|
|
|
|
Changelog for exim-mysql-4.92-154.1.x86_64.rpm :
* Sat Feb 16 2019 wullingerAATTrz.uni-kiel.de- update to exim 4.92 * ${l_header: } expansion * ${readsocket} now supports TLS * \"utf8_downconvert\" option (if built with SUPPORT_I18N) * \"pipelining\" log_selector * JSON variants for ${extract } expansion * \"noutf8\" debug option * TCP Fast Open support on MacOS- add workaround patch for compile time error on missing printf format annotation (gnu_printf.patch) * Mon Apr 16 2018 wullingerAATTrz.uni-kiel.de- update to 4.91 * DEFER rather than ERROR on redis cluster MOVED response. * Catch and remove uninitialized value warning in exiqsumm * Disallow \'/\' characters in queue names specified for the \"queue=\" ACL modifier. This matches the restriction on the commandline. * Fix pgsql lookup for multiple result-tuples with a single column. Previously only the last row was returned. * Bug 2217: Tighten up the parsing of DKIM signature headers. * Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL. * Fix issue with continued-connections when the DNS shifts unreliably. * Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL. * The \"support for\" informational output now, which built with Content Scanning support, has a line for the malware scanner interfaces compiled in. Interface can be individually included or not at build time. * The \"aveserver\", \"kavdaemon\" and \"mksd\" interfaces are now not included by the template makefile \"src/EDITME\". The \"STREAM\" support for an older ClamAV interface method is removed. * Bug 2223: Fix mysql lookup returns for the no-data case (when the number of rows affected is given instead). * The runtime Berkeley DB library version is now additionally output by \"exim -d -bV\". Previously only the compile-time version was shown. * Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating SMTP connection. * Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by routers. * Bug 2174: A timeout on connect for a callout was also erroneously seen as a timeout on read on a GnuTLS initiating connection, resulting in the initiating connection being dropped. * Relax results from ACL control request to enable cutthrough, in unsupported situations, from error to silently (except under debug) ignoring. * Fix Buffer overflow in base64d() (CVE-2018-6789) * Fix bug in DKIM verify: a buffer overflow could corrupt the malloc metadata, resulting in a crash in free(). * Fix broken Heimdal GSSAPI authenticator integration. * Bug 2113: Fix conversation closedown with the Avast malware scanner. * Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail ACL. * Speed up macro lookups during configuration file read, by skipping non- macro text after a replacement (previously it was only once per line) and by skipping builtin macros when searching for an uppercase lead character. * DANE support moved from Experimental to mainline. The Makefile control for the build is renamed. * Fix memory leak during multi-message connections using STARTTLS. * Bug 2236: When a DKIM verification result is overridden by ACL, DMARC reported the original. Fix to report (as far as possible) the ACL result replacing the original. * Fix memory leak during multi-message connections using STARTTLS under OpenSSL * Bug 2242: Fix exim_dbmbuild to permit directoryless filenames. * Fix utf8_downconvert propagation through a redirect router. * Bug 2253: For logging delivery lines under PRDR, append the overall DATA response info to the (existing) per-recipient response info for the \"C=\" log element. * Bug 2251: Fix ldap lookups that return a single attribute having zero- length value. * Support Avast multiline protocol, this allows passing flags to newer versions of the scanner. * Ensure that variables possibly set during message acceptance are marked dead before release of memory in the daemon loop. * Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such as a multi-recipient message from a mailinglist manager). * The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being replaced by the ${authresults } expansion. * Bug 2257: Fix pipe transport to not use a socket-only syscall. * Set a handler for SIGTERM and call exit(3) if running as PID 1. This allows proper process termination in container environments. * Bug 2258: Fix spool_wireformat in combination with LMTP transport. Previously the \"final dot\" had a newline after it; ensure it is CR,LF. * SPF: remove support for the \"spf\" ACL condition outcome values \"err_temp\" and \"err_perm\", deprecated since 4.83 when the RFC-defined