsearch for IPv4-mapped IPv6 addresses
Cherry-picked from:
52af443324,
c77d3d85fe
(cherry picked from commit
8dde16b89efe2138f92cbfa6c59fb31dc80ec22a)
(cherry picked from commit
a457174087afff3685856e295bd8ffcfefe0e05e)
(cherry picked from commit
8eb8355567a56d3be58aae59741a60824a105110)
Jasen Betts [Mon, 18 Feb 2019 13:52:16 +0000 (13:52 +0000)]
Fix expansions for RFC 822 addresses having comments in local-part and/or domain. Bug 2375
(cherry picked from commit
e2ff8e24f41caca3623228b1ec66a3f3961ecad6)
(cherry picked from commit
f634b80846cc7ffcab65c9855bcb35312f0232e8)
(cherry picked from commit
cebd5bd2ab84c7815a9b99c0f0f16e829af7b4bc)
(cherry picked from commit
27662d806b99c9369e564f6f33769836c27085df)
Jeremy Harris [Sat, 16 Feb 2019 12:59:23 +0000 (12:59 +0000)]
GnuTLS: Fix client detection of server reject of client cert under TLS1.3
(cherry picked from commit
fc243e944ec00b59b75f41d07494116f925d58b4)
(cherry picked from commit
c15523829ba17cce5829e2976aa1ff928965d948)
(cherry picked from commit
c18e2c3b059f6bfd1c6e9a65ffc8243a4d8034fe)
(cherry picked from commit
c07419f2eda0c1a3f2fe7282de9da2e661b8b068)
Jeremy Harris [Sat, 16 Feb 2019 15:47:52 +0000 (15:47 +0000)]
Jeremy Harris [Thu, 14 Feb 2019 17:14:34 +0000 (17:14 +0000)]
Fix info on using local_scan() in the default Makefile
Broken-by: 9723f96673
(cherry picked from commit
882bc1704d33aa34873e3a0f72e657b0cc2985e5)
(cherry picked from commit
cb25b75af850d664fc005d24fbad0e58bf79d4c7)
(cherry picked from commit
2c7c4a9c23950044507a78956ca2c23f9c6a9491)
(cherry picked from commit
0799ba118b9c83731c1db34affcf9fecc10fd627)
Jeremy Harris [Thu, 14 Feb 2019 16:44:46 +0000 (16:44 +0000)]
Jeremy Harris [Tue, 12 Feb 2019 16:52:51 +0000 (16:52 +0000)]
Fix transport buffer size handling
Broken-by: 59932f7dcd
(cherry picked from commit
05bf16f6217e93594929c8bbbbbc852caf3ed374)
(cherry picked from commit
1cfa7822ca8928f95160df8742af11fff888ae7e)
(cherry picked from commit
0654d3440d8735221a58f96f5343fbe243171711)
(cherry picked from commit
926fce6aaacb525c10c864d4064b1cd086e0dd5a)
Jeremy Harris [Sun, 10 Feb 2019 20:25:59 +0000 (20:25 +0000)]
Testsuite: account for (now) properly working Perl locale
(cherry picked from commit
efc8902f16c92a74d06870f2556cb36c84dd4d93)
(cherry picked from commit
ec8db648d3af8af2d9e6cbd4896159235c0f1e49)
(cherry picked from commit
a8761d62664f96259d815ab84a7a734829972fb3)
(cherry picked from commit
3ba6086fcf3dd298203e688309bbaafc6cadf0c9)
Jeremy Harris [Sat, 9 Feb 2019 16:56:59 +0000 (16:56 +0000)]
Heiko Schlittermann (HS12-RIPE) [Sat, 28 Sep 2019 21:17:41 +0000 (23:17 +0200)]
Docs: Update CVE text about the 4.92.3 release CVE-2019-16928
Heiko Schlittermann (HS12-RIPE) [Sat, 28 Sep 2019 16:50:26 +0000 (18:50 +0200)]
Testsuite: src/client.c: handle long lines read back from the server
Increase the buffer for reading data back from the server, and read
at least until a '\n' appears in the input.
(cherry picked from commit
bb71a66f55c3dd047dd5973c08365a967910f5e1)
Jeremy Harris [Fri, 27 Sep 2019 11:21:49 +0000 (12:21 +0100)]
Fix buffer overflow in string_vformat. CVE-2019-16928 Bug 2449
Add CVE announcement
(cherry picked from commit
478effbfd9c3cc5a627fc671d4bf94d13670d65f)
(cherry picked from commit
c34650401d2d35a6ec3ba1c1a88d395f77030300)
Heiko Schlittermann (HS12-RIPE) [Mon, 19 Aug 2019 12:45:48 +0000 (14:45 +0200)]
string.c: do not interpret '\\' before '\0' (CVE-2019-15846)
Add documents about CVE-2019-15846
Add testcase for CVE-2019-15846
Update Changelog
Add Announcements
Heiko Schlittermann (HS12-RIPE) [Sun, 21 Jul 2019 20:58:13 +0000 (22:58 +0200)]
Update security contact
Heiko Schlittermann (HS12-RIPE) [Sat, 20 Jul 2019 09:43:49 +0000 (11:43 +0200)]
Add security postings for future reference
Jeremy Harris [Fri, 5 Jul 2019 14:38:15 +0000 (15:38 +0100)]
Avoid re-expansion in ${sort } CVE-2019-13917 OVE-
20190718-0006
(cherry picked from commit
5c887f836e4d8e3f79da1c15565b56b40d9bd0dd)
Mad Alex [Wed, 30 Jan 2019 13:57:36 +0000 (13:57 +0000)]
Fix dkim_verify_signers option. Bug 2366
Testsuite coverage by jgh.
