head 1.202; access; symbols pkgsrc-2023Q4:1.201.0.2 pkgsrc-2023Q4-base:1.201 pkgsrc-2023Q3:1.196.0.4 pkgsrc-2023Q3-base:1.196 pkgsrc-2023Q2:1.196.0.2 pkgsrc-2023Q2-base:1.196 pkgsrc-2023Q1:1.195.0.4 pkgsrc-2023Q1-base:1.195 pkgsrc-2022Q4:1.195.0.2 pkgsrc-2022Q4-base:1.195 pkgsrc-2022Q3:1.194.0.2 pkgsrc-2022Q3-base:1.194 pkgsrc-2022Q2:1.191.0.2 pkgsrc-2022Q2-base:1.191 pkgsrc-2022Q1:1.190.0.4 pkgsrc-2022Q1-base:1.190 pkgsrc-2021Q4:1.190.0.2 pkgsrc-2021Q4-base:1.190 pkgsrc-2021Q3:1.188.0.2 pkgsrc-2021Q3-base:1.188 pkgsrc-2021Q2:1.187.0.2 pkgsrc-2021Q2-base:1.187 pkgsrc-2021Q1:1.183.0.4 pkgsrc-2021Q1-base:1.183 pkgsrc-2020Q4:1.183.0.2 pkgsrc-2020Q4-base:1.183 pkgsrc-2020Q3:1.182.0.2 pkgsrc-2020Q3-base:1.182 pkgsrc-2020Q2:1.180.0.2 pkgsrc-2020Q2-base:1.180 pkgsrc-2020Q1:1.175.0.2 pkgsrc-2020Q1-base:1.175 pkgsrc-2019Q4:1.172.0.4 pkgsrc-2019Q4-base:1.172 pkgsrc-2019Q3:1.171.0.2 pkgsrc-2019Q3-base:1.171 pkgsrc-2019Q2:1.167.0.2 pkgsrc-2019Q2-base:1.167 pkgsrc-2019Q1:1.165.0.2 pkgsrc-2019Q1-base:1.165 pkgsrc-2018Q4:1.164.0.2 pkgsrc-2018Q4-base:1.164 pkgsrc-2018Q3:1.163.0.2 pkgsrc-2018Q3-base:1.163 pkgsrc-2018Q2:1.160.0.2 pkgsrc-2018Q2-base:1.160 pkgsrc-2018Q1:1.158.0.2 pkgsrc-2018Q1-base:1.158 pkgsrc-2017Q4:1.156.0.2 pkgsrc-2017Q4-base:1.156 pkgsrc-2017Q3:1.155.0.4 pkgsrc-2017Q3-base:1.155 pkgsrc-2017Q2:1.154.0.2 pkgsrc-2017Q2-base:1.154 pkgsrc-2017Q1:1.153.0.2 pkgsrc-2017Q1-base:1.153 pkgsrc-2016Q4:1.151.0.2 pkgsrc-2016Q4-base:1.151 pkgsrc-2016Q3:1.148.0.2 pkgsrc-2016Q3-base:1.148 pkgsrc-2016Q2:1.147.0.2 pkgsrc-2016Q2-base:1.147 pkgsrc-2016Q1:1.144.0.2 pkgsrc-2016Q1-base:1.144 pkgsrc-2015Q4:1.141.0.2 pkgsrc-2015Q4-base:1.141 pkgsrc-2015Q3:1.140.0.4 pkgsrc-2015Q3-base:1.140 pkgsrc-2015Q2:1.140.0.2 pkgsrc-2015Q2-base:1.140 pkgsrc-2015Q1:1.138.0.2 pkgsrc-2015Q1-base:1.138 pkgsrc-2014Q4:1.137.0.2 pkgsrc-2014Q4-base:1.137 pkgsrc-2014Q3:1.135.0.2 pkgsrc-2014Q3-base:1.135 pkgsrc-2014Q2:1.133.0.2 pkgsrc-2014Q2-base:1.133 pkgsrc-2014Q1:1.128.0.2 pkgsrc-2014Q1-base:1.128 pkgsrc-2013Q4:1.127.0.2 pkgsrc-2013Q4-base:1.127 pkgsrc-2013Q3:1.125.0.2 pkgsrc-2013Q3-base:1.125 pkgsrc-2013Q2:1.124.0.2 pkgsrc-2013Q2-base:1.124 pkgsrc-2013Q1:1.122.0.2 pkgsrc-2013Q1-base:1.122 pkgsrc-2012Q4:1.119.0.2 pkgsrc-2012Q4-base:1.119 pkgsrc-2012Q3:1.115.0.4 pkgsrc-2012Q3-base:1.115 pkgsrc-2012Q2:1.115.0.2 pkgsrc-2012Q2-base:1.115 pkgsrc-2012Q1:1.113.0.2 pkgsrc-2012Q1-base:1.113 pkgsrc-2011Q4:1.111.0.2 pkgsrc-2011Q4-base:1.111 pkgsrc-2011Q3:1.110.0.2 pkgsrc-2011Q3-base:1.110 pkgsrc-2011Q2:1.109.0.2 pkgsrc-2011Q2-base:1.109 pkgsrc-2011Q1:1.106.0.2 pkgsrc-2011Q1-base:1.106 pkgsrc-2010Q4:1.103.0.2 pkgsrc-2010Q4-base:1.103 pkgsrc-2010Q3:1.102.0.4 pkgsrc-2010Q3-base:1.102 pkgsrc-2010Q2:1.102.0.2 pkgsrc-2010Q2-base:1.102 pkgsrc-2010Q1:1.100.0.2 pkgsrc-2010Q1-base:1.100 pkgsrc-2009Q4:1.98.0.2 pkgsrc-2009Q4-base:1.98 pkgsrc-2009Q3:1.95.0.6 pkgsrc-2009Q3-base:1.95 pkgsrc-2009Q2:1.95.0.4 pkgsrc-2009Q2-base:1.95 pkgsrc-2009Q1:1.95.0.2 pkgsrc-2009Q1-base:1.95 pkgsrc-2008Q4:1.93.0.2 pkgsrc-2008Q4-base:1.93 pkgsrc-2008Q3:1.92.0.4 pkgsrc-2008Q3-base:1.92 cube-native-xorg:1.92.0.2 cube-native-xorg-base:1.92 pkgsrc-2008Q2:1.91.0.6 pkgsrc-2008Q2-base:1.91 cwrapper:1.91.0.4 pkgsrc-2008Q1:1.91.0.2 pkgsrc-2008Q1-base:1.91 pkgsrc-2007Q4:1.88.0.2 pkgsrc-2007Q4-base:1.88 pkgsrc-2007Q3:1.86.0.2 pkgsrc-2007Q3-base:1.86 pkgsrc-2007Q2:1.84.0.2 pkgsrc-2007Q2-base:1.84 pkgsrc-2007Q1:1.81.0.2 pkgsrc-2007Q1-base:1.81 pkgsrc-2006Q4:1.80.0.2 pkgsrc-2006Q4-base:1.80 pkgsrc-2006Q3:1.79.0.2 pkgsrc-2006Q3-base:1.79 pkgsrc-2006Q2:1.76.0.2 pkgsrc-2006Q2-base:1.76 pkgsrc-2006Q1:1.74.0.2 pkgsrc-2006Q1-base:1.74 pkgsrc-2005Q4:1.71.0.2 pkgsrc-2005Q4-base:1.71 pkgsrc-2005Q3:1.65.0.2 pkgsrc-2005Q3-base:1.65 pkgsrc-2005Q2:1.57.0.2 pkgsrc-2005Q2-base:1.57 pkgsrc-2005Q1:1.55.0.2 pkgsrc-2005Q1-base:1.55 pkgsrc-2004Q4:1.50.0.6 pkgsrc-2004Q4-base:1.50 pkgsrc-2004Q3:1.50.0.4 pkgsrc-2004Q3-base:1.50 pkgsrc-2004Q2:1.50.0.2 pkgsrc-2004Q2-base:1.50 pkgsrc-2004Q1:1.44.0.2 pkgsrc-2004Q1-base:1.44 pkgsrc-2003Q4:1.42.0.2 pkgsrc-2003Q4-base:1.42 netbsd-1-6-1:1.31.0.2 netbsd-1-6-1-base:1.31 netbsd-1-6:1.29.0.6 netbsd-1-6-RELEASE-base:1.29 pkgviews:1.29.0.2 pkgviews-base:1.29 buildlink2:1.27.0.2 buildlink2-base:1.28 netbsd-1-5-PATCH003:1.27 netbsd-1-5-PATCH001:1.21 netbsd-1-5-RELEASE:1.15 netbsd-1-4-PATCH003:1.15 netbsd-1-4-PATCH002:1.12 comdex-fall-1999:1.6; locks; strict; comment @# @; 1.202 date 2023.12.29.17.06.24; author bsiegert; state Exp; branches; next 1.201; commitid 4EvRxaAz3bN0OnSE; 1.201 date 2023.11.16.08.55.38; author adam; state Exp; branches; next 1.200; commitid ZP9qTTYZ55vltOME; 1.200 date 2023.11.08.13.19.55; author wiz; state Exp; branches; next 1.199; commitid PsuHTklAIsF4bOLE; 1.199 date 2023.10.24.22.09.43; author wiz; state Exp; branches; next 1.198; commitid MTsrqKm6aGrQAVJE; 1.198 date 2023.10.16.14.59.26; author prlw1; state Exp; branches; next 1.197; commitid ErIls2fb4g2btRIE; 1.197 date 2023.10.03.08.42.44; author prlw1; state Exp; branches; next 1.196; commitid 75PE97PzE9PtO9HE; 1.196 date 2023.04.19.08.10.41; author adam; state Exp; branches 1.196.4.1; next 1.195; commitid B8gCWhWtMX9vZGlE; 1.195 date 2022.11.23.16.20.33; author adam; state Exp; branches; next 1.194; commitid ju2K3LUYlTJKqQ2E; 1.194 date 2022.07.11.10.52.29; author abs; state Exp; branches; next 1.193; commitid CLtkNGlaIGdUXsLD; 1.193 date 2022.07.02.09.24.34; author adam; state Exp; branches; next 1.192; commitid 6BNpEDHQ5f4JLiKD; 1.192 date 2022.06.28.11.34.20; author wiz; state Exp; branches; next 1.191; commitid D2UoJrTHpoHEANJD; 1.191 date 2022.04.18.19.11.33; author adam; state Exp; branches; next 1.190; commitid eC9Na3jrfOOUpIAD; 1.190 date 2021.12.08.16.05.28; author adam; state Exp; branches; next 1.189; commitid 2PyWjHx5T8rqARjD; 1.189 date 2021.11.14.20.19.08; author adam; state Exp; branches; next 1.188; commitid 0JDQibYDvDKDMNgD; 1.188 date 2021.06.23.20.33.12; author nia; state Exp; branches; next 1.187; commitid L7RJ3CFGxS3ruiYC; 1.187 date 2021.05.24.19.52.40; author wiz; state Exp; branches; next 1.186; commitid qokaiStTApGMcrUC; 1.186 date 2021.05.11.09.53.20; author jperkin; state Exp; branches; next 1.185; commitid M1o0ibltzLeFkISC; 1.185 date 2021.05.04.20.29.38; author abs; state Exp; branches; next 1.184; commitid Dekev4S3oGvW4SRC; 1.184 date 2021.04.21.11.42.08; author adam; state Exp; branches; next 1.183; commitid fph0Axs0eT3az9QC; 1.183 date 2020.11.05.09.08.35; author ryoon; state Exp; branches 1.183.4.1; next 1.182; commitid VqGaBtHnBBcd5GuC; 1.182 date 2020.08.31.18.09.55; author wiz; state Exp; branches; next 1.181; commitid 7zxRbfOkDOoxbfmC; 1.181 date 2020.08.20.16.40.57; author gavan; state Exp; branches; next 1.180; commitid KelPSgAWxEco1PkC; 1.180 date 2020.06.02.08.24.14; author adam; state Exp; branches; next 1.179; commitid nisovMpvvZm3RCaC; 1.179 date 2020.06.01.19.42.48; author adam; state Exp; branches; next 1.178; commitid bbrw4GbeRWQnEyaC; 1.178 date 2020.04.25.12.48.57; author gavan; state Exp; branches; next 1.177; commitid 7oWB7qQi0iIhvL5C; 1.177 date 2020.04.14.19.34.39; author wiz; state Exp; branches; next 1.176; commitid BzqCG2jOSW5i9o4C; 1.176 date 2020.04.12.08.28.56; author adam; state Exp; branches; next 1.175; commitid 7jZFLCnc3RCww44C; 1.175 date 2020.03.26.13.30.10; author nia; state Exp; branches; next 1.174; commitid thTQdlQ02MHaKU1C; 1.174 date 2020.01.26.17.31.33; author rillig; state Exp; branches; next 1.173; commitid 4fBBvoSLJaGd0eUB; 1.173 date 2020.01.18.21.49.49; author jperkin; state Exp; branches; next 1.172; commitid JW4hJgY8ZdoTFdTB; 1.172 date 2019.12.09.18.46.00; author adam; state Exp; branches; next 1.171; commitid 5pSLddULU7EBX3OB; 1.171 date 2019.09.30.19.25.58; author wiedi; state Exp; branches; next 1.170; commitid f0Ex1xeQOr50r4FB; 1.170 date 2019.09.06.12.57.33; author wiedi; state Exp; branches; next 1.169; commitid Ul4pB1hVIjZz3XBB; 1.169 date 2019.08.11.13.21.27; author wiz; state Exp; branches; next 1.168; commitid