words \" temperror\" and \"permerror\" were introduced. * Re-introduce enforcement of no cutthrough delivery on transports having transport-filters or DKIM-signing. * Cutthrough: for a final-dot response timeout (and nonunderstood responses) in defer=pass mode supply a 450 to the initiator. Previously the message would be spooled. * DANE: add dane_require_tls_ciphers SMTP Transport option; if unset, tls_require_ciphers is used as before. * Malware Avast: Better match the Avast multiline protocol. * Fix reinitialisation of DKIM logging variable between messages. * Bug 2255: Revert the disable of the OpenSSL session caching. * Add util/renew-opendmarc-tlds.sh script for safe renewal of public suffix list. * DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form, since the IETF WG has not yet settled on that versus the original \"bare\" representation. * Fix syslog logging for syslog_timestamp=no and log_selector +millisec. Previously the millisecond value corrupted the output. Fix also for syslog_pid=no and log_selector +pid, for which the pid corrupted the output. * Thu Mar 15 2018 crrodriguezAATTopensuse.org- Replace xorg-x11-devel by individual pkgconfig() buildrequires. * Tue Feb 13 2018 kbabiochAATTsuse.com- update to 4.90.1 * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly during configuration. Wildcards are allowed and expanded. * Shorten the log line for daemon startup by collapsing adjacent sets of identical IP addresses on different listening ports. Will also affect \"exiwhat\" output. * Tighten up the checking in isip4 (et al): dotted-quad components larger than 255 are no longer allowed. * Default openssl_options to include +no_ticket, to reduce load on peers. Disable the session-cache too, which might reduce our load. Since we currrectly use a new context for every connection, both as server and client, there is no benefit for these. * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at . * Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously the check for any unsuccessful recipients did not notice the limit, and erroneously found still-pending ones. * Pipeline CHUNKING command and data together, on kernels that support MSG_MORE. Only in-clear (not on TLS connections). * Avoid using a temporary file during transport using dkim. Unless a transport-filter is involved we can buffer the headers in memory for creating the signature, and read the spool data file once for the signature and again for transmission. * Enable use of sendfile in Linux builds as default. It was disabled in 4.77 as the kernel support then wasn\'t solid, having issues in 64bit mode. Now, it\'s been long enough. Add support for FreeBSD also. * Add commandline_checks_require_admin option. * Do pipelining under TLS. * For the \"sock\" variant of the malware scanner interface, accept an empty cmdline element to get the documented default one. Previously it was inaccessible. * Prevent repeated use of -p/-oMr * DKIM: enforce the DNS pubkey record \"h\" permitted-hashes optional field, if present. * DKIM: when a message has multiple signatures matching an identity given in dkim_verify_signers, run the dkim acl once for each. * Support IDNA2008. * The path option on a pipe transport is now expanded before use * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.- Several bug fixes- Fix for buffer overflow in base64decode() (bsc#1079832 CVE-2018-6789)- removed patches (included upstream now): * exim-CVE-2017-1000369.patch * exim-CVE-2017-16943.patch * exim-CVE-2017-16944.patch * exim-4.86.2-mariadb_102_compile_fix.patch * Thu Nov 30 2017 wullingerAATTrz.uni-kiel.de- add exim-CVE-2017-16944.patch: backport of commit 178ecb70987f024f0e775d87c2f8b2cf587dd542 fix for CVE-2017-16944 (#bsc1069859) * Mon Nov 27 2017 dmuellerAATTsuse.com- update to 4.88: drops fix-CVE-2016-9963-31c02defdc5118834e801d4fe8f11c1d9b5ebadf.patch, exim-4.86.2+fixes-867e8fe25dbfb1e31493488ad695bde55b890397.patch- remove exim4-manpages.tar.bz2: upstream does not exist anymore- update keyring * Mon Nov 27 2017 kstreitovaAATTsuse.com- add exim-4.86.2-mariadb_102_compile_fix.patch to fix compilation with the mariadb 10.2 (in our case the build with libmariadb library from the mariadb-connector-c package) * upstream commits: a12400fd4493b676e71613ab429e731f777ebd1e and 31beb7972466a33a88770eacbce13490f2ddadc2 * Mon Nov 27 2017 meissnerAATTsuse.com- exim-CVE-2017-16943.patch: fixed possible code execution (CVE-2017-16943 bsc#1069857) * Thu Nov 23 2017 rbrownAATTsuse.com- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) * Mon Oct 09 2017 dimstarAATTopensuse.org- Explicitly buildrequire libnsl-devel on suse_version >= 1330: libnsl used to be an integrated part of glibc. Since the build system / makefiles explicitly reference libnsl, it is our own duty to ensure we have our deps in place. * Tue Jul 04 2017 meissnerAATTsuse.com- specify users with ref:mail, to make them dynamic. bsc#1046971 * Mon Jun 19 2017 meissnerAATTsuse.com- exim-CVE-2017-1000369.patch: Fixed memory leaks that could be exploited to \"stack crash\" local privilege escalation (bsc#1044692)- Require user(mail) group(mail) to meet new users handling in TW.