Change log file for Exim from version 4.21
-------------------------------------------
-Exim version 4.78
+Exim version 4.82
+-----------------
+
+PP/01 Add -bI: framework, and -bI:sieve for querying sieve capabilities.
+
+PP/02 Make -n do something, by making it not do something.
+ When combined with -bP, the name of an option is not output.
+
+PP/03 Added tls_dh_min_bits SMTP transport driver option, only honoured
+ by GnuTLS.
+
+PP/04 First step towards DNSSEC, provide $sender_host_dnssec for
+ $sender_host_name and config options to manage this, and basic check
+ routines.
+
+PP/05 DSCP support for outbound connections and control modifier for inbound.
+
+PP/06 Cyrus SASL: set local and remote IP;port properties for driver.
+ (Only plugin which currently uses this is kerberos4, which nobody should
+ be using, but we should make it available and other future plugins might
+ conceivably use it, even though it would break NAT; stuff *should* be
+ using channel bindings instead).
+
+PP/07 Handle "exim -L <tag>" to indicate to use syslog with tag as the process
+ name; added for Sendmail compatibility; requires admin caller.
+ Handle -G as equivalent to "control = suppress_local_fixups" (we used to
+ just ignore it); requires trusted caller.
+ Also parse but ignore: -Ac -Am -X<logfile>
+ Bugzilla 1117.
+
+TL/01 Bugzilla 1258 - Refactor MAIL FROM optional args processing.
+
+TL/02 Add +smtp_confirmation as a default logging option.
+
+TL/03 Bugzilla 198 - Implement remove_header ACL modifier.
+ Patch by Magnus Holmgren from 2007-02-20.
+
+TL/04 Bugzilla 1281 - Spec typo.
+ Bugzilla 1283 - Spec typo.
+ Bugzilla 1290 - Spec grammar fixes.
+
+TL/05 Bugzilla 1285 - Spec omission, fix docbook errors for spec.txt creation.
+
+JH/01 Bugzilla 1201 & 304 - New cutthrough-delivery feature, with TLS support.
+
+JH/02 Support "G" suffix to numbers in ${if comparisons.
+
+PP/08 Handle smtp transport tls_sni option forced-fail for OpenSSL.
+
+NM/01 Bugzilla 1197 - Spec typo
+ Bugzilla 1196 - Spec examples corrections
+
+JH/03 Add expansion operators ${listnamed:name} and ${listcount:string}
+
+PP/09 Add gnutls_enable_pkcs11 option.
+
+PP/10 Let Linux makefile inherit CFLAGS/CFLAGS_DYNAMIC.
+ Pulled from Debian 30_dontoverridecflags.dpatch by Andreas Metzler.
+
+JH/04 Add expansion item ${acl {name}{arg}...}, expansion condition
+ "acl {{name}{arg}...}", and optional args on acl condition
+ "acl = name arg..."
+
+JH/05 Permit multiple router/transport headers_add/remove lines.
+
+JH/06 Add dnsdb pseudo-lookup "a+" to do an "aaaa" + "a" combination.
+
+JH/07 Avoid using a waiting database for a single-message-only transport.
+ Performance patch from Paul Fisher. Bugzilla 1262.
+
+JH/08 Strip leading/trailing newlines from add_header ACL modifier data.
+ Bugzilla 884.
+
+JH/09 Add $headers_added variable, with content from use of ACL modifier
+ add_header (but not yet added to the message). Bugzilla 199.
+
+JH/10 Add 8bitmime log_selector, for 8bitmime status on the received line.
+ Pulled from Bugzilla 817 by Wolfgang Breyha.
+
+PP/11 SECURITY: protect DKIM DNS decoding from remote exploit.
+ CVE-2012-5671
+
+JH/11 Add A= logging on delivery lines, and a client_set_id option on
+ authenticators.
+
+JH/12 Add optional authenticated_sender logging to A= and a log_selector
+ for control.
+
+PP/12 Unbreak server_set_id for NTLM/SPA auth, broken by 4.80 PP/29.
+
+PP/13 Dovecot auth: log better reason to rejectlog if Dovecot did not
+ advertise SMTP AUTH mechanism to us, instead of a generic
+ protocol violation error. Also, make Exim more robust to bad
+ data from the Dovecot auth socket.
+
+
+Exim version 4.80.1
+-------------------
+
+PP/01 SECURITY: protect DKIM DNS decoding from remote exploit.
+ CVE-2012-5671
+ This, or similar/improved, will also be change PP/11 of 4.82.
