X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/b25bdce654559e4c832e0d557b986687edb2ccf0..5fa5f96fcfb9aa3c73e4ce9289a30be1e616e576:/doc/doc-txt/NewStuff?ds=inline diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index a732d9b2d..09e4dd283 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -9,6 +9,52 @@ test from the snapshots or the CVS before the documentation is updated. Once the documentation is updated, this file is reduced to a short list. +Version 4.76 +------------ + + 1. The global option "dns_use_edns0" may be set to coerce EDNS0 usage on + or off in the resolver library. + + +Version 4.75 +------------ + + 1. In addition to the existing LDAP and LDAP/SSL ("ldaps") support, there + is now LDAP/TLS support, given sufficiently modern OpenLDAP client + libraries. The following global options have been added in support of + this: ldap_ca_cert_dir, ldap_ca_cert_file, ldap_cert_file, ldap_cert_key, + ldap_cipher_suite, ldap_require_cert, ldap_start_tls. + + 2. The pipe transport now takes a boolean option, "freeze_signal", default + false. When true, if the external delivery command exits on a signal then + Exim will freeze the message in the queue, instead of generating a bounce. + + 3. Log filenames may now use %M as an escape, instead of %D (still available). + The %M pattern expands to yyyymm, providing month-level resolution. + + 4. The $message_linecount variable is now updated for the maildir_tag option, + in the same way as $message_size, to reflect the real number of lines, + including any header additions or removals from transport. + + 5. When contacting a pool of SpamAssassin servers configured in spamd_address, + Exim now selects entries randomly, to better scale in a cluster setup. + + +Version 4.74 +------------ + + 1. SECURITY FIX: privilege escalation flaw fixed. On Linux (and only Linux) + the flaw permitted the Exim run-time user to cause root to append to + arbitrary files of the attacker's choosing, with the content based + on content supplied by the attacker. + + 2. Exim now supports loading some lookup types at run-time, using your + platform's dlopen() functionality. This has limited platform support + and the intention is not to support every variant, it's limited to + dlopen(). This permits the main Exim binary to not be linked against + all the libraries needed for all the lookup types. + + Version 4.73 ------------ @@ -26,7 +72,7 @@ Version 4.73 2. A new pipe transport option, "permit_coredumps", may help with problem diagnosis in some scenarios. Note that Exim is typically installed as a setuid binary, which on most OSes will inhibit coredumps by default, - so that safety mechanism would have to be overriden for this option to + so that safety mechanism would have to be overridden for this option to be able to take effect. 3. ClamAV 0.95 is now required for ClamAV support in Exim, unless @@ -103,16 +149,16 @@ Version 4.73 12. [POSSIBLE CONFIG BREAKAGE] ALT_CONFIG_ROOT_ONLY is no longer optional and is forced on. This is mitigated by the new build option TRUSTED_CONFIG_LIST which defines a list of configuration files which - are trusted; if a config file is owned by root and matches a pathname in - the list, then it may be invoked by the Exim build-time user without Exim - relinquishing root privileges. + are trusted; one per line. If a config file is owned by root and matches + a pathname in the list, then it may be invoked by the Exim build-time + user without Exim relinquishing root privileges. 13. [POSSIBLE CONFIG BREAKAGE] The Exim user is no longer automatically trusted to supply -D overrides on the command-line. Going forward, we recommend using TRUSTED_CONFIG_LIST with shim configs that include the main config. As a transition mechanism, we are temporarily providing a work-around: the new build option WHITELIST_D_MACROS provides - a colon-separated list of macro names which may be overriden by the Exim + a colon-separated list of macro names which may be overridden by the Exim run-time user. The values of these macros are constrained to the regex ^[A-Za-z0-9_/.-]*$ (which explicitly does allow for empty values).