Ifet9Pg6Qt99ZByB; 1.168 date 2019.07.28.21.17.28; author abs; state Exp; branches; next 1.167; commitid 9ab2lZOMuOxL6RwB; 1.167 date 2019.06.07.12.20.32; author tm; state Exp; branches 1.167.2.1; next 1.166; commitid g6fGnd6KRCJeMfqB; 1.166 date 2019.04.03.00.32.52; author ryoon; state Exp; branches; next 1.165; commitid pkuNrSZ2MZiLWPhB; 1.165 date 2019.02.24.20.31.00; author adam; state Exp; branches; next 1.164; commitid NXttGJJWATKBN3dB; 1.164 date 2018.12.09.18.52.35; author adam; state Exp; branches; next 1.163; commitid Pdg91emznUBdJ93B; 1.163 date 2018.08.22.09.45.25; author wiz; state Exp; branches; next 1.162; commitid YLub8g3ofvFGb6PA; 1.162 date 2018.07.20.03.34.19; author ryoon; state Exp; branches; next 1.161; commitid 09Go9qhjDl36dPKA; 1.161 date 2018.07.04.13.40.23; author jperkin; state Exp; branches; next 1.160; commitid NnIyRkdX3Lbg3PIA; 1.160 date 2018.04.23.07.28.18; author adam; state Exp; branches; next 1.159; commitid b5cnALq8nKFYkxzA; 1.159 date 2018.04.14.07.34.30; author adam; state Exp; branches; next 1.158; commitid OW5IgFIaJWdTEnyA; 1.158 date 2018.03.07.08.24.47; author adam; state Exp; branches; next 1.157; commitid 9RWJBrDT5SVY9vtA; 1.157 date 2018.01.28.20.10.54; author wiz; state Exp; branches; next 1.156; commitid QPx6fI8ZTJVRhGoA; 1.156 date 2017.11.30.16.45.30; author adam; state Exp; branches 1.156.2.1; next 1.155; commitid 2LNaDKcCKaKZ25hA; 1.155 date 2017.09.18.09.53.26; author maya; state Exp; branches; next 1.154; commitid BMfpJecGogsW6F7A; 1.154 date 2017.04.22.21.03.42; author adam; state Exp; branches; next 1.153; commitid FZEMSoU8Sj6ZBzOz; 1.153 date 2017.03.18.07.08.23; author adam; state Exp; branches; next 1.152; commitid wn8hiY0Mb2Zl70Kz; 1.152 date 2017.01.19.18.52.15; author agc; state Exp; branches; next 1.151; commitid ufZDMu4cgHZdRBCz; 1.151 date 2016.12.25.11.29.54; author wiedi; state Exp; branches; next 1.150; commitid 3YdV0EZC1krwemzz; 1.150 date 2016.12.04.05.17.32; author ryoon; state Exp; branches; next 1.149; commitid xSaWu3mShoBjQCwz; 1.149 date 2016.10.09.21.42.00; author wiz; state Exp; branches; next 1.148; commitid i0AJjxRbfKiS5wpz; 1.148 date 2016.07.09.06.38.29; author wiz; state Exp; branches; next 1.147; commitid dlqnocGpOoXV2Cdz; 1.147 date 2016.06.11.00.37.24; author wiedi; state Exp; branches; next 1.146; commitid Ti7qwZDEVcGYWY9z; 1.146 date 2016.04.11.19.01.56; author ryoon; state Exp; branches; next 1.145; commitid mgqGURJPmT1r1f2z; 1.145 date 2016.04.09.10.49.39; author adam; state Exp; branches; next 1.144; commitid v3BPkwoTlXoOmW1z; 1.144 date 2016.03.05.11.28.48; author jperkin; state Exp; branches; next 1.143; commitid 1LoxeQftu903HrXy; 1.143 date 2016.03.02.20.13.18; author wiedi; state Exp; branches; next 1.142; commitid Mlao8ajEEdyXH6Xy; 1.142 date 2016.01.10.20.55.56; author bsiegert; state Exp; branches; next 1.141; commitid 8uMOn52fxlC3CqQy; 1.141 date 2015.10.10.01.58.12; author ryoon; state Exp; branches 1.141.2.1; next 1.140; commitid 78BsYZiClqZSgvEy; 1.140 date 2015.06.12.10.50.18; author wiz; state Exp; branches; next 1.139; commitid B4JmCfaVUbiY38py; 1.139 date 2015.04.06.08.17.31; author adam; state Exp; branches; next 1.138; commitid dUs0ktQdJn8Wnvgy; 1.138 date 2015.02.14.07.33.19; author adam; state Exp; branches; next 1.137; commitid KxJey5Vq2OOqMW9y; 1.137 date 2014.10.20.13.39.56; author wiedi; state Exp; branches; next 1.136; commitid T0AlWzFCtxj9zWUx; 1.136 date 2014.10.07.16.47.29; author adam; state Exp; branches; next 1.135; commitid 7jTOvNj1CvwA1iTx; 1.135 date 2014.08.17.08.16.58; author adam; state Exp; branches; next 1.134; commitid 5fz9LOri8FK3QGMx; 1.134 date 2014.07.23.14.09.52; author adam; state Exp; branches; next 1.133; commitid d6AEuZgNyX1ZAvJx; 1.133 date 2014.06.14.10.18.05; author wiedi; state Exp; branches; next 1.132; commitid EJTMXqPaV2FiztEx; 1.132 date 2014.05.29.23.36.45; author wiz; state Exp; branches; next 1.131; commitid laryHfkCalgYtuCx; 1.131 date 2014.05.29.09.27.37; author adam; state Exp; branches; next 1.130; commitid UrBNpKosbOsQNpCx; 1.130 date 2014.04.30.10.21.08; author jperkin; state Exp; branches; next 1.129; commitid psx7ApbSm0hA1Hyx; 1.129 date 2014.04.09.07.27.11; author obache; state Exp; branches; next 1.128; commitid 3Qx65Ha86azyJYvx; 1.128 date 2014.02.12.23.18.07; author tron; state Exp; branches; next 1.127; commitid dfJj7CwMMWJzNRox; 1.127 date 2013.10.30.07.30.03; author adam; state Exp; branches; next 1.126; commitid 735RzrN9CSMIVhbx; 1.126 date 2013.10.19.09.07.07; author adam; state Exp; branches; next 1.125; commitid CGtwIKecGGJbPS9x; 1.125 date 2013.07.12.10.44.56; author jperkin; state Exp; branches; next 1.124; commitid vVOw5ngQ2VNQxaXw; 1.124 date 2013.05.31.12.41.13; author wiz; state Exp; branches; next 1.123; commitid hIeXGcx6VfKHwMRw; 1.123 date 2013.05.09.07.40.04; author adam; state Exp; branches; next 1.122; 1.122 date 2013.03.02.20.33.27; author wiz; state Exp; branches; next 1.121; 1.121 date 2013.02.06.23.22.44; author jperkin; state Exp; branches; next 1.120; 1.120 date 2013.01.26.21.38.07; author adam; state Exp; branches; next 1.119; 1.119 date 2012.12.16.01.52.20; author obache; state Exp; branches; next 1.118; 1.118 date 2012.10.30.20.12.20; author abs; state Exp; branches; next 1.117; 1.117 date 2012.10.08.12.19.10; author asau; state Exp; branches; next 1.116; 1.116 date 2012.10.03.21.56.23; author wiz; state Exp; branches; next 1.115; 1.115 date 2012.06.11.11.41.24; author adam; state Exp; branches 1.115.4.1; next 1.114; 1.114 date 2012.04.27.12.31.53; author obache; state Exp; branches; next 1.113; 1.113 date 2012.03.03.00.13.29; author wiz; state Exp; branches; next 1.112; 1.112 date 2012.01.24.09.11.06; author sbd; state Exp; branches; next 1.111; 1.111 date 2011.10.10.12.20.49; author adam; state Exp; branches; next 1.110; 1.110 date 2011.08.23.13.06.50; author obache; state Exp; branches; next 1.109; 1.109 date 2011.06.10.21.57.08; author obache; state Exp; branches; next 1.108; 1.108 date 2011.05.09.13.30.47; author adam; state Exp; branches; next 1.107; 1.107 date 2011.05.07.14.32.02; author drochner; state Exp; branches; next 1.106; 1.106 date 2011.03.22.13.52.19; author adam; state Exp; branches; next 1.105; 1.105 date 2011.01.27.07.48.51; author adam; state Exp; branches; next 1.104; 1.104 date 2011.01.12.07.52.44; author adam; state Exp; branches; next 1.103; 1.103 date 2010.11.08.13.59.11; author adam; state Exp; branches 1.103.2.1; next 1.102; 1.102 date 2010.06.06.14.15.30; author adam; state Exp; branches; next 1.101; 1.101 date 2010.06.02.13.04.04; author adam; state Exp; branches; next 1.100; 1.100 date 2010.01.31.21.06.29; author heinz; state Exp; branches; next 1.99; 1.99 date 2010.01.15.20.48.08; author zafer; state Exp; branches; next 1.98; 1.98 date 2009.12.30.13.24.50; author abs; state Exp; branches; next 1.97; 1.97 date 2009.12.07.14.29.09; author adam; state Exp; branches; next 1.96; 1.96 date 2009.11.17.06.39.32; author adam; state Exp; branches; next 1.95; 1.95 date 2009.02.13.15.28.03; author abs; state Exp; branches; next 1.94; 1.94 date 2009.01.12.18.59.24; author abs; state Exp; branches; next 1.93; 1.93 date 2008.11.10.17.21.36; author wiz; state Exp; branches; next 1.92; 1.92 date 2008.09.07.11.24.27; author wiz; state Exp; branches; next 1.91; 1.91 date 2008.01.31.13.05.36; author rillig; state Exp; branches; next 1.90; 1.90 date 2008.01.18.05.08.24; author tnn; state Exp; branches; next 1.89; 1.89 date 2008.01.14.18.57.38; author adam; state Exp; branches; next 1.88; 1.88 date 2007.12.15.16.04.41; author adam; state Exp; branches; next 1.87; 1.87 date 2007.10.14.19.14.57; author adam; state Exp; branches; next 1.86; 1.86 date 2007.09.11.18.16.01; author abs; state Exp; branches; next 1.85; 1.85 date 2007.07.04.20.54.42; author jlam; state Exp; branches; next 1.84; 1.84 date 2007.06.24.10.55.40; author abs; state Exp; branches; next 1.83; 1.83 date 2007.06.08.13.11.56; author wiz; state