head 1.3; access; symbols pkgsrc-2013Q2:1.3.0.8 pkgsrc-2013Q2-base:1.3 pkgsrc-2012Q4:1.3.0.6 pkgsrc-2012Q4-base:1.3 pkgsrc-2011Q4:1.3.0.4 pkgsrc-2011Q4-base:1.3 pkgsrc-2011Q2:1.3.0.2 pkgsrc-2011Q2-base:1.3 pkgsrc-2011Q1:1.2.0.2 pkgsrc-2011Q1-base:1.2 pkgsrc-2010Q4:1.1.0.2; locks; strict; comment @# @; 1.3 date 2011.05.09.13.30.47; author adam; state dead; branches; next 1.2; 1.2 date 2011.03.22.13.52.19; author adam; state Exp; branches; next 1.1; 1.1 date 2011.01.12.07.52.44; author adam; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2011.01.12.07.52.44; author tron; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2011.01.22.10.56.43; author tron; state Exp; branches; next ; desc @@ 1.3 log @Changes 4.76: * The new ldap_require_cert option would segfault if used. Fixed. * Harmonised TLS library version reporting; only show if debugging. Layout now matches that introduced for other libraries in 4.74 PP/03. * New openssl_options items: no_sslv2 no_sslv3 no_ticket no_tlsv1 * New "dns_use_edns0" global option. * Don't segfault on misconfiguration of ref:name exim-user as uid. * Extra paranoia around buffer usage at the STARTTLS transition. nb: Exim is not vulnerable to http://www.kb.cert.org/vuls/id/555316 * Updated PolarSSL code to 0.14.2. * Catch divide-by-zero in ${eval:...}. * Condition negation of bool{}/bool_lax{} did not negate. Fixed. * CVE-2011-1764 - DKIM log line was subject to a format-string attack -- SECURITY: remote arbitrary code execution. * SECURITY - DKIM signature header parsing was double-expanded, second time unintentionally subject to list matching rules, letting the header cause arbitrary Exim lookups (of items which can occur in lists, *not* arbitrary string expansion). This allowed for information disclosure. * Fix another SIGFPE (x86) in ${eval:...} expansion, this time related to INT_MIN/-1 -- value coerced to INT_MAX. @ text @$NetBSD: patch-ba,v 1.2 2011/03/22 13:52:19 adam Exp $ --- src/lookups/ldap.c.orig 2011-03-22 11:32:30.000000000 +0000 +++ src/lookups/ldap.c @@@@ -481,7 +481,7 @@@@ if (lcp == NULL) { cert_option = LDAP_OPT_X_TLS_TRY; } - ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, cert_option); + ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option); } #endif @ 1.2 log @Changes 4.75: 1. In addition to the existing LDAP and LDAP/SSL ("ldaps") support, there is now LDAP/TLS support, given sufficiently modern OpenLDAP client libraries. The following global options have been added in support of this: ldap_ca_cert_dir, ldap_ca_cert_file, ldap_cert_file, ldap_cert_key, ldap_cipher_suite, ldap_require_cert, ldap_start_tls. 2. The pipe transport now takes a boolean option, "freeze_signal", default false. When true, if the external delivery command exits on a signal then Exim will freeze the message in the queue, instead of generating a bounce. 3. Log filenames may now use %M as an escape, instead of %D (still available). The %M pattern expands to yyyymm, providing month-level resolution. 4. The $message_linecount variable is now updated for the maildir_tag option, in the same way as $message_size, to reflect the real number of lines, including any header additions or removals from transport. 5. When contacting a pool of SpamAssassin servers configured in spamd_address, Exim now selects entries randomly, to better scale in a cluster setup. @ text @d1 1 a1 1 $NetBSD$ @ 1.1 log @Changes 4.73: * Date: & Message-Id: revert to normally being appended to a message, only prepend for the Resent-* case. Fixes regression introduced in Exim 4.70 by NM/22 for Bugzilla 607. * Include check_rfc2047_length in configure.default because we're seeing increasing numbers of administrators be bitten by this. * Added DISABLE_DKIM and comment to src/EDITME * Bugzilla 994: added openssl_options main configuration option. * Bugzilla 995: provide better SSL diagnostics on failed reads. * Bugzilla 834: provide a permit_coredump option for pipe transports. * Adjust NTLM authentication to handle SASL Initial Response. * If