-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.626 2010/06/06 02:46:13 pdp Exp $
-
Change log file for Exim from version 4.21
-------------------------------------------
+Exim version 4.78
+-----------------
+
+PP/01 Handle short writes when writing local log-files.
+ In practice, only affects FreeBSD (8 onwards).
+ Bugzilla 1053, with thanks to Dmitry Isaikin.
+
+NM/01 Bugzilla 949 - Documentation tweak
+
+NM/02 Bugzilla 1093 - eximstats DATA reject detection regexps
+ improved.
+
+NM/03 Bugzilla 1169 - primary_hostname spelling was incorrect in docs.
+
+PP/02 Implemented gsasl authenticator.
+
+PP/03 Implemented heimdal_gssapi authenticator with "server_keytab" option.
+
+PP/04 Local/Makefile support for (AUTH|LOOKUP)_*_PC=foo to use
+ `pkg-config foo` for cflags/libs.
+
+PP/05 Swapped $auth1/$auth2 for gsasl GSSAPI mechanism, to be more consistent
+ with rest of GSASL and with heimdal_gssapi.
+
+PP/06 Local/Makefile support for USE_(GNUTLS|OPENSSL)_PC=foo to use
+ `pkg-config foo` for cflags/libs for the TLS implementation.
+
+PP/07 New expansion variable $tls_bits; Cyrus SASL server connection
+ properties get this fed in as external SSF. A number of robustness
+ and debugging improvements to the cyrus_sasl authenticator.
+
+PP/08 cyrus_sasl server now expands the server_realm option.
+
+PP/09 Bugzilla 1214 - Log authentication information in reject log.
+ Patch by Jeremy Harris.
+
+PP/10 Added dbmjz lookup type.
+
+PP/11 Let heimdal_gssapi authenticator take a SASL message without an authzid.
+
+PP/12 MAIL args handles TAB as well as SP, for better interop with
+ non-compliant senders.
+ Analysis and variant patch by Todd Lyons.
+
+NM/04 Bugzilla 1237 - fix cases where printf format usage no indicated
+ Bug report from Lars Müller <lars@samba.org> (via SUSE),
+ Patch from Dirk Mueller <dmueller@suse.com>
+
+PP/13 tls_peerdn now print-escaped for spool files.
+ Observed some $tls_peerdn in wild which contained \n, which resulted
+ in spool file corruption.
+
+PP/14 TLS fixes for OpenSSL: support TLS 1.1 & 1.2; new "openssl_options"
+ values; set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read
+ or write after TLS renegotiation, which otherwise led to messages
+ "Got SSL error 2".
+
+TK/01 Bugzilla 1239 - fix DKIM verification when signature was not inserted
+ as a tracking header (ie: a signed header comes before the signature).
+ Patch from Wolfgang Breyha.
+
+JH/01 Bugzilla 660 - Multi-valued attributes from ldap now parseable as a
+ comma-sep list; embedded commas doubled.
+
+PP/15 LDAP: Check for errors of TLS initialisation, to give correct
+ diagnostics.
+ Report and patch from Dmitry Banschikov.
+
+PP/16 Removed "dont_insert_empty_fragments" fron "openssl_options".
+ Removed SSL_clear() after SSL_new() which led to protocol negotiation
+ failures. We appear to now support TLS1.1+ with Exim.
+
+PP/17 OpenSSL: new expansion var $tls_sni, which if used in tls_certificate
+ lets Exim select keys and certificates based upon TLS SNI from client.
+ Also option tls_sni on SMTP Transports. Also clear $tls_bits correctly
+ before an outbound SMTP session. New log_selector, +tls_sni.
+
+PP/18 Bugzilla 1122 - check localhost_number expansion for failure, avoid
+ NULL dereference. Report and patch from Alun Jones.
+
+PP/19 DNS resolver init changes for NetBSD compatibility. (Risk of breakage
+ on less well tested platforms). Obviates NetBSD pkgsrc patch-ac.
+ Not seeing resolver debug output on NetBSD, but suspect this is a
+ resolver implementation change.
+
+PP/20 Revert part of NM/04, it broke log_path containing %D expansions.
+ Left warnings. Added "eximon gdb" invocation mode.
+
+PP/21 Defaulting "accept_8bitmime" to true, not false.
+
+PP/22 Added -bw for inetd wait mode support.