Exp; branches; next 1.82; 1.82 date 2007.05.18.14.24.11; author abs; state Exp; branches; next 1.81; 1.81 date 2007.01.10.12.54.36; author abs; state Exp; branches; next 1.80; 1.80 date 2006.11.20.11.56.42; author abs; state Exp; branches; next 1.79; 1.79 date 2006.09.16.07.09.22; author schwarz; state Exp; branches; next 1.78; 1.78 date 2006.08.30.21.11.37; author abs; state Exp; branches; next 1.77; 1.77 date 2006.08.08.15.24.01; author abs; state Exp; branches; next 1.76; 1.76 date 2006.06.14.22.43.39; author abs; state Exp; branches; next 1.75; 1.75 date 2006.04.23.00.12.38; author jlam; state Exp; branches; next 1.74; 1.74 date 2006.01.08.18.35.09; author xtraeme; state Exp; branches; next 1.73; 1.73 date 2005.12.29.06.21.49; author jlam; state Exp; branches; next 1.72; 1.72 date 2005.12.27.21.22.02; author reed; state Exp; branches; next 1.71; 1.71 date 2005.12.05.20.50.30; author rillig; state Exp; branches; next 1.70; 1.70 date 2005.10.16.14.10.57; author abs; state Exp; branches; next 1.69; 1.69 date 2005.10.09.10.43.49; author abs; state Exp; branches; next 1.68; 1.68 date 2005.10.07.10.28.34; author abs; state Exp; branches; next 1.67; 1.67 date 2005.10.03.20.20.18; author abs; state Exp; branches; next 1.66; 1.66 date 2005.10.03.18.45.50; author abs; state Exp; branches; next 1.65; 1.65 date 2005.09.10.23.11.40; author abs; state Exp; branches; next 1.64; 1.64 date 2005.08.29.18.31.48; author reed; state Exp; branches; next 1.63; 1.63 date 2005.08.29.18.29.05; author reed; state Exp; branches; next 1.62; 1.62 date 2005.08.23.11.48.48; author rillig; state Exp; branches; next 1.61; 1.61 date 2005.07.21.03.06.13; author grant; state Exp; branches; next 1.60; 1.60 date 2005.07.20.06.32.29; author grant; state Exp; branches; next 1.59; 1.59 date 2005.07.16.01.19.12; author jlam; state Exp; branches; next 1.58; 1.58 date 2005.07.12.04.07.41; author grant; state Exp; branches; next 1.57; 1.57 date 2005.05.17.17.06.11; author abs; state Exp; branches 1.57.2.1; next 1.56; 1.56 date 2005.05.10.22.52.06; author abs; state Exp; branches; next 1.55; 1.55 date 2005.02.17.22.50.06; author reed; state Exp; branches; next 1.54; 1.54 date 2005.02.13.01.16.44; author grant; state Exp; branches; next 1.53; 1.53 date 2005.02.03.12.58.03; author abs; state Exp; branches; next 1.52; 1.52 date 2004.12.28.02.47.44; author reed; state Exp; branches; next 1.51; 1.51 date 2004.12.28.01.42.19; author reed; state Exp; branches; next 1.50; 1.50 date 2004.06.06.22.10.51; author abs; state Exp; branches; next 1.49; 1.49 date 2004.06.04.23.21.34; author reed; state Exp; branches; next 1.48; 1.48 date 2004.06.04.00.10.34; author reed; state Exp; branches; next 1.47; 1.47 date 2004.05.07.18.12.58; author abs; state Exp; branches; next 1.46; 1.46 date 2004.05.07.17.47.32; author abs; state Exp; branches; next 1.45; 1.45 date 2004.05.07.11.54.35; author wiz; state Exp; branches; next 1.44; 1.44 date 2004.03.26.02.27.43; author wiz; state Exp; branches 1.44.2.1; next 1.43; 1.43 date 2004.03.05.12.28.45; author abs; state Exp; branches; next 1.42; 1.42 date 2003.11.25.10.21.58; author abs; state Exp; branches; next 1.41; 1.41 date 2003.11.12.03.39.40; author jschauma; state Exp; branches; next 1.40; 1.40 date 2003.09.02.12.19.36; author abs; state Exp; branches; next 1.39; 1.39 date 2003.09.02.11.14.16; author abs; state Exp; branches; next 1.38; 1.38 date 2003.09.02.10.33.38; author abs; state Exp; branches; next 1.37; 1.37 date 2003.08.02.17.00.08; author jmmv; state Exp; branches; next 1.36; 1.36 date 2003.07.17.21.45.58; author grant; state Exp; branches; next 1.35; 1.35 date 2003.06.23.16.12.48; author jmc; state Exp; branches; next 1.34; 1.34 date 2003.06.16.21.40.21; author jmc; state Exp; branches; next 1.33; 1.33 date 2003.05.03.12.16.28; author dmcmahill; state Exp; branches; next 1.32; 1.32 date 2003.04.27.17.21.59; author cjep; state Exp; branches; next 1.31; 1.31 date 2002.12.09.11.38.04; author ad; state Exp; branches; next 1.30; 1.30 date 2002.10.25.12.18.15; author wiz; state Exp; branches; next 1.29; 1.29 date 2002.07.02.14.41.20; author wiz; state Exp; branches; next 1.28; 1.28 date 2002.06.19.16.02.26; author ad; state Exp; branches; next 1.27; 1.27 date 2001.12.19.17.11.02; author ad; state Exp; branches 1.27.2.1; next 1.26; 1.26 date 2001.08.13.08.11.55; author ad; state Exp; branches; next 1.25; 1.25 date 2001.07.14.18.17.21; author ad; state Exp; branches; next 1.24; 1.24 date 2001.07.11.14.58.42; author ad; state Exp; branches; next 1.23; 1.23 date 2001.07.11.13.18.27; author ad; state Exp; branches; next 1.22; 1.22 date 2001.06.26.00.21.47; author wiz; state Exp; branches; next 1.21; 1.21 date 2001.02.25.04.17.58; author hubertf; state Exp; branches; next 1.20; 1.20 date 2001.02.17.18.24.45; author wiz; state Exp; branches; next 1.19; 1.19 date 2001.01.29.11.34.30; author wiz; state Exp; branches; next 1.18; 1.18 date 2001.01.26.05.21.45; author hubertf; state Exp; branches; next 1.17; 1.17 date 2001.01.24.21.07.35; author ad; state Exp; branches; next 1.16; 1.16 date 2000.11.28.19.24.42; author ad; state Exp; branches; next 1.15; 1.15 date 2000.08.07.02.26.08; author wiz; state Exp; branches; next 1.14; 1.14 date 2000.08.04.14.55.09; author ad; state Exp; branches; next 1.13; 1.13 date 2000.07.26.12.30.06; author ad; state Exp; branches; next 1.12; 1.12 date 2000.02.15.16.54.26; author ad; state Exp; branches; next 1.11; 1.11 date 2000.01.21.12.53.42; author ad; state Exp; branches; next 1.10; 1.10 date 2000.01.09.01.29.30; author wiz; state Exp; branches; next 1.9; 1.9 date 99.12.10.00.26.14; author ad; state Exp; branches; next 1.8; 1.8 date 99.12.01.11.20.25; author ad; state Exp; branches; next 1.7; 1.7 date 99.11.25.18.05.02; author ad; state Exp; branches; next 1.6; 1.6 date 99.10.06.23.02.35; author ad; state Exp; branches; next 1.5; 1.5 date 99.09.22.08.52.05; author ad; state Exp; branches; next 1.4; 1.4 date 99.09.22.08.29.39; author ad; state Exp; branches; next 1.3; 1.3 date 99.09.18.21.08.46; author ad; state Exp; branches; next 1.2; 1.2 date 99.09.18.20.28.25; author ad; state Exp; branches; next 1.1; 1.1 date 99.09.07.13.22.50; author ad; state Exp; branches; next ; 1.196.4.1 date 2023.10.12.15.28.14; author bsiegert; state Exp; branches; next 1.196.4.2; commitid cW7pphoErkfULlIE; 1.196.4.2 date 2023.10.23.18.30.09; author bsiegert; state Exp; branches; next ; commitid 4brSX7XAu0ooqMJE; 1.183.4.1 date 2021.05.07.19.05.18; author bsiegert; state Exp; branches; next ; commitid rTaZTMjZffm4wfSC; 1.167.2.1 date 2019.08.09.13.25.41; author bsiegert; state Exp; branches; next 1.167.2.2; commitid 3ye87qXKiMX17myB; 1.167.2.2 date 2019.09.06.18.43.35; author bsiegert; state Exp; branches; next ; commitid H8nRt3XZNJ5iYYBB; 1.156.2.1 date 2018.03.08.20.22.06; author spz; state Exp; branches; next ; commitid 1z5xemMwUu0c6HtA; 1.141.2.1 date 2016.03.03.20.22.52; author bsiegert; state Exp; branches; next ; commitid oE0xishnFuifJeXy; 1.115.4.1 date 2012.11.04.12.07.02; author spz; state Exp; branches; next ; 1.103.2.1 date 2011.01.22.10.56.42; author tron; state Exp; branches; next ; 1.57.2.1 date 2005.07.22.16.42.27; author snj; state Exp; branches; next 1.57.2.2; 1.57.2.2 date 2005.07.27.05.25.45; author snj; state Exp; branches; next ; 1.44.2.1 date 2004.05.30.08.54.13; author grant; state Exp; branches; next 1.44.2.2; 1.44.2.2 date 2004.05.30.08.58.27; author grant; state Exp; branches; next ; 1.27.2.1 date 2002.06.23.18.51.09; author jlam; state Exp; branches; next ; desc @@ 1.202 log @exim: update to 4.97.1 (security) This is a patch release of 4.97 containing fixes for CVE-2023-51766. @ text @# $NetBSD: Makefile,v 1.201 2023/11/16 08:55:38 adam Exp $ DISTNAME= exim-4.97.1 CATEGORIES= mail net MASTER_SITES= https://ftp.exim.org/pub/exim/exim4/ MASTER_SITES+= https://ftp.exim.org/pub/exim/exim4/fixes/ MASTER_SITES+= ftp://ftp.exim.org/pub/exim/exim4/ MASTER_SITES+= ftp://ftp.exim.org/pub/exim/exim4/fixes/ EXTRACT_SUFX= .tar.xz MAINTAINER= abs@@NetBSD.org HOMEPAGE= https://www.exim.org/ COMMENT= The Exim mail transfer agent, a replacement for sendmail LICENSE= gnu-gpl-v2 CONFLICTS+= exim-exiscan-[0-9]* DEPENDS+= p5-File-FcntlLock>=0.22:../../sysutils/p5-File-FcntlLock USE_TOOLS+= perl:run USE_LANGUAGES= c99 BUILD_DEFS+= VARBASE MAKE_ENV+= SSLBASE=${SSLBASE:Q} MAKE_ENV+= INST_CHOWN=${CHOWN:Q} MAKE_FLAGS+= FULLECHO='' MAKE_JOBS_SAFE= no .include "../../mk/bsd.prefs.mk" BUILD_DEFS+= EXIM_DB EXIM_MAX_INCLUDE_SIZE PKG_GROUPS= ${EXIM_GROUP} PKG_USERS= ${EXIM_USER}:${EXIM_GROUP} PKG_GROUPS_VARS+= EXIM_GROUP PKG_USERS_VARS+= EXIM_USER PKG_GECOS.