X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/9f1a75f126ae217a3a3568b106c9133b3c5c413a..1e835086d1592bdfbcd8577133965b78470840ac:/doc/doc-txt/ChangeLog diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 02ea32aa3..bad73cc7b 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -14,10 +14,106 @@ JH/02 Option default value updates: JH/03 Cache static regex pattern compilations, for use by ACLs. +JH/04 Bug 2903: avoid exit on an attempt to rewrite a malformed address. + Make the rewrite never match and keep the logging. Trust the + admin to be using verify=header-syntax (to actually reject the message). + +JH/05 Follow symlinks for placing a watch on TLS creds files. This means + (under Linux) we watch the dir containing the final file; previously + it would be the dir with the first symlink. We still do not monitor + the entire path. + +JH/06 Check for bad chars in rDNS for sender_host_name. The OpenBSD (at least) + dn_expand() is happy to pass them through. + +JH/07 OpenSSL Fix auto-reload of changed server OCSP proof. Previously, if + the file with the proof had an unchanged name, the new proof(s) were + loaded on top of the old ones (and nover used; the old ones were stapled). + +JH/08 Bug 2915: Fix use-after-free for $regex variables. Previously when + more than one message arrived in a single connection a reference from + the earlier message could be re-used. Often a sigsegv resulted. + These variables were introduced in Exim 4.87. + Debug help from Graeme Fowler. + +JH/09 Fix ${filter } for conditions that modify $value. Previously the + modified version would be used in construction the result, and a memory + error would occur. + +JH/10 GnuTLS: fix for (IOT?) clients offering no TLS extensions at all. + Find and fix by Jasen Betts. + +JH/11 OpenSSL: fix for ancient clients needing TLS support for versions earlier + than TLSv1,2, Previously, more-recent versions of OpenSSL were permitting + the systemwide configuration to override the Exim config. + +HS/01 Bug 2728: Introduce EDITME option "DMARC_API" to work around incompatible + API changes in libopendmarc. + +JH/12 Bug 2930: Fix daemon startup. When started from any process apart from + pid 1, in the normal "background daemon" mode, having to drop process- + group leadership also lost track of needing to create listener sockets. + +JH/13 Bug 2929: Fix using $recipients after ${run...}. A change made for 4.96 + resulted in the variable appearing empty. Find and fix by Ruben Jenster. + +JH/14 Bug 2933: Fix regex substring match variables for null matches. Since 4.96 + a capture group which obtained no text (eg. "(abc)*" matching zero + occurrences) could cause a segfault if the corresponding $ was + expanded. + +JH/15 Fix argument parsing for ${run } expansion. Previously, when an argument + included a close-brace character (eg. it itself used an expansion) an + error occurred. + +JH/16 Move running the smtp connect ACL to before, for TLS-on-connect ports, + starting TLS. Previously it was after, meaning that attackers on such + ports had to be screened using the host_reject_connection main config + option. The new sequence aligns better with the STARTTLS behaviour, and + permits defences against crypto-processing load attacks, even though it + is strictly an incompatible change. + Also, avoid sending any SMTP fail response for either the connect ACL + or host_reject_connection, for TLS-on-connect ports. + +JH/17 Permit the ACL "encrypted" condition to be used in a HELO/EHLO ACL, + Previously this was not permitted, but it makes reasonable sense. + While there, restore a restriction on using it from a connect ACL; given + the change JH/16 it could only return false (and before 4.91 was not + permitted). + +JH/18 Fix a fencepost error in logging. Previously (since 4.92) when a log line + was exactly sized compared to the log buffer, a crash occurred with the + misleading message "bad memory reference; pool not found". + Found and traced by Jasen Betts. + +JH/19 Bug 2911: Fix a recursion in DNS lookups. Previously, if the main option + dns_again_means_nonexist included an element causing a DNS lookup which + iteslf returned DNS_AGAIN, unbounded recursion occurred. Possible results + included (though probably not limited to) a process crash from stack + memory limit, or from excessive open files. Replace this with a paniclog + whine (as this is likely a configuration error), and returning + DNS_NOMATCH. + +JH/20 Bug 2954: (OpenSSL) Fix setting of explicit EC curve/group. Previously + this always failed, probably leading to the usual downgrade to in-clear + connections. + +JH/20 Fix TLSA lookups. Previously dns_again_means_nonexist would affect + SERVFAIL results, which breaks the downgrade resistance of DANE. Change + to not checking that list for these looks. + +JH/21 Bug 2434: Add connection-elapsed "D=" element to more connection + closure log lines. + +JH/23 Fix crash in string expansions. Previously, if an empty variable was + immediately followed by an expansion operator, a null-indirection read + was done, killing the process. + + Exim version 4.96 ----------------- -JH/01 Move the wait-for-next-tick (needed for unique messmage IDs) from +JH/01 Move the wait-for-next-tick (needed for unique message IDs) from after reception to before a subsequent reception. This should mean slightly faster delivery, and also confirmation of reception to senders.