+
+
+Exim version 4.77
+-----------------
+
+PP/01 Solaris build fix for Oracle's LDAP libraries.
+ Bugzilla 1109, patch from Stephen Usher.
+
+TF/01 HP/UX build fix: avoid arithmetic on a void pointer.
+
+TK/01 DKIM Verification: Fix relaxed canon for empty headers w/o
+ whitespace trailer
+
+TF/02 Fix a couple more cases where we did not log the error message
+ when unlink() failed. See also change 4.74-TF/03.
+
+TF/03 Make the exiwhat support code safe for signals. Previously Exim might
+ lock up or crash if it happened to be inside a call to libc when it
+ got a SIGUSR1 from exiwhat.
+
+ The SIGUSR1 handler appends the current process status to the process
+ log which is later printed by exiwhat. It used to use the general
+ purpose logging code to do this, but several functions it calls are
+ not safe for signals.
+
+ The new output code in the SIGUSR1 handler is specific to the process
+ log, and simple enough that it's easy to inspect for signal safety.
+ Removing some special cases also simplifies the general logging code.
+ Removing the spurious timestamps from the process log simplifies
+ exiwhat.
+
+TF/04 Improved ratelimit ACL condition.
+
+ The /noupdate option has been deprecated in favour of /readonly which
+ has clearer semantics. The /leaky, /strict, and /readonly update modes
+ are mutually exclusive. The update mode is no longer included in the
+ database key; it just determines when the database is updated. (This
+ means that when you upgrde Exim will forget old rate measurements.)
+
+ Exim now checks that the per_* options are used with an update mode that
+ makes sense for the current ACL. For example, when Exim is processing a
+ message (e.g. acl_smtp_rcpt or acl_smtp_data, etc.) you can specify
+ per_mail/leaky or per_mail/strict; otherwise (e.g. in acl_smtp_helo) you
+ must specify per_mail/readonly. If you omit the update mode it defaults to
+ /leaky where that makes sense (as before) or /readonly where required.
+
+ The /noupdate option is now undocumented but still supported for
+ backwards compatibility. It is equivalent to /readonly except that in
+ ACLs where /readonly is required you may specify /leaky/noupdate or
+ /strict/noupdate which are treated the same as /readonly.
+
+ A useful new feature is the /count= option. This is a generalization
+ of the per_byte option, so that you can measure the throughput of other
+ aggregate values. For example, the per_byte option is now equivalent
+ to per_mail/count=${if >{0}{$message_size} {0} {$message_size} }.
+
+ The per_rcpt option has been generalized using the /count= mechanism
+ (though it's more complicated than the per_byte equivalence). When it is
+ used in acl_smtp_rcpt, the per_rcpt option adds recipients to the
+ measured rate one at a time; if it is used later (e.g. in acl_smtp_data)
+ or in a non-SMTP ACL it adds all the recipients in one go. (The latter
+ /count=$recipients_count behaviour used to work only in non-SMTP ACLs.)
+ Note that using per_rcpt with a non-readonly update mode in more than
+ one ACL will cause the recipients to be double-counted. (The per_mail
+ and per_byte options don't have this problem.)
+
+ The handling of very low rates has changed slightly. If the computed rate
+ is less than the event's count (usually one) then this event is the first
+ after a long gap. In this case the rate is set to the same as this event's
+ count, so that the first message of a spam run is counted properly.
+
+ The major new feature is a mechanism for counting the rate of unique
+ events. The new per_addr option counts the number of different
+ recipients that someone has sent messages to in the last time period. It
+ behaves like per_rcpt if all the recipient addresses are different, but
+ duplicate recipient addresses do not increase the measured rate. Like
+ the /count= option this is a general mechanism, so the per_addr option
+ is equivalent to per_rcpt/unique=$local_part@$domain. You can, for
+ example, measure the rate that a client uses different sender addresses
+ with the options per_mail/unique=$sender_address. There are further
+ details in the main documentation.
+
+TF/05 Removed obsolete $Cambridge$ CVS revision strings.
+
+TF/06 Removed a few PCRE remnants.
+
+TF/07 Automatically extract Exim's version number from tags in the git
+ repository when doing development or release builds.
+
+PP/02 Raise smtp_cmd_buffer_size to 16kB.
+ Bugzilla 879. Patch from Paul Fisher.