${EXIM_USER}= Exim mail server user PKG_HOME.${EXIM_USER}= ${VARBASE}/mail PKG_SHELL.${EXIM_USER}= ${NOLOGIN} FILES_SUBST+= EXIM_GROUP=${EXIM_GROUP} FILES_SUBST+= EXIM_USER=${EXIM_USER} PKG_SYSCONFSUBDIR= exim EXAMPLESDIR= ${PREFIX}/share/examples/exim CONF_FILES= ${EXAMPLESDIR}/aliases ${PKG_SYSCONFDIR}/aliases CONF_FILES+= ${EXAMPLESDIR}/configure ${PKG_SYSCONFDIR}/configure MESSAGE_SUBST+= EXAMPLESDIR="${EXAMPLESDIR}" PLIST_SUBST+= DISTNAME=${DISTNAME} RCD_SCRIPTS= exim OWN_DIRS_PERMS= ${VARBASE}/log/exim ${EXIM_USER} ${EXIM_GROUP} 0750 OWN_DIRS_PERMS+= ${VARBASE}/spool/exim ${EXIM_USER} ${EXIM_GROUP} 0750 SPECIAL_PERMS+= sbin/${PKGSRC_EXIM_VERSION} ${SETUID_ROOT_PERMS} # pay attention to CPPFLAGS as well CFLAGS+= ${CPPFLAGS} LDFLAGS.NetBSD+= -lexecinfo PKGSRC_EXIM_VERSION= ${DISTNAME}-1 SUBST_CLASSES+= exim SUBST_STAGE.exim= pre-configure SUBST_MESSAGE.exim= Faking exim version information in exim_install SUBST_FILES.exim= scripts/exim_install SUBST_VARS.exim= PKGSRC_EXIM_VERSION SUBST_CLASSES+= cflags SUBST_STAGE.cflags= pre-configure SUBST_MESSAGE.cflags= Fixing hard-coded CFLAGS SUBST_FILES.cflags= OS/Makefile-* SUBST_SED.cflags= -e '/^CFLAGS=/d' SUBST_SED.cflags+= -e 's/-D_XOPEN_SOURCE /-D_XOPEN_SOURCE=600 /' SUBST_SED.cflags+= -e 's/-D_XOPEN_SOURCE_EXTENDED=1 //' INSTALL_ARG= INSTALL_ARG=-no_chown INSTALL_ENV+= ${INSTALL_ARG:Q} .include "options.mk" post-extract: mv ${WRKSRC}/OS/unsupported/*-* ${WRKSRC}/OS/ mkdir ${WRKSRC}/Local cp ${WRKSRC}/src/EDITME ${WRKSRC}/Local/Makefile.pkgsrc cp ${WRKSRC}/exim_monitor/EDITME ${WRKSRC}/Local/eximon.conf.pkgsrc pre-configure: ${SED} -e 's:@@PREFIX@@:${PREFIX}:' \ -e 's:@@PKG_SYSCONFDIR@@:${PKG_SYSCONFDIR}:' \ -e 's:@@EXIM_USER@@:${EXIM_USER}:' \ -e 's:@@EXIM_GROUP@@:${EXIM_GROUP}:' \ -e 's:@@EXIM_USE_DB_CONFIG@@:${EXIM_USE_DB_CONFIG}:' \ -e 's:@@EXIM_DBMLIB@@:${EXIM_DBMLIB}:' \ -e 's:@@EXIM_INCLUDE@@:${EXIM_INCLUDE}:' \ -e 's:@@LOOKUP_LIBS@@:${LOOKUP_LIBS}:' \ -e 's:@@CHOWN@@:${CHOWN}:' \ -e 's:@@CHGRP@@:${CHGRP}:' \ -e 's:@@CHMOD@@:${CHMOD}:' \ -e 's:@@MV@@:${MV}:' \ -e 's:@@RM@@:${RM}:' \ -e 's:@@TOUCH@@:${TOUCH}:' \ -e 's:@@PERL5@@:${PERL5}:' \ -e 's:@@VARBASE@@:${VARBASE}:' \ < ${WRKSRC}/Local/Makefile.pkgsrc \ > ${WRKSRC}/Local/Makefile .for opt in ${LOCAL_MAKEFILE_OPTIONS} ${ECHO} ${opt} >> ${WRKSRC}/Local/Makefile .endfor .if !empty(EXIM_MAX_INCLUDE_SIZE) ${ECHO} MAX_INCLUDE_SIZE=${EXIM_MAX_INCLUDE_SIZE} >> ${WRKSRC}/Local/Makefile .endif ${SED} -e 's:@@PREFIX@@:${PREFIX}:' \ -e 's:@@PKG_SYSCONFDIR@@:${PKG_SYSCONFDIR}:' \ < ${WRKSRC}/Local/eximon.conf.pkgsrc \ > ${WRKSRC}/Local/eximon.conf post-build: ${SED} -e 's:@@PREFIX@@:${PREFIX}:' \ ${FILESDIR}/mailer.conf.exim \ > ${WRKDIR}/mailer.conf INSTALLATION_DIRS+= ${PKGMANDIR}/man8 sbin share/examples/exim share/doc/exim post-install: ${INSTALL_DATA} ${WRKDIR}/mailer.conf ${DESTDIR}${EXAMPLESDIR} ${INSTALL_DATA} ${WRKSRC}/doc/exim.8 \ ${DESTDIR}${PREFIX}/${PKGMANDIR}/man8/exim.8 ${INSTALL_DATA} ${WRKSRC}/doc/spec.txt \ ${DESTDIR}${PREFIX}/share/doc/exim .include "../../converters/libiconv/buildlink3.mk" .include "../../devel/pcre2/buildlink3.mk" .include "../../mk/bsd.pkg.mk" @ 1.201 log @exim exim-html: updated to 4.97 Exim version 4.97 ----------------- JH/01 The hosts_connection_nolog main option now also controls "no MAIL in SMTP connection" log lines. JH/02 Option default value updates: - queue_fast_ramp (main) true (was false) - remote_max_parallel (main) 4 (was 2) JH/03 Cache static regex pattern compilations, for use by ACLs. JH/04 Bug 2903: avoid exit on an attempt to rewrite a malformed address. Make the rewrite never match and keep the logging. Trust the admin to be using verify=header-syntax (to actually reject the message). JH/05 Follow symlinks for placing a watch on TLS creds files. This means (under Linux) we watch the dir containing the final file; previously it would be the dir with the first symlink. We still do not monitor the entire path. JH/06 Check for bad chars in rDNS for sender_host_name. The OpenBSD (at least) dn_expand() is happy to pass them through. JH/07 OpenSSL Fix auto-reload of changed server OCSP proof. Previously, if the file with the proof had an unchanged name, the new proof(s) were loaded on top of the old ones (and nover used; the old ones were stapled). JH/08 Bug 2915: Fix use-after-free for $regex variables. Previously when more than one message arrived in a single connection a reference from the earlier message could be re-used. Often a sigsegv resulted. These variables were introduced in Exim 4.87. Debug help from Graeme Fowler. JH/09 Fix ${filter } for conditions that modify $value. Previously the modified version would be used in construction the result, and a memory error would occur. JH/10 GnuTLS: fix for (IOT?) clients offering no TLS extensions at all. Find and fix by Jasen Betts. JH/11 OpenSSL: fix for ancient clients needing TLS support for versions earlier than TLSv1,2, Previously, more-recent versions of OpenSSL were permitting the systemwide configuration to override the Exim config. HS/01 Bug 2728: Introduce EDITME option "DMARC_API" to work around incompatible API changes in libopendmarc. JH/12 Bug 2930: Fix daemon startup. When started from any process apart from pid 1, in the normal "background daemon" mode, having to drop process- group leadership also lost track of needing to create listener sockets. JH/13 Bug 2929: Fix using $recipients after ${run...}. A change made for 4.96 resulted in the variable appearing empty. Find and fix by Ruben Jenster. JH/14 Bug 2933: Fix regex substring match variables for null matches. Since 4.96 a capture group which obtained no text (eg. "(abc)*" matching zero occurrences) could cause a segfault if the corresponding $ was expanded. JH/15 Fix argument parsing for ${run } expansion. Previously, when an argument included a close-brace character (eg. it itself used an expansion) an error occurred. JH/16 Move running the smtp connect ACL to before, for TLS-on-connect ports, starting TLS. Previously it was after, meaning that attackers on such ports had to be screened using the host_reject_connection main config option. The new sequence aligns better with the STARTTLS behaviour, and permits defences against crypto-processing load attacks, even though it is strictly an incompatible change. Also, avoid sending any SMTP fail response for either the connect ACL or host_reject_connection, for TLS-on-connect ports. JH/17 Permit the ACL "encrypted" condition to be used in a HELO/EHLO ACL, Previously this was not permitted, but it makes reasonable sense. While there, restore a restriction on using it from a connect ACL; given the change JH/16 it could only return false (and before 4.91 was not permitted). JH/18 Fix a fencepost error in logging. Previously (since 4.92) when a log line was exactly sized compared to the log buffer, a crash occurred with the misleading message "bad memory reference; pool not found". Found and traced by Jasen Betts. JH/19 Bug 2911: Fix a recursion in DNS lookups. Previously, if the main option dns_again_means_nonexist included an element causing a DNS lookup which itself returned DNS_AGAIN, unbounded recursion occurred. Possible results included (though probably not limited to) a process crash from stack memory limit, or from excessive open