TLS negotiated an anonymous cipher, we could end up with SSL but without a peer certificate, leading to a segfault because of an assumption that peers always have certificates. Be a little more paranoid. * Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes NB: ClamAV planning to remove STREAM in "middle of 2010". CL also introduces -bmalware, various -d+acl logging additions and more caution in buffer sizes. * Implemented reverse_ip expansion operator. * Bugzilla 937: provide a "debug" ACL control. * Bugzilla 922: Documentation dusting, patch provided by John Horne. * Bugzilla 973: Implement --version. * Bugzilla 752: Refuse to build/run if Exim user is root/0. * Build without WITH_CONTENT_SCAN. Path from Andreas Metzler. * Bugzilla 816: support multiple condition rules on Routers. * Add bool_lax{} expansion operator and use that for combining multiple condition rules, instead of bool{}. Make both bool{} and bool_lax{} ignore trailing whitespace. * prevent non-panic DKIM error from being sent to paniclog * added tcp_wrappers_daemon_name to allow host entries other than "exim" to be used * Fix malware regression for cmdline scanner introduced in PP/08. Notification from Dr Andrew Aitchison. * Change ClamAV response parsing to be more robust and to handle ClamAV's ExtendedDetectionInfo response format. * OpenSSL 1.0.0a compatibility const-ness change, should be backwards compatible. @ text @d3 1 a3 1 --- src/lookups/ldap.c.orig 2009-11-16 19:50:38.000000000 +0000 d5 6 a10 1 @@@@ -445,6 +445,60 @@@@ if (lcp == NULL) d12 1 a12 1 #endif /* LDAP_OPT_X_TLS */ a13 68 + #ifdef LDAP_OPT_X_TLS_CACERTFILE + if (eldap_ca_cert_file != NULL) + { + ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file); + } + #endif + #ifdef LDAP_OPT_X_TLS_CACERTDIR + if (eldap_ca_cert_dir != NULL) + { + ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir); + } + #endif + #ifdef LDAP_OPT_X_TLS_CERTFILE + if (eldap_cert_file != NULL) + { + ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file); + } + #endif + #ifdef LDAP_OPT_X_TLS_KEYFILE + if (eldap_cert_key != NULL) + { + ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key); + } + #endif + #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE + if (eldap_cipher_suite != NULL) + { + ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite); + } + #endif + #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT + if (eldap_require_cert != NULL) + { + int cert_option = LDAP_OPT_X_TLS_NEVER; + if (Ustrcmp(eldap_require_cert, "hard") == 0) + { + cert_option = LDAP_OPT_X_TLS_HARD; + } + else if (Ustrcmp(eldap_require_cert, "demand") == 0) + { + cert_option = LDAP_OPT_X_TLS_DEMAND; + } + else if (Ustrcmp(eldap_require_cert, "allow") == 0) + { + cert_option = LDAP_OPT_X_TLS_ALLOW; + } + else if (Ustrcmp(eldap_require_cert, "try") == 0) + { + cert_option = LDAP_OPT_X_TLS_TRY; + } + ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, cert_option); + } + #endif + /* Now add this connection to the chain of cached connections */ lcp = store_get(sizeof(LDAP_CONNECTION)); @@@@ -481,6 +535,10 @@@@ if (!lcp->bound || { DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n", (lcp->bound)? "re-" : "", user, password); + if (eldap_start_tls) + { + ldap_start_tls_s(lcp->ld, NULL, NULL); + } if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE)) == -1) { @ 1.1.2.1 log @file patch-ba was added on branch pkgsrc-2010Q4 on 2011-01-22 10:56:43 +0000 @ text @d1 76 @ 1.1.2.2 log @Pullup ticket #3330 - requested by gls mail/exim: security update Revisions pulled up: - mail/exim/Makefile 1.104 - mail/exim/distinfo 1.47 - mail/exim/patches/patch-aa 1.21 - mail/exim/patches/patch-ba 1.1 - mail/exim/patches/patch-bb 1.1 - mail/exim/patches/patch-bc 1.1 - mail/exim/patches/patch-bd 1.1 --- Module Name: pkgsrc Committed By: adam Date: Wed Jan 12 07:52:45 UTC 2011 Modified Files: pkgsrc/mail/exim: Makefile distinfo pkgsrc/mail/exim/patches: patch-aa Added Files: pkgsrc/mail/exim/patches: patch-ba patch-bb patch-bc patch-bd Log Message: Changes 4.73: * Date: & Message-Id: revert to normally being appended to a message, only prepend for the Resent-* case. Fixes regression introduced in Exim 4.70 by NM/22 for Bugzilla 607. * Include check_rfc2047_length in configure.default because we're seeing increasing numbers of administrators be bitten by this. * Added DISABLE_DKIM and comment to src/EDITME * Bugzilla 994: added openssl_options main configuration option. * Bugzilla 995: provide better SSL diagnostics on failed reads. * Bugzilla 834: provide a permit_coredump option for pipe transports. * Adjust NTLM authentication to handle SASL Initial Response. * If TLS negotiated an anonymous cipher, we could end up with SSL but without a peer certificate, leading to a segfault because of an assumption that peers always have certificates. Be a little more paranoid. * Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes NB: ClamAV planning to remove STREAM in "middle of 2010". CL also introduces -bmalware, various -d+acl logging additions and more caution in buffer sizes. * Implemented reverse_ip expansion operator. * Bugzilla 937: provide a "debug" ACL control. * Bugzilla 922: Documentation dusting, patch provided by John Horne. * Bugzilla 973: Implement --version. * Bugzilla 752: Refuse to build/run if Exim user is root/0. * Build without WITH_CONTENT_SCAN. Path from Andreas Metzler. * Bugzilla 816: support multiple condition rules on Routers. * Add bool_lax{} expansion operator and use that for combining multiple condition rules, instead of bool{}. Make both bool{} and bool_lax{} ignore trailing whitespace. * prevent non-panic DKIM error from being sent to paniclog * added tcp_wrappers_daemon_name to allow host entries other than "exim" to be used * Fix malware regression for cmdline scanner introduced in PP/08. Notification from Dr Andrew Aitchison. * Change ClamAV response parsing to be more robust and to handle ClamAV's ExtendedDetectionInfo response format. * OpenSSL 1.0.0a compatibility const-ness change, should be backwards compatible. @ text @a0 76 $NetBSD: patch-ba,v 1.1 2011/01/12 07:52:44 adam Exp $ --- src/lookups/ldap.c.orig 2009-11-16 19:50:38.000000000 +0000 +++ src/lookups/ldap.c @@@@ -445,6 +445,60 @@@@ if (lcp == NULL) } #endif /* LDAP_OPT_X_TLS */ + #ifdef LDAP_OPT_X_TLS_CACERTFILE + if (eldap_ca_cert_file != NULL) + { + ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file); + } + #endif + #ifdef LDAP_OPT_X_TLS_CACERTDIR + if (eldap_ca_cert_dir != NULL) + { + ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir); + } + #endif + #ifdef LDAP_OPT_X_TLS_CERTFILE + if (eldap_cert_file != NULL) + { + ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file); + } + #endif + #ifdef LDAP_OPT_X_TLS_KEYFILE + if (eldap_cert_key != NULL) + { + ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key); + } + #endif + #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE + if (eldap_cipher_suite != NULL) + { + ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite); + } + #endif + #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT + if (eldap_require_cert != NULL) + { + int cert_option = LDAP_OPT_X_TLS_NEVER; + if (Ustrcmp(eldap_require_cert, "hard") == 0) + { + cert_option = LDAP_OPT_X_TLS_HARD; + } + else if (Ustrcmp(eldap_require_cert, "demand") == 0) + { + cert_option = LDAP_OPT_X_TLS_DEMAND; + } + else if (Ustrcmp(eldap_require_cert, "allow") == 0) + { + cert_option = LDAP_OPT_X_TLS_ALLOW; + } + else if (Ustrcmp(eldap_require_cert, "try") == 0) + { + cert_option = LDAP_OPT_X_TLS_TRY; + } + ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, cert_option); + } + #endif + /* Now add this connection to the chain of cached connections */ lcp = store_get(sizeof(LDAP_CONNECTION)); @@@@ -481,6 +535,10 @@@@ if (!lcp->bound || { DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n", (lcp->bound)? "re-" : "", user, password); + if (eldap_start_tls) + { + ldap_start_tls_s(lcp->ld, NULL, NULL); + } if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE)) == -1) { @