Broken-by: d342446f29
Jeremy Harris [Tue, 29 Jan 2019 15:27:26 +0000 (15:27 +0000)]
Docs: clarify quoting for $pipe_addresses
The texinfo output version has single-quotes round a variable,
so the sentence saying "precisely the text" was difficult to
interpret.
Odihambo Washington [Tue, 29 Jan 2019 11:10:26 +0000 (11:10 +0000)]
Docs: correct spamd port
Heiko Schlittermann (HS12-RIPE) [Sun, 27 Jan 2019 18:53:31 +0000 (19:53 +0100)]
configure.default: spacing, de-tabbing
Jeremy Harris [Sat, 12 Jan 2019 20:47:23 +0000 (20:47 +0000)]
Add basic framework for PRDR use with per-user content filters to example config.
Mostly commented-out and with dummy lookups since we do not know what sorts
of filtering may be employed.
(cherry picked from commit
b220576b3ba5396af6b3e0f45739f269079f8fc5)
Heiko Schlittermann (HS12-RIPE) [Tue, 22 Jan 2019 21:33:47 +0000 (22:33 +0100)]
mk_exim_release: tidy
Jeremy Harris [Thu, 24 Jan 2019 21:35:22 +0000 (21:35 +0000)]
Docs: crossref list-separator changing
Jeremy Harris [Thu, 24 Jan 2019 21:21:29 +0000 (21:21 +0000)]
Docs: crossref dlfunc API
Jeremy Harris [Thu, 10 Jan 2019 21:15:11 +0000 (21:15 +0000)]
More checks on header line length during reception
Jeremy Harris [Sat, 5 Jan 2019 19:11:18 +0000 (19:11 +0000)]
Docs: tweak TLS authenticator chapter
Jeremy Harris [Fri, 4 Jan 2019 11:29:19 +0000 (11:29 +0000)]
Docs: missing options
Broken-by: b3ef41c94a
Jeremy Harris [Thu, 3 Jan 2019 21:20:33 +0000 (21:20 +0000)]
Docs: tweak new-drivers chapter
Jeremy Harris [Mon, 31 Dec 2018 13:58:26 +0000 (13:58 +0000)]
PIPE_CONNECT: fix feature-cache refresh
Jeremy Harris [Fri, 28 Dec 2018 20:40:33 +0000 (20:40 +0000)]
Docs: clarify logging from filter
Heiko Schlittermann (HS12-RIPE) [Wed, 26 Dec 2018 11:04:29 +0000 (12:04 +0100)]
Update Changelog for GnuTLS and TLS 1.3 Bug 2359
Fix is in
4896a3192ffac48885347460377edcd893eb9600
Andreas Metzler [Mon, 24 Dec 2018 16:11:41 +0000 (16:11 +0000)]
GnuTLS: repeat lowlevel read and write operations while they request retry
(cherry picked from commit
06faf21f3a84a3ac4aa4f7b1512087423d8c8541)
Heiko Schlittermann (HS12-RIPE) [Tue, 25 Dec 2018 19:38:42 +0000 (20:38 +0100)]
mk_exim_release: more perlish
Heiko Schlittermann (HS12-RIPE) [Tue, 25 Dec 2018 18:17:12 +0000 (19:17 +0100)]
mk_exim_release: integrate signing and checksumming
Jeremy Harris [Sat, 22 Dec 2018 13:36:07 +0000 (13:36 +0000)]
DKIM: better debug for key/signature size mismatch
Jeremy Harris [Fri, 21 Dec 2018 15:36:42 +0000 (15:36 +0000)]
OpenSSL: clear any leftover errors from the stack after SSL_accept succeeds
Heiko Schlittermann (HS12-RIPE) [Thu, 20 Dec 2018 22:06:38 +0000 (23:06 +0100)]
mk_exim_release: output an useful error message when used for older versions
Older releases can't be built with the newer mk_exim_release script,
as there are interdependencies with scripts/reversion and version.sh
Heiko Schlittermann (HS12-RIPE) [Thu, 20 Dec 2018 21:40:53 +0000 (22:40 +0100)]
Recent commit is thanks to Josh Soref
I managed to drop his name, sorry for that.
Heiko Schlittermann (HS12-RIPE) [Thu, 20 Dec 2018 21:25:23 +0000 (22:25 +0100)]
Grammar changes in docs
Heiko Schlittermann (HS12-RIPE) [Thu, 20 Dec 2018 21:11:52 +0000 (22:11 +0100)]
Fix copyright year and exim website URL schema
klemens [Sun, 16 Apr 2017 18:49:32 +0000 (20:49 +0200)]
spelling fixes
Jeremy Harris [Thu, 20 Dec 2018 17:48:52 +0000 (17:48 +0000)]
Docs: tweaks
git://git.exim.org / exim.git / log