files. Replace this with a paniclog whine (as this is likely a configuration error), and returning DNS_NOMATCH. JH/20 Bug 2954: (OpenSSL) Fix setting of explicit EC curve/group. Previously this always failed, probably leading to the usual downgrade to in-clear connections. JH/21 Fix TLSA lookups. Previously dns_again_means_nonexist would affect SERVFAIL results, which breaks the downgrade resistance of DANE. Change to not checking that list for these lookups. JH/22 Bug 2434: Add connection-elapsed "D=" element to more connection closure log lines. JH/23 Fix crash in string expansions. Previously, if an empty variable was immediately followed by an expansion operator, a null-indirection read was done, killing the process. JH/24 Bug 2997: When built with EXPERIMENTAL_DSN_INFO, bounce messages can include an SMTP response string which is longer than that supported by the delivering transport. Alleviate by wrapping such lines before column 80. JH/25 Bug 2827: Restrict size of References: header in bounce messages to 998 chars (RFC limit). Previously a limit of 12 items was made, which with a not-impossible References: in the message being bounced could still be over-large and get stopped in the transport. JH/26 For a ${readsocket } in TLS mode, send a TLS Close Alert before the TCP close. Previously a bare socket close was done. JH/27 Fix ${srs_encode ..}. Previously it would give a bad result for one day every 1024 days. JH/28 Bug 2996: Fix a crash in the smtp transport. When finding that the message being considered for delivery was already being handled by another process, and having an SMTP connection already open, the function to close it tried to use an uninitialized variable. This would afftect high-volume sites more, especially when running mailing-list-style loads. Pollution of logs was the major effect, as the other process delivered the message. Found and partly investigated by Graeme Fowler. JH/29 Change format of the internal ID used for message identification. The old version only supported 31 bits for a PID element; the new 64 (on systems which can use Base-62 encoding, which is all currently supported ones but not Darwin (MacOS) or Cygwin, which have case-insensitive filesystems and must use Base-36). The new ID is 23 characters rather than 16, and is visible in various places - notably logs, message headers, and spool file names. Various of the ancillary utilities also have to know the format. As well as the expanded PID portion, the sub-second part of the time recorded in the ID is expanded to support finer precision. Theoretically this permits a receive rate from a single comms channel of better than the previous 2000/sec. The major timestamp part of the ID is not changed; at 6 characters it is usable until about year 3700. Updating from previously releases is fully supported: old-format spool files are still usable, and the utilities support both formats. New message will use the new format. The one hints-DB file type which uses message-IDs (the transport wait- DB) will be discarded if an old-format ID is seen; new ones will be built with only new-format IDs. Optionally, a utility can be used to convert spool files from old to new, but this is only an efficiency measure not a requirement for operation Downgrading from new to old requires running a provided utility, having first stopped all operations. This will convert any spool files from new back to old (losing time-precision and PID information) and remove any wait- hints databases. JH/30 Bug 3006: Fix handling of JSON strings having embedded commas. Previously we treated them as item separators when parsing for a list item, but they need to be protected by the doublequotes. While there, add handling for backslashes. JH/31 Bug 2998: Fix ${utf8clean:...} to disallow UTF-16 surrogate codepoints. Found and fixed by Jasen Betts. No testcase for this as my usual text editor insists on emitting only valid UTF-8. JH/32 Fix "tls_dhparam = none" under GnuTLS. At least with 3.7.9 this gave a null-indirection SIGSEGV for the receive process. JH/33 Fix free for live variable $value created by a ${run ...} expansion during -bh use. Internal checking would spot this and take a panic. JH/34 Bug 3013: Fix use of $recipients within arguments for ${run...}. In 4.96 this would expand to empty. JH/35 Bug 3014: GnuTLS: fix expiry date for an auto-generated server certificate. Find and fix by Andreas Metzler. JH/36 Add ARC info to DMARC hostory records. JH/37 Bug 3016: Avoid sending DSN when message was accepted under fakereject or fakedefer. Previously the sender could discover that the message had in fact been accepted. JH/38 Taint-track intermediate values from the peer in multi-stage authentation sequences. Previously the input was not noted as being tainted; notably this resulted in behaviour of LOGIN vs. PLAIN being inconsistent under bad coding of authenticators. JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings and ${tr...}. Found and diagnosed by Heiko Schlichting. JH/40 Bug 2999: Fix a possible OOB write in the external authenticator, which could be triggered by externally-supplied input. Found by Trend Micro. CVE-2023-42115 JH/41 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could be triggered by externally-controlled input. Found by Trend Micro. CVE-2023-42116 JH/42 Bug 3001: Fix a possible OOB read in the SPA authenticator, which could be triggered by externally-controlled input. Found by Trend Micro. CVE-2023-42114 JH/43 Bug 2903: avoid exit on an attempt to rewrite a malformed address. Make the rewrite never match and keep the logging. Trust the admin to be using verify=header-syntax (to actually reject the message). JH/44 Bug 3033: Harden dnsdb lookups against crafted DNS responses. CVE-2023-42219 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.200 2023/11/08 13:19:55 wiz Exp $ d3 1 a3 1 DISTNAME= exim-4.97 @ 1.200 log @*: recursive bump for icu 74.1 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.199 2023/10/24 22:09:43 wiz Exp $ d3 1 a3 2 DISTNAME= exim-4.96.2 PKGREVISION= 2 d18 2 d62 1 d91 1 a91 1 sed -e 's:@@PREFIX@@:${PREFIX}:' \ d115 1 a115 1 sed -e 's:@@PREFIX@@:${PREFIX}:' \ d121 1 a121 1 sed -e 's:@@PREFIX@@:${PREFIX}:' \ @ 1.199 log @*: bump for openssl 3 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.198 2023/10/16 14:59:26 prlw1 Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.198 log @Update exim to 4.96.2 Security fixes: JH/01 Bug 3033: Harden dnsdb lookups against crafted DNS responses. CVE-2023-42219 HS/01 Fix string_is_ip_address() CVE-2023-42117 (Bug 3031) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.197 2023/10/03 08:42:44 prlw1 Exp $ d4 1 @ 1.197 log @Update exim to 4.96.1 Exim version 4.96.1 ------------------- This is a security release. JH/01 Bug 2999: Fix a possible OOB write in the external authenticator, which could be triggered by externally-supplied input. Found by Trend Micro. CVE-2023-42115 JH/02 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could be triggered by externally-controlled input. Found by Trend Micro. CVE-2023-42116 JH/03 Bug 3001: Fix a possible OOB read in the SPA authenticator, which could be triggered by externally-controlled input. Found by Trend Micro. CVE-2023-42114 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.196 2023/04/19 08:10:41 adam Exp $ d3 1 a3 1 DISTNAME= exim-4.96.1 @ 1.196 log @revbump after textproc/icu update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.195 2022/11/23 16:20:33 adam Exp $ d3 1 a3 2 DISTNAME= exim-4.96 PKGREVISION= 3 @ 1.196.4.1 log @Pullup ticket #6806 - requested by prlw1 mail/exim: security fix Revisions pulled up: - mail/exim/Makefile 1.197 - mail/exim/distinfo 1.84 --- Module Name: pkgsrc Committed By: prlw1 Date: Tue Oct 3 08:42:44 UTC 2023 Modified Files: pkgsrc/mail/exim: Makefile distinfo Log Message: Update exim to 4.96.1 Exim version 4.96.1 ------------------- This is a security