- Prerequire permissions (fixes rpmlint). * Mon Apr 24 2017 wullingerAATTrz.uni-kiel.de- conditionally disable DANE on SuSE versions with OpenSSL < 1.0- exim-4.86.2+fixes-867e8fe25dbfb1e31493488ad695bde55b890397.patch: import exim-4_86_2+fixes branch + fix CVE-2016-1531 when installed setuid root, allows local users to gain privileges via the perl_startup argument. + fix Bug 1805: store the initial working directory, expand $initial_cwd + fix Bug 1671: segfault after delivery (https://bugs.exim.org/show_bug.cgi?id=1671) + Don\'t issue env warning if env is empty- fix-CVE-2016-9963-31c02defdc5118834e801d4fe8f11c1d9b5ebadf.patch: DKIM information leakage * Mon Apr 04 2016 e.istominAATTedss.ee- Makefile tuning: + add sqlite support + disable WITH_OLD_DEMIME + enable AUTH_CYRUS_SASL + enable AUTH_TLS + enable SYSLOG_LONG_LINES + enable SUPPORT_PAM + MAX_NAMED_LIST=64 + enable EXPERIMENTAL_DMARC + enable EXPERIMENTAL_EVENT + enable EXPERIMENTAL_PROXY + enable EXPERIMENTAL_CERTNAMES + enable EXPERIMENTAL_DSN + enable EXPERIMENTAL_DANE + enable EXPERIMENTAL_SOCKS + enable EXPERIMENTAL_INTERNATIONAL * Wed Mar 02 2016 lmuelleAATTsuse.com- Update to 4.86.2 + Fix minor portability issues for *BSD and OS/X. * Mon Feb 29 2016 lmuelleAATTsuse.com- Update to 4.86.1 + Add support for keep_environment and add_environment options; CVE-2016-1531; (boo#968844). * Wed Feb 03 2016 opensuseAATTcboltz.de- Move AppArmor profile to /usr/share/apparmor/extra-profiles/, which is the directory for inactive profiles since AppArmor 2.9 * Fri Dec 11 2015 lmuelleAATTsuse.com- Update the Exim Maintainers Keyring file \'exim.keyring\'.- Use URL for the source line of the main tar ball. * Fri Oct 02 2015 michal.hruseckyAATTopensuse.org- Update to 4.86 * Support for using the system standard CA bundle. * New expansion items $config_file, $config_dir, containing the file and directory name of the main configuration file. Also $exim_version. * New \"malware=\" support for Avast. * New \"spam=\" variant option for Rspamd. * Assorted options on malware= and spam= scanners. * A commandline option to write a comment into the logfile. * If built with EXPERIMENTAL_SOCKS feature enabled, the smtp transport can be configured to make connections via socks5 proxies. * If built with EXPERIMENTAL_INTERNATIONAL, support is included for the transmission of UTF-8 envelope addresses. * If built with EXPERIMENTAL_INTERNATIONAL, an expansion item for a commonly used encoding of Maildir folder names. * A logging option for slow DNS lookups. * New ${env {}} expansion. * A non-SMTP authenticator using information from TLS client certificates. * Main option \"tls_eccurve\" for selecting an Elliptic Curve for TLS. Patch originally by Wolfgang Breyha. * Main option \"dns_trust_aa\" for trusting your local nameserver at the same level as DNSSEC.- Dropped exim-enable_ecdh_openssl.patch as included in upstream * Wed May 06 2015 lmuelleAATTsuse.com- Fix the systemd service file by not passing EXIM_ARGS as one single argument by removing the curly brackets (shell syntax). * Fri Apr 17 2015 lmuelleAATTsuse.com- Install fitting eximstats.conf depending on SUSE version; (bsc#926861).- Add attribute dir to /etc/apache2 and /etc/apache2/conf.d in the file list. * Fri Mar 13 2015 lmuelleAATTsuse.com- Replace the fixed ExecStart arguments by ${EXIM_ARGS} as defined in /etc/sysconfig/exim; (bsc#922145). * Sat Jan 24 2015 lmuelleAATTsuse.com- Set CFLAGS_OPT_WERROR only on post-5 CentOS and RHEL systems. * Sat Jan 24 2015 lmuelleAATTsuse.com- Drop BuildRequires xorg-x11-server-sdk for non SUSE systems in particular to build on RHEL 6 again. * Sat Jan 24 2015 lmuelleAATTsuse.com- Let ld know the path to mysqlclient. * Sat Jan 24 2015 lmuelleAATTsuse.com- update to 4.85 + When running the test suite, the README says that variables such as no_msglog_check are global and can be placed anywhere in a specific test\'s script, however it was observed that