+
+PP/03 Implement SSL-on-connect outbound with protocol=smtps on smtp transport.
+ Heavily based on revision 40f9a89a from Simon Arlott's tree.
+ Bugzilla 97.
+
+PP/04 Use .dylib instead of .so for dynamic library loading on MacOS.
+
+PP/05 Variable $av_failed, true if the AV scanner deferred.
+ Bugzilla 1078. Patch from John Horne.
+
+PP/06 Stop make process more reliably on build failure.
+ Bugzilla 1087. Patch from Heiko Schlittermann.
+
+PP/07 Make maildir_use_size_file an _expandable_ boolean.
+ Bugzilla 1089. Patch from Heiko Schlittermann.
+
+PP/08 Handle ${run} returning more data than OS pipe buffer size.
+ Bugzilla 1131. Patch from Holger Weiß.
+
+PP/09 Handle IPv6 addresses with SPF.
+ Bugzilla 860. Patch from Wolfgang Breyha.
+
+PP/10 GnuTLS: support TLS 1.2 & 1.1.
+ Bugzilla 1156.
+ Use gnutls_certificate_verify_peers2() [patch from Andreas Metzler].
+ Bugzilla 1095.
+
+PP/11 match_* no longer expand right-hand-side by default.
+ New compile-time build option, EXPAND_LISTMATCH_RHS.
+ New expansion conditions, "inlist", "inlisti".
+
+PP/12 fix uninitialised greeting string from PP/03 (smtps client support).
+
+PP/13 shell and compiler warnings fixes for RC1-RC4 changes.
+
+PP/14 fix log_write() format string regression from TF/03.
+ Bugzilla 1152. Patch from Dmitry Isaikin.
+
+
+Exim version 4.76
+-----------------
+
+PP/01 The new ldap_require_cert option would segfault if used. Fixed.
+
+PP/02 Harmonised TLS library version reporting; only show if debugging.
+ Layout now matches that introduced for other libraries in 4.74 PP/03.
+
+PP/03 New openssl_options items: no_sslv2 no_sslv3 no_ticket no_tlsv1
+
+PP/04 New "dns_use_edns0" global option.
+
+PP/05 Don't segfault on misconfiguration of ref:name exim-user as uid.
+ Bugzilla 1098.
+
+PP/06 Extra paranoia around buffer usage at the STARTTLS transition.
+ nb: Exim is not vulnerable to http://www.kb.cert.org/vuls/id/555316
+
+TK/01 Updated PolarSSL code to 0.14.2.
+ Bugzilla 1097. Patch from Andreas Metzler.
+
+PP/07 Catch divide-by-zero in ${eval:...}.
+ Fixes bugzilla 1102.
+
+PP/08 Condition negation of bool{}/bool_lax{} did not negate. Fixed.
+ Bugzilla 1104.
+
+TK/02 Bugzilla 1106: CVE-2011-1764 - DKIM log line was subject to a
+ format-string attack -- SECURITY: remote arbitrary code execution.
+
+TK/03 SECURITY - DKIM signature header parsing was double-expanded, second
+ time unintentionally subject to list matching rules, letting the header
+ cause arbitrary Exim lookups (of items which can occur in lists, *not*
+ arbitrary string expansion). This allowed for information disclosure.
+
+PP/09 Fix another SIGFPE (x86) in ${eval:...} expansion, this time related to
+ INT_MIN/-1 -- value coerced to INT_MAX.
+
+
+Exim version 4.75
+-----------------
+
+NM/01 Workround for PCRE version dependency in version reporting
+ Bugzilla 1073
+
+TF/01 Update valgrind.h and memcheck.h to copies from valgrind-3.6.0.
+ This fixes portability to compilers other than gcc, notably
+ Solaris CC and HP-UX CC. Fixes Bugzilla 1050.
+
+TF/02 Bugzilla 139: Avoid using the += operator in the modular lookup
+ makefiles for portability to HP-UX and POSIX correctness.
+
+PP/01 Permit LOOKUP_foo enabling on the make command-line.
+ Also via indented variable definition in the Makefile.
+ (Debugging by Oliver Heesakkers).
+
+PP/02 Restore caching of spamd results with expanded spamd_address.
+ Patch from author of expandable spamd_address patch, Wolfgang Breyha.