release. JH/01 Bug 2999: Fix a possible OOB write in the external authenticator, which could be triggered by externally-supplied input. Found by Trend Micro. CVE-2023-42115 JH/02 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could be triggered by externally-controlled input. Found by Trend Micro. CVE-2023-42116 JH/03 Bug 3001: Fix a possible OOB read in the SPA authenticator, which could be triggered by externally-controlled input. Found by Trend Micro. CVE-2023-42114 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.196 2023/04/19 08:10:41 adam Exp $ d3 2 a4 1 DISTNAME= exim-4.96.1 @ 1.196.4.2 log @Pullup ticket #6813 - requested by prlw1 mail/exim: security fix Revisions pulled up: - mail/exim/Makefile 1.198 - mail/exim/distinfo 1.85 --- Module Name: pkgsrc Committed By: prlw1 Date: Mon Oct 16 14:59:27 UTC 2023 Modified Files: pkgsrc/mail/exim: Makefile distinfo Log Message: Update exim to 4.96.2 Security fixes: JH/01 Bug 3033: Harden dnsdb lookups against crafted DNS responses. CVE-2023-42219 HS/01 Fix string_is_ip_address() CVE-2023-42117 (Bug 3031) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.196.4.1 2023/10/12 15:28:14 bsiegert Exp $ d3 1 a3 1 DISTNAME= exim-4.96.2 @ 1.195 log @massive revision bump after textproc/icu update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.194 2022/07/11 10:52:29 abs Exp $ d4 1 a4 1 PKGREVISION= 2 @ 1.194 log @Fix exim build on NetBSD (support for bdb 1.x dropped) Bump PKGREVISION @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.193 2022/07/02 09:24:34 adam Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.193 log @exim exim-html: updated to 4.96 New stuff we've added since 4.95: - A new ACL condition: seen. Records/tests a timestamp against a key. - A variant of the "mask" expansion operator to give normalised IPv6. - UTC output option for exim_dumpdb, exim_fixdb. - An event for failing TLS connects to the daemon. - The ACL "debug" control gains options "stop", "pretrigger" and "trigger". - Query-style lookups are now checked for quoting, if the query string is built using untrusted data ("tainted"). For now lack of quoting is merely logged; a future release will upgrade this to an error. - The expansion conditions match_ and inlist now set $value for the expansion of the "true" result of the ${if}. With a static list, this can be used for de-tainting. Notable removals since 4.95: - the "allow_insecure_tainted_data" main config option and the "taint" log_selector. These were deprecated in the 4.95 release. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.192 2022/06/28 11:34:20 wiz Exp $ d4 1 @ 1.192 log @*: recursive bump for perl 5.36 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.191 2022/04/18 19:11:33 adam Exp $ d3 1 a3 2 DISTNAME= exim-4.95 PKGREVISION= 3 d132 1 a132 1 .include "../../devel/pcre/buildlink3.mk" @ 1.191 log @revbump for textproc/icu update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.190 2021/12/08 16:05:28 adam Exp $ d4 1 a4 1 PKGREVISION= 2 @ 1.190 log @revbump for icu and libffi @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.189 2021/11/14 20:19:08 adam Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.189 log @exim exim-html: updated to 4.95 Version 4.95 ------------ 1. The fast-ramp two phase queue run support, previously experimental, is now supported by default. 2. The native SRS support, previously experimental, is now supported. It is not built unless specified in the Local/Makefile. 3. TLS resumption support, previously experimental, is now supported and included in default builds. 4. Single-key LMDB lookups, previously experimental, are now supported. The support is not built unless specified in the Local/Makefile. 5. Option "message_linelength_limit" on the smtp transport to enforce (by default) the RFC 998 character limit. 6. An option to ignore the cache on a lookup. 7. Quota checking during reception (i.e. at SMTP time) for appendfile- transport-managed quotas. 8. Sqlite lookups accept a "file=" option to specify a per-operation db file, replacing the previous prefix to the SQL string (which had issues when the SQL used tainted values). 9. Lsearch lookups accept a "ret=full" option, to return both the portion of the line matching the key, and the remainder. 10. A command-line option to have a daemon not create a notifier socket. 11. Faster TLS startup. When various configuration options contain no expandable elements, the information can be preloaded and cached rather than the previous behaviour of always loading at startup time for every connection. This helps particularly for the CA bundle. 12. Proxy Protocol Timeout is configurable via "proxy_protocol_timeout" main config option. 13. Option "smtp_accept_max_per_connection" is now expanded. 14. Log selector "queue_size_exclusive", enabled by default, to exclude the time taken for reception from QT log elements. 15. Main option "smtp_backlog_monitor", to set a level above which listen socket backlogs are logged. 16. Main option "hosts_require_helo", requiring HELO or EHLO before MAIL. 17. A main config option "allow_insecure_tainted_data" allows to turn 18. TLS ALPN handling. By default, refuse TLS connections that try to specify a non-smtp (eg. http) use. Options for customising. 19. Support for MacOS (darwin) has been dropped. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.188 2021/06/23 20:33:12 nia Exp $ d4 1 @ 1.188 log @Revbump for MySQL default change @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.187 2021/05/24 19:52:40 wiz Exp $ d3 1 a3 2 DISTNAME= exim-4.94.2 PKGREVISION= 2 @ 1.187 log @*: recursive bump for perl 5.34 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.186 2021/05/11 09:53:20 jperkin Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.186 log @exim: Fix hardcoded CFLAGS breaking SunOS build. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.185 2021/05/04 20:29:38 abs Exp $ d4 1 @ 1.185 log @Updated mail/exim to 4.94.2 This includes a number of serious security fixes (one of which was included in a now obsoleted pkgsrc patch) CVE-2020-28016 CVE-2020-BDATA CVE-2020-EXOPT CVE-2020-PFPSN CVE-2020-RCPTL CVE-2020-SLCWD CVE-2020-SPRSS Since Exim version 4.94 ----------------------- JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used as arguments, so an implementation trying to copy these into a local buffer was taking a taint-enforcement trap. Fix by using dynamically created buffers. Similar fix for radius expansion condition. JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is reasonable, eg. to count headers. Fix by using dynamically created buffers rather than a local. Do similar fixes for ACL actions "dcc", "log_reject_target", "malware" and "spam"; the arguments are expanded so could be handling tainted values. JH/04 Bug 2590: Fix -bi (newaliases). A previous code rearrangement had broken the (no-op) support for this sendmail command. Restore it to doing nothing, silently, and returning good status. JH/05 Bug 2593: Fix "vacation" in Exim filter. Previously, when a "once" record path was given (or the default used) without a leading directory path, an error occurred on trying to open it. Use the transport's working directory. JH/06 Bug 2594: Change the name used for certificate name checks in the smtp transport. Previously it was the name on the DNS A-record; use instead the head of the CNAME chain leading there (if there is one). This seems to align better with RFC 6125. JH/07 Bug 2597: Fix a resource leak. Using a lookup in obtaining a value for smtp_accept_max_per_host allocated resources which were not released when the limit was exceeded. This eventually crashed the daemon. Fix by adding a relase action in that path. JH/08 Bug 2598: Fix verify ACL condition. The options for the condition are expanded; previously using tainted values was rejected. Fix by using dynamically-created buffers. JH/10 Bug 2603: Fix coding of string copying to only evaluate