placement needed to be near the beginning for it to behave that way. Changed the runtest perl script to read through the entire script once to detect and set these variables, reset to the beginning of the script, and then run through the script parsing/test process like normal. + Expand the EXPERIMENTAL_TPDA feature. Several different events now cause callback expansion. + Bugzilla 1518: Clarify \"condition\" processing in routers; that syntax errors in an expansion can be treated as a string instead of logging or causing an error, due to the internal use of bool_lax instead of bool when processing it. + Add EXPERIMENTAL_DANE, allowing for using the DNS as trust-anchor for server certificates when making smtp deliveries. + Support secondary-separator specifier for MX, SRV, TLSA lookups. + Add ${sort {list}{condition}{extractor}} expansion item. + Bugzilla 1216: Add -M (related messages) option to exigrep. + GitHub Issue 18: Adjust logic testing for true/false in redis lookups. Merged patch from Sebastian Wiedenroth. + Fix results-pipe from transport process. Several recipients, combined with certificate use, exposed issues where response data items split over buffer boundaries were not parsed properly. This eventually resulted in duplicates being sent. This issue only became common enough to notice due to the introduction of conection certificate information, the item size being so much larger. Found and fixed by Wolfgang Breyha. + Bug 1533: Fix truncation of items in headers_remove lists. A fixed size buffer was used, resulting in syntax errors when an expansion exceeded it. + Add support for directories of certificates when compiled with a GnuTLS version 3.3.6 or later. + Rename the TPDA expermimental facility to Event Actions. The #ifdef is EXPERIMENTAL_EVENT, the main-configuration and transport options both become \"event_action\", the variables become $event_name, $event_data and $event_defer_errno. There is a new variable $verify_mode, usable in routers, transports and related events. The tls:cert event is now also raised for inbound connections, if the main configuration event_action option is defined. + In test suite, disable OCSP for old versions of openssl which contained early OCSP support, but no stapling (appears to be less than 1.0.0). + When compiled with OpenSSL and EXPERIMENTAL_CERTNAMES, the checks on server certificate names available under the smtp transport option \"tls_verify_cert_hostname\" now do not permit multi-component wildcard matches. + Time-related extraction expansions from certificates now use the main option \"timezone\" setting for output formatting, and are consistent between OpenSSL and GnuTLS compilations. Bug 1541. + Fix a crash in mime ACL when meeting a zero-length, quoted or RFC2047- encoded parameter in the incoming message. Bug 1558. + Bug 1527: Autogrow buffer used in reading spool files. Since they now include certificate info, eximon was claiming there were spoolfile syntax errors. + Bug 1521: Fix ldap lookup for single-attr request, multiple-attr return. + Log delivery-related information more consistently, using the sequence \"H= []\" wherever possible. + Bug 1547: Omit RFCs from release. Draft and RFCs have licenses which are problematic for Debian distribution, omit them from the release tarball. + Updates and fixes to the EXPERIMENTAL_DSN feature. + Fix string representation of time values on 64bit time_t anchitectures. Bug 1561. + Fix a null-indirection in certextract expansions when a nondefault output list separator was used. * Sun Dec 21 2014 michal.hruseckyAATTopensuse.org- Enable SPF * Sun Dec 21 2014 michal.hruseckyAATTopensuse.org- Fix service file; (boo#935601)- Using bcond for mysql, pgsql and ldap- mysql, pgsql and ldap enabled by default * Fri Dec 05 2014 lmuelleAATTsuse.com- Removed executable permission bits from exim.service file; (boo#935601). * Wed Nov 26 2014 lmuelleAATTsuse.com- Remove dependency on gpg-offline as signature checking is implemented in the source validator. * Wed Nov 26 2014 lmuelleAATTsuse.com- update to 4.84 + Re-add a \'return NULL\' to silence complaints from static checkers that were complaining about end of non-void function with no return; (beo#1506); obsoletes silence-static-checkers.patch. + Fix parsing of quoted parameter values in MIME headers. This was a regression intruduced in 4.83 by another bugfix; (beo#1513). + Fix broken compilation when EXPERIMENTAL_DSN is enabled. + Fix exipick for enhanced spoolfile specification used when EXPERIMENTAL_DNS is enabled; (beo#1509).
|
|
|