Change log file for Exim from version 4.21
-------------------------------------------
+This document describes *changes* to previous versions, that might
+affect Exim's operation, with an unchanged configuration file. For new
+options, and new features, see the NewStuff file next to this ChangeLog.
+
+
+Exim version 4.89
+-------------------
+
+JH/01 Bug 1922: Support IDNA2008. This has slightly different conversion rules
+ than -2003 did; needs libidn2 in addition to linidn.
+
+JH/02 The path option on a pipe transport is now expanded before use.
+
+PP/01 GitHub PR 50: Do not call ldap_start_tls_s on ldapi:// connections.
+ Patch provided by "Björn", documentation fix added too.
+
Exim version 4.88
-----------------
+
JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination
supports it and a size is available (ie. the sending peer gave us one).
non-noisy when a race steals the message being considered.
JH/05 If main configuration option tls_certificate is unset, generate a
- selfsigned certificate for inbound TLS connections.
+ self-signed certificate for inbound TLS connections.
JH/06 Bug 165: hide more cases of password exposure - this time in expansions
in rewrites and routers.
JH/24 Bug 1832: Log EHLO response on getting conn-close response for HELO.
-JH/25 Decoding ACL controls is now done using a binary search; the sourcecode
+JH/25 Decoding ACL controls is now done using a binary search; the source code
takes up less space and should be simpler to maintain. Merge the ACL
condition decode tables also, with similar effect.
+JH/26 Fix problem with one_time used on a redirect router which returned the
+ parent address unchanged. A retry would see the parent address marked as
+ delivered, so not attempt the (identical) child. As a result mail would
+ be lost.
+
+JH/27 Fix a possible security hole, wherein a process operating with the Exim
+ UID can gain a root shell. Credit to http://www.halfdog.net/ for
+ discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim
+ itself :(
+
+JH/28 Enable {spool,log} filesystem space and inode checks as default.
+ Main config options check_{log,spool}_{inodes,space} are now
+ 100 inodes, 10MB unless set otherwise in the configuration.
+
+JH/29 Fix the connection_reject log selector to apply to the connect ACL.
+ Previously it only applied to the main-section connection policy
+ options.
+
+JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext.
+
+PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created
+ by me. Added RFC7919 DH primes as an alternative.
+
+PP/02 Unbreak build via pkg-config with new hash support when crypto headers
+ are not in the system include path.
+
+JH/31 Fix longstanding bug with aborted TLS server connection handling. Under
+ GnuTLS, when a session startup failed (eg because the client disconnected)
+ Exim did stdio operations after fclose. This was exposed by a recent
+ change which nulled out the file handle after the fclose.
+
+JH/32 Bug 1909: Fix OCSP proof verification for cases where the proof is
+ signed directly by the cert-signing cert, rather than an intermediate
+ OCSP-signing cert. This is the model used by LetsEncrypt.
+
+JH/33 Bug 1914: Ensure socket is nonblocking before draining after SMTP QUIT.
+
+HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on
+ an incoming connection.
+
+HS/02 Bug 1802: Do not half-close the connection after sending a request
+ to rspamd.
+
+HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2
+ fallback to "prime256v1".
+
+JH/34 SECURITY: Use proper copy of DATA command in error message.
+ Could leak key material. Remotely exploitable. CVE-2016-9963.
+
Exim version 4.87
-----------------
+
JH/01 Bug 1664: Disable OCSP for GnuTLS library versions at/before 3.3.16
and 3.4.4 - once the server is enabled to respond to an OCSP request
it does even when not requested, resulting in a stapling non-aware
extraction. Accept either.
-
Exim version 4.86
-----------------
+
JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now
expanded.
Exim version 4.85
-----------------
+
TL/01 When running the test suite, the README says that variables such as
no_msglog_check are global and can be placed anywhere in a specific
test's script, however it was observed that placement needed to be near