+
+
+Exim version 4.80
-----------------
PP/01 Handle short writes when writing local log-files.
non-compliant senders.
Analysis and variant patch by Todd Lyons.
-NM/04 Bugzilla 1237 - fix cases where printf format usage no indicated
+NM/04 Bugzilla 1237 - fix cases where printf format usage not indicated
Bug report from Lars Müller <lars@samba.org> (via SUSE),
Patch from Dirk Mueller <dmueller@suse.com>
JH/01 Bugzilla 660 - Multi-valued attributes from ldap now parseable as a
comma-sep list; embedded commas doubled.
+JH/02 Refactored ACL "verify =" logic to table-driven dispatch.
+
PP/15 LDAP: Check for errors of TLS initialisation, to give correct
diagnostics.
Report and patch from Dmitry Banschikov.
PP/24 Fixed headers_only on smtp transports (was not sending trailing dot).
Bugzilla 1246, report and most of solution from Tomasz Kusy.
+JH/03 ${eval } now uses 64-bit and supports a "g" suffix (like to "k" and "m").
+ This may cause build issues on older platforms.
+
+PP/25 Revamped GnuTLS support, passing tls_require_ciphers to
+ gnutls_priority_init, ignoring Exim options gnutls_require_kx,
+ gnutls_require_mac & gnutls_require_protocols (no longer supported).
+ Added SNI support via GnuTLS too.
+ Made ${randint:..} supplier available, if using not-too-old GnuTLS.
+
+PP/26 Added EXPERIMENTAL_OCSP for OpenSSL.
+
+PP/27 Applied dnsdb SPF support patch from Janne Snabb.
+ Applied second patch from Janne, implementing suggestion to default
+ multiple-strings-in-record handling to match SPF spec.
+
+JH/04 Added expansion variable $tod_epoch_l for a higher-precision time.
+
+PP/28 Fix DCC dcc_header content corruption (stack memory referenced,
+ read-only, out of scope).
+ Patch from Wolfgang Breyha, report from Stuart Northfield.
+
+PP/29 Fix three issues highlighted by clang analyser static analysis.
+ Only crash-plausible issue would require the Cambridge-specific
+ iplookup router and a misconfiguration.
+ Report from Marcin Mirosław.
+
+PP/30 Another attempt to deal with PCRE_PRERELEASE, this one less buggy.
+
+PP/31 %D in printf continues to cause issues (-Wformat=security), so for
+ now guard some of the printf checks behind WANT_DEEPER_PRINTF_CHECKS.
+ As part of this, removing so much warning spew let me fix some minor
+ real issues in debug logging.
+
+PP/32 GnuTLS was always using default tls_require_ciphers, due to a missing
+ assignment on my part. Fixed.
+
+PP/33 Added tls_dh_max_bits option, defaulting to current hard-coded limit
+ of NSS, for GnuTLS/NSS interop. Problem root cause diagnosis by
+ Janne Snabb (who went above and beyond: thank you).
+
+PP/34 Validate tls_require_ciphers on startup, since debugging an invalid
+ string otherwise requires a connection and a bunch more work and it's
+ relatively easy to get wrong. Should also expose TLS library linkage
+ problems.
+
+PP/35 Pull in <features.h> on Linux, for some portability edge-cases of
+ 64-bit ${eval} (JH/03).
+
+PP/36 Define _GNU_SOURCE in exim.h; it's needed for some releases of
+ GNU libc to support some of the 64-bit stuff, should not lead to
+ conflicts. Defined before os.h is pulled in, so if a given platform
+ needs to override this, it can.
+
+PP/37 Unbreak Cyrus SASL auth: SSF retrieval was incorrect, Exim thought
+ protection layer was required, which is not implemented.
+ Bugzilla 1254, patch from Wolfgang Breyha.
+
+PP/38 Overhaul DH prime handling, supply RFC-specified DH primes as built
+ into Exim, default to IKE id 23 from RFC 5114 (2048 bit). Make
+ tls_dhparam take prime identifiers. Also unbreak combination of
+ OpenSSL+DH_params+TLSSNI.
+
+PP/39 Disable SSLv2 by default in OpenSSL support.
+
Exim version 4.77
-----------------
NM/33 Bugzilla 898: Transport filter timeout fix.
Patch by Todd Rinaldo.
-NM/34 Bugzilla 901: Fix sign/unsigned and UTF mistmatches.
+NM/34 Bugzilla 901: Fix sign/unsigned and UTF mismatches.
Patch by Serge Demonchaux.
NM/35 Bugzilla 39: Base64 decode bug fixes.