+
+PP/03 Build issue: lookups-Makefile now exports LC_ALL=C
+ Improves build reliability. Fix from: Frank Elsner
+
+NM/02 Fix wide character breakage in the rfc2047 coding
+ Fixes bug 1064. Patch from Andrey N. Oktyabrski
+
+NM/03 Allow underscore in dnslist lookups
+ Fixes bug 1026. Patch from Graeme Fowler
+
+PP/04 Bugzilla 230: Support TLS-enabled LDAP (in addition to ldaps).
+ Code patches from Adam Ciarcinski of NetBSD.
+
+NM/04 Fixed exiqgrep to cope with mailq missing size issue
+ Fixes bug 943.
+
+PP/05 Bugzilla 1083: when lookup expansion defers, escape the output which
+ is logged, to avoid truncation. Patch from John Horne.
+
+PP/06 Bugzilla 1042: implement freeze_signal on pipe transports.
+ Patch from Jakob Hirsch.
+
+PP/07 Bugzilla 1061: restrict error messages sent over SMTP to not reveal
+ SQL string expansion failure details.
+ Patch from Andrey Oktyabrski.
+
+PP/08 Bugzilla 486: implement %M datestamping in log filenames.
+ Patch from Simon Arlott.
+
+PP/09 New lookups functionality failed to compile on old gcc which rejects
+ extern declarations in function scope.
+ Patch from Oliver Fleischmann
+
+PP/10 Use sig_atomic_t for flags set from signal handlers.
+ Check getgroups() return and improve debugging.
+ Fixed developed for diagnosis in bug 927 (which turned out to be
+ a kernel bug).
+
+PP/11 Bugzilla 1055: Update $message_linecount for maildir_tag.
+ Patch from Mark Zealey.
+
+PP/12 Bugzilla 1056: Improved spamd server selection.
+ Patch from Mark Zealey.
+
+PP/13 Bugzilla 1086: Deal with maildir quota file races.
+ Based on patch from Heiko Schlittermann.
+
+PP/14 Bugzilla 1019: DKIM multiple signature generation fix.
+ Patch from Uwe Doering, sign-off by Michael Haardt.
+
+NM/05 Fix to spam.c to accommodate older gcc versions which dislike
+ variable declaration deep within a block. Bug and patch from
+ Dennis Davis.
+
+PP/15 lookups-Makefile IRIX compatibilty coercion.
+
+PP/16 Make DISABLE_DKIM build knob functional.
+
+NM/06 Bugzilla 968: child_open_uid: restore default SIGPIPE handler
+ Patch by Simon Arlott
+
+TF/03 Fix valgrind.h portability to C89 compilers that do not support
+ variable argument macros. Our copy now differs from upstream.
+
+
+Exim version 4.74
+-----------------
+
+TF/01 Failure to get a lock on a hints database can have serious
+ consequences so log it to the panic log.
+
+TF/02 Log LMTP confirmation messages in the same way as SMTP,
+ controlled using the smtp_confirmation log selector.
+
+TF/03 Include the error message when we fail to unlink a spool file.
+
+DW/01 Bugzilla 139: Support dynamically loaded lookups as modules.
+ With thanks to Steve Haslam, Johannes Berg & Serge Demonchaux
+ for maintaining out-of-tree patches for some time.
+
+PP/01 Bugzilla 139: Documentation and portability issues.
+ Avoid GNU Makefile-isms, let Exim continue to build on BSD.
+ Handle per-OS dynamic-module compilation flags.
+
+PP/02 Let /dev/null have normal permissions.
+ The 4.73 fixes were a little too stringent and complained about the
+ permissions on /dev/null. Exempt it from some checks.
+ Reported by Andreas M. Kirchwitz.
+
+PP/03 Report version information for many libraries, including
+ Exim version information for dynamically loaded libraries. Created
+ version.h, now support a version extension string for distributors
+ who patch heavily. Dynamic module ABI change.
+
+PP/04 CVE-2011-0017 - check return value of setuid/setgid. This is a
+ privilege escalation vulnerability whereby the Exim run-time user
+ can cause root to append content of the attacker's choosing to
+ arbitrary files.
+
+PP/05 Bugzilla 1041: merged DCC maintainer's fixes for return code.
+ (Wolfgang Breyha)
+
+PP/06 Bugzilla 1071: fix delivery logging with untrusted macros.
