X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/ef3a1a30b2d5edba53f1a8c8d1dc594940cb39c1..5d03669979a0faed6caec3d32f7caac9321eb160:/doc/doc-txt/ChangeLog?ds=inline diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index d99370a7e..8ef8b0b6c 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,8 +1,28 @@ Change log file for Exim from version 4.21 ------------------------------------------- +This document describes *changes* to previous versions, that might +affect Exim's operation, with an unchanged configuration file. For new +options, and new features, see the NewStuff file next to this ChangeLog. + + +Exim version 4.89 +------------------- + +JH/01 Bug 1922: Support IDNA2008. This has slightly different conversion rules + than -2003 did; needs libidn2 in addition to linidn. + +JH/02 The path option on a pipe transport is now expanded before use. + +PP/01 GitHub PR 50: Do not call ldap_start_tls_s on ldapi:// connections. + Patch provided by "Björn", documentation fix added too. + +JH/03 Bug 2003: fix Proxy Protocol v2 handling: the address size field was + missing a wire-to-host endian conversion. + Exim version 4.88 ----------------- + JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination supports it and a size is available (ie. the sending peer gave us one). @@ -24,7 +44,7 @@ JH/04 Bug 1810: make continued-use of an open smtp transport connection non-noisy when a race steals the message being considered. JH/05 If main configuration option tls_certificate is unset, generate a - selfsigned certificate for inbound TLS connections. + self-signed certificate for inbound TLS connections. JH/06 Bug 165: hide more cases of password exposure - this time in expansions in rewrites and routers. @@ -65,9 +85,88 @@ JH/16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same as one having no matching records. Previously we deferred the message that needed the lookup. +JH/17 Fakereject: previously logged as a norml message arrival "<="; now + distinguished as "(=". + +JH/18 Bug 1867: make the fail_defer_domains option on a dnslookup router work + for missing MX records. Previously it only worked for missing A records. + +JH/19 Bug 1850: support Radius libraries that return REJECT_RC. + +JH/20 Bug 1872: Ensure that acl_smtp_notquit is run when the connection drops + after the data-go-ahead and data-ack. Patch from Jason Betts. + +JH/21 Bug 1846: Send DMARC forensic reports for reject and quaratine results, + even for a "none" policy. Patch from Tony Meyer. + +JH/22 Fix continued use of a connection for further deliveries. If a port was + specified by a router, it must also match for the delivery to be + compatible. + +JH/23 Bug 1874: fix continued use of a connection for further deliveries. + When one of the recipients of a message was unsuitable for the connection + (has no matching addresses), we lost track of needing to mark it + deferred. As a result mail would be lost. + +JH/24 Bug 1832: Log EHLO response on getting conn-close response for HELO. + +JH/25 Decoding ACL controls is now done using a binary search; the source code + takes up less space and should be simpler to maintain. Merge the ACL + condition decode tables also, with similar effect. + +JH/26 Fix problem with one_time used on a redirect router which returned the + parent address unchanged. A retry would see the parent address marked as + delivered, so not attempt the (identical) child. As a result mail would + be lost. + +JH/27 Fix a possible security hole, wherein a process operating with the Exim + UID can gain a root shell. Credit to http://www.halfdog.net/ for + discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim + itself :( + +JH/28 Enable {spool,log} filesystem space and inode checks as default. + Main config options check_{log,spool}_{inodes,space} are now + 100 inodes, 10MB unless set otherwise in the configuration. + +JH/29 Fix the connection_reject log selector to apply to the connect ACL. + Previously it only applied to the main-section connection policy + options. + +JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext. + +PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created + by me. Added RFC7919 DH primes as an alternative. + +PP/02 Unbreak build via pkg-config with new hash support when crypto headers + are not in the system include path. + +JH/31 Fix longstanding bug with aborted TLS server connection handling. Under + GnuTLS, when a session startup failed (eg because the client disconnected) + Exim did stdio operations after fclose. This was exposed by a recent + change which nulled out the file handle after the fclose. + +JH/32 Bug 1909: Fix OCSP proof verification for cases where the proof is + signed directly by the cert-signing cert, rather than an intermediate + OCSP-signing cert. This is the model used by LetsEncrypt. + +JH/33 Bug 1914: Ensure socket is nonblocking before draining after SMTP QUIT. + +HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on + an incoming connection. + +HS/02 Bug 1802: Do not half-close the connection after sending a request + to rspamd. + +HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2 + fallback to "prime256v1". + +JH/34 SECURITY: Use proper copy of DATA command in error message. + Could leak key material. Remotely exploitable. CVE-2016-9963. + Exim version 4.87 ----------------- + JH/01 Bug 1664: Disable OCSP for GnuTLS library versions at/before 3.3.16 and 3.4.4 - once the server is enabled to respond to an OCSP request it does even when not requested, resulting in a stapling non-aware @@ -264,9 +363,9 @@ JH/48 Bug 1807: Fix ${extract } for the numeric/3-string case. While preparsing extraction. Accept either. - Exim version 4.86 ----------------- + JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now expanded. @@ -389,6 +488,7 @@ HS/03 Add perl_taintmode main config option Exim version 4.85 ----------------- + TL/01 When running the test suite, the README says that variables such as no_msglog_check are global and can be placed anywhere in a specific test's script, however it was observed that placement needed to be near