+ If dropping privileges for untrusted macros, we disabled normal logging
+ on the basis that it would fail; for the Exim run-time user, this is not
+ the case, and it resulted in successful deliveries going unlogged.
+ Fixed. Reported by Andreas Metzler.
+
+
Exim version 4.73
-----------------
PP/04 Bugzilla 995: provide better SSL diagnostics on failed reads.
-PP/05 Bugzilla 834: provide a permit_codedump option for pipe transports.
+PP/05 Bugzilla 834: provide a permit_coredump option for pipe transports.
PP/06 Adjust NTLM authentication to handle SASL Initial Response.
PP/07 If TLS negotiated an anonymous cipher, we could end up with SSL but
- without a peer certificate (I believe), leading to a segfault because of
- an assumption that peers always have certificates. Be a little more
+ without a peer certificate, leading to a segfault because of an
+ assumption that peers always have certificates. Be a little more
paranoid. Problem reported by Martin Tscholak.
PP/08 Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content
filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes
NB: ClamAV planning to remove STREAM in "middle of 2010".
+ CL also introduces -bmalware, various -d+acl logging additions and
+ more caution in buffer sizes.
PP/09 Implemented reverse_ip expansion operator.
PP/13 Bugzilla 752: Refuse to build/run if Exim user is root/0.
+PP/14 Build without WITH_CONTENT_SCAN. Path from Andreas Metzler.
+
+PP/15 Bugzilla 816: support multiple condition rules on Routers.
+
+PP/16 Add bool_lax{} expansion operator and use that for combining multiple
+ condition rules, instead of bool{}. Make both bool{} and bool_lax{}
+ ignore trailing whitespace.
+
+JJ/02 prevent non-panic DKIM error from being sent to paniclog
+
+JJ/03 added tcp_wrappers_daemon_name to allow host entries other than
+ "exim" to be used
+
+PP/17 Fix malware regression for cmdline scanner introduced in PP/08.
+ Notification from Dr Andrew Aitchison.
+
+PP/18 Change ClamAV response parsing to be more robust and to handle ClamAV's
+ ExtendedDetectionInfo response format.
+ Notification from John Horne.
+
+PP/19 OpenSSL 1.0.0a compatibility const-ness change, should be backwards
+ compatible.
+
+PP/20 Added a CONTRIBUTING file. Fixed the documentation build to use http:
+ XSL and documented dependency on system catalogs, with examples of how
+ it normally works.
+
+DW/21 Added Valgrind hooks in store.c to help it capture out-of-bounds store
+ access.
+
+DW/22 Bugzilla 1044: CVE-2010-4345 - partial fix: restrict default behaviour
+ of CONFIGURE_OWNER and CONFIGURE_GROUP options to no longer allow a
+ configuration file which is writeable by the Exim user or group.
+
+DW/23 Bugzilla 1044: CVE-2010-4345 - part two: extend checks for writeability
+ of configuration files to cover files specified with the -C option if
+ they are going to be used with root privileges, not just the default
+ configuration file.
+
+DW/24 Bugzilla 1044: CVE-2010-4345 - part three: remove ALT_CONFIG_ROOT_ONLY
+ option (effectively making it always true).
+
+DW/25 Add TRUSTED_CONFIG_PREFIX_FILE option to allow alternative configuration
+ files to be used while preserving root privileges.
+
+DW/26 Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure
+ that rogue child processes cannot use them.
+
+PP/27 Bugzilla 1047: change the default for system_filter_user to be the Exim
+ run-time user, instead of root.
+
+PP/28 Add WHITELIST_D_MACROS option to let some macros be overridden by the
+ Exim run-time user without dropping privileges.
+
+DW/29 Remove use of va_copy() which breaks pre-C99 systems. Duplicate the
+ result string, instead of calling string_vformat() twice with the same
+ arguments.
+
+DW/30 Allow TRUSTED_CONFIG_PREFIX_FILE only for Exim or CONFIGURE_OWNER, not
+ for other users. Others should always drop root privileges if they use
+ -C on the command line, even for a whitelisted configure file.
+
+DW/31 Turn TRUSTED_CONFIG_PREFIX_FILE into TRUSTED_CONFIG_FILE. No prefixes.
+
+NM/01 Fixed bug #1002 - Message loss when using multiple deliveries
+
Exim version 4.72
-----------------