arguments once. Previously a macro used one argument twice; when called with the argument as an expression having side-effects, incorrect operation resulted. Use an inlineable function. JH/11 Bug 2604: Fix request to cutthrough-deliver when a connection is already held open for a verify callout. Previously this wan not accounted for and a corrupt onward SMTP conversation resulted. JH/13 Fix dsearch "subdir" filter to ignore ".". Previously only ".." was excluded, not matching the documentation. JH/14 Bug 2606: Fix a segfault in sqlite lookups. When no, or a bad, filename was given for the sqlite_dbfile a trap resulted. JH/15 Bug 2620: Fix "spam" ACL condition. Previously, tainted values for the "name" argument resulted in a trap. There is no reason to disallow such; this was a coding error. JH/16 Bug 2615: Fix pause during message reception, on systems that have been suspended/resumed. The Linux CLOCK_MONOTONIC does not account for time spent suspended, ignoring the Posix definition. Previously we assumed it did and a constant offset from real time could be used as a correction. Change to using the same clock source for the start-of-message and the post-message next-tick-wait. Also change to using CLOCK_BOOTTIME if it exists, just to get a clock slightly more aligned to reality. JH/17 Bug 2295: Fix DKIM signing to always semicolon-terminate. Although the RFC says it is optional some validators care. The missing char was not intended but triggered by a line-wrap alignement. Discovery and fix by Guillaume Outters, hacked on by JH. JH/18 Bug 2617: Fix a taint trap in parse_fix_phrase(). Previously when the name being quoted was tainted a trap would be taken. Fix by using dynamicaly created buffers. The routine could have been called by a rewrite with the "h" flag, by using the "-F" command-line option, or by using a "name=" option on a control=submission ACL modifier. JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion. Previously when a whitespace character was specified it was not inserted after removing the newline. JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for is_tainted() had an off-by-one error in the overenthusiastic direction. Find and fix by Gavan. Although NetBSD is not a supported platform for 4.94 this bug could affect other platforms. JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for is_tainted() had an off-by-one error in the overenthusiastic direction. Find and fix by Gavan. Although NetBSD is not a supported platform for 4.94 this bug could affect other platforms. JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion. Previously when a whitespace character was specified it was not inserted after removing the newline. JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be the domain part of the recipient address. This overrides any tls_sni option set, which was previously used. JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI in quotes. JH/26 Bug 2646: fix a memory usage issue in ldap lookups. Previously, when more than one server was defined and depending on the platform memory layout details, an internal consistency trap could be hit while walking the list of servers. JH/27 Bug 2648: fix the passing of an authenticator public-name through spool files. The value is used by the authresults expansion item. Previously if this was used in a router or transport, a crash could result. JH/30 Bug 2677: fix matching of long addresses. Since 4.93 a limit of 256 was applied. This resulted, if any header-line rewrite rules were configured, in a panic-log trigerrable by sending a message with a long address in a header. Fix by increaing the arbitrary limit to larger than a single (dewrapped) 5322 header line maximum size. JH/31 The ESMTP option name advertised for the SUPPORT_EARLY_PIPE build option is changed from X_PIPE_CONNECT to PIPE_CONNECT. This is in line with RFC 6648 which deprecates X- options in protocols as a general practice. Changeover between the implementations is handled by the mechanisms alrready coded. JH/32 Bug 2599: fix delay of delivery to a local address where there is also a remote which uses callout/hold. Previously the local was queued. JH/33 Fix a taint trap in the ${listextract } expansion when the source data was tainted. JH/35 Bug 2343: Harden exim_tidydb against corrupt wait- files. JH/36 Bug 2687: Fix interpretation of multiple ^ chars in a plaintext authenticator client_send option. Previously the next char, after a pair was collapsed, was taken verbatim (so ^^^foo became ^^foo; ^^^^foo became ^^\x00foo). Fixed to get ^\x00foo and ^^foo respectively to match the documentation. There is still no way to get a leading ^ immediately after a NUL (ie. for the password of a PLAIN method authenticator. JH/39 Bug 2691: fix $local_part_data. When the matching list element referred to a file, bad data was returned. This likely also affected $domain_part_data. JH/41 Fix daemon SIGHUP on FreeBSD. Previously, a named socket for IPC was left undeleted; the attempt to re-create it then failed - resulting in the usual "SIGHUP tp have daemon reload configuration" to not work. This affected any platform not supporting "abstract" Unix-domain sockets (i.e. not Linux). JH/42 Bug 2692: Harden against a peer which reneges on a 452 "too many recipients" response to RCPT in a later response, with a 250. The previous coding assumed this would not happen, and under PIPELINING would result in both lost and duplicate recipients for a message. JH/43 Bug 2694: Fix weighted distribution of work to multiple spamd servers. Previously the weighting was incorrectly applied. Similar fix for socks proxies. Found and fixed by Heiko Schlichting. JH/44 Bug 2701: Fix list-expansion of dns_ipv4_lookup. Previously, it did not handle sub-lists included using the +namedlist syntax. While investigating, the same found for dns_trust_aa, dns_again_means_nonexist, dnssec_require_domains, dnssec_request_domains, srv_fail_domains, mx_fail_domains. HS/01 Enforce absolute PID file path name. HS/02 Handle SIGINT as we handle SIGTERM: terminate the Exim process. PP/01 Add a too-many-bad-recipients guard to the default config's RCPT ACL. PP/02 Bug 2643: Correct TLS DH constants. A missing NUL termination in our code-generation tool had led to some incorrect Diffie-Hellman constants in the Exim source. Reported by kylon94, code-gen tool fix by Simon Arlott. PP/03 Impose security length checks on various command-line options. Fixes CVE-2020-SPRSS reported by Qualys. PP/04 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX better. Reported by Qualys. PP/05 Fix security issue CVE-2020-PFPSN and guard against cmdline invoker providing a particularly obnoxious sender full name. Reported by Qualys. PP/06 Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase() PP/07 Refuse to allocate too little memory, block negative/zero allocations. Security guard. PP/08 Change default for recipients_max from unlimited to 50,000. PP/09 Fix security issue with too many recipients on a message (to remove a known security problem if someone does set recipients_max to unlimited, or if local additions add to the recipient list). Fixes CVE-2020-RCPTL reported by Qualys. PP/10 Fix security issue in SMTP verb option parsing Fixes CVE-2020-EXOPT reported by Qualys. PP/11 Fix security issue in BDAT state confusion. Ensure we reset known-good where we know we need to not be reading BDAT data, as a general case fix, and move the places where we switch to BDAT mode until after various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys. HS/03 Die on "/../" in msglog file names QS/01 Creation of (database) files in $spool_dir: only uid=0 or the uid of the Exim runtime user are allowed to create files. QS/02 PID file creation/deletion: only possible if uid=0 or uid is the Exim runtime user. QS/03 When reading the output from interpreted forward files we do not pass the pipe between the parent and the interpreting process to executed child processes (if any). QS/04 Always die if requested from internal logging, even is logging is disabled. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.184 2021/04/21 11:42:08 adam Exp $ d70 1 a70 1 SUBST_MESSAGE.cflags= Removing hard-coded CFLAGS d72 3 a74 1 SUBST_SED.cflags= -e 's,^CFLAGS=.*,,' @ 1.184 log @revbump for textproc/icu @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.183 2020/11/05 09:08:35 ryoon Exp $ d3 1 a3 2 DISTNAME= exim-4.94 PKGREVISION= 5 d5 3 a7 2 MASTER_SITES= ftp://ftp.exim.org/pub/exim/exim4/ MASTER_SITES+= https://ftp.exim.org/pub/exim/exim4/ a8 1 MASTER_SITES+= https://ftp.exim.org/pub/exim/exim4/fixes/ @ 1.183 log @*: Recursive revbump from textproc/icu-68.1 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.182 2020/08/31 18:09:55 wiz Exp $ d4 1 a4 1 PKGREVISION= 4 @ 1.183.4.1 log @Pullup ticket #6455 - requested by abs mail/exim: security fix Revisions pulled up: - mail/exim/Makefile 1.185 - mail/exim/distinfo 1.79 - mail/exim/patches/patch-src_store.c deleted --- Module Name: pkgsrc Committed By: abs Date: Tue May 4 20:29:39 UTC 2021 Modified Files: pkgsrc/mail/exim: Makefile distinfo Log Message: Updated mail/exim to 4.94.2 This includes a number of serious security fixes (one of which was included in a now obsoleted pkgsrc patch) CVE-2020-28016 CVE-2020-BDATA CVE-2020-EXOPT CVE-2020-PFPSN CVE-2020-RCPTL CVE-2020-SLCWD CVE-2020-SPRSS Since Exim version 4.94 ----------------------- JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used as arguments, so an implementation trying to copy these into a local buffer was taking a taint-enforcement trap. Fix by using dynamically created buffers. Similar fix for radius expansion condition. JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is reasonable, eg. to count headers. Fix by using dynamically created buffers rather than a local. Do similar fixes for ACL actions "dcc", "log_reject_target", "malware" and "spam"; the arguments are expanded so could be handling tainted values. JH/04 Bug 2590: Fix -bi (newaliases). A previous code rearrangement had broken the (no-op) support for this sendmail command. Restore it to doing nothing, silently, and returning good status. JH/05 Bug 2593: Fix "vacation" in Exim filter. Previously, when a "once" record path was given (or the default used) without a leading directory path, an error occurred on trying to open it. Use the transport's working directory. JH/06 Bug 2594: Change the name used for certificate name checks in the smtp transport. Previously it was the name on the DNS A-record; use instead the head of the CNAME chain leading there (if there is one). This seems to align better with RFC 6125. JH/07 Bug 2597: Fix a resource leak. Using a lookup in obtaining a value for smtp_accept_max_per_host allocated resources which were not released when the limit was exceeded. This eventually crashed the daemon. Fix by adding a relase action in that path. JH/08 Bug 2598: Fix verify ACL condition. The options for the condition are expanded; previously using tainted values was rejected. Fix by using dynamically-created buffers. JH/10 Bug 2603: Fix coding of string copying to only evaluate arguments once. Previously a macro used one argument twice; when called with the argument as an expression having side-effects, incorrect operation resulted. Use an inlineable function. JH/11 Bug 2604: Fix request to cutthrough-deliver when a connection is already held open for a verify callout. Previously this wan not accounted for and a corrupt onward SMTP conversation resulted. JH/13 Fix dsearch "subdir" filter to ignore ".". Previously only ".." was excluded, not matching the documentation. JH/14 Bug 2606: Fix a segfault in sqlite lookups. When no, or a bad, filename was given for the sqlite_dbfile a trap resulted. JH/15 Bug 2620: Fix "spam" ACL condition. Previously, tainted values for the "name" argument resulted in a trap. There is no reason to disallow such; this was a coding error. JH/16 Bug 2615: Fix pause during message reception, on systems that have been suspended/resumed. The Linux CLOCK_MONOTONIC does not account for time spent suspended, ignoring the Posix definition. Previously we assumed it did and a constant offset from real time could be used as a correction. Change to using the same clock source for the start-of-message and the post-message next-tick-wait. Also change to using CLOCK_BOOTTIME if it exists, just to get a clock slightly more aligned to reality. JH/17 Bug 2295: Fix DKIM signing to always semicolon-terminate. Although the RFC says it is optional some validators care. The missing char was not intended but triggered by a line-wrap alignement. Discovery and fix by Guillaume Outters, hacked on by JH. JH/18 Bug 2617: Fix a taint trap in parse_fix_phrase(). Previously when the name being quoted was tainted a trap would be taken. Fix by using dynamicaly created buffers. The routine could have been called by a rewrite with the "h" flag, by using the "-F" command-line option, or by using a "name=" option on a control=submission ACL modifier. JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion. Previously when a whitespace character was specified it was not inserted after removing the newline. JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for is_tainted() had an off-by-one error in the overenthusiastic direction. Find and fix by Gavan. Although NetBSD is not a supported platform for 4.94 this bug could affect other platforms. JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for is_tainted() had an off-by-one error in the overenthusiastic direction. Find and fix by Gavan. Although NetBSD is not a supported platform for 4.94 this bug could affect other platforms. JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion. Previously when a whitespace character was specified it was not inserted after removing the newline. JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be the domain part of the recipient address. This overrides any tls_sni option set, which was previously used. JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI in quotes. JH/26 Bug 2646: fix a memory usage issue in ldap lookups. Previously, when more than one server was defined and depending on the platform memory layout details, an internal consistency trap could be hit while walking the list of servers. JH/27 Bug 2648: fix the passing of an authenticator public-name through spool files. The value is used by the authresults expansion item. Previously if this was used in a router or transport, a crash could result. JH/30 Bug 2677: fix matching of long addresses. Since 4.93 a limit of 256 was applied. This resulted, if any header-line rewrite rules were configured, in a panic-log trigerrable by sending a message with a long address in a header. Fix by increaing the arbitrary limit to larger than a single (dewrapped) 5322 header line maximum size. JH/31 The ESMTP option name advertised for the SUPPORT_EARLY_PIPE build option is changed from X_PIPE_CONNECT to PIPE_CONNECT. This is in line with RFC 6648 which deprecates X- options in protocols as a general practice. Changeover between the implementations is handled by the mechanisms alrready coded. JH/32 Bug 2599: fix delay of delivery to a local address where there is also a remote which uses callout/hold. Previously the local was queued. JH/33 Fix a taint trap in the ${listextract } expansion when the source data was tainted. JH/35 Bug 2343: Harden exim_tidydb against corrupt wait- files. JH/36 Bug 2687: Fix interpretation of multiple ^ chars in a plaintext authenticator client_send option. Previously the next char, after a pair was collapsed, was taken verbatim (so ^^^foo became ^^foo; ^^^^foo became ^^\x00foo). Fixed to get ^\x00foo and ^^foo respectively to match the documentation. There is still no way to get a leading ^ immediately after a NUL (ie. for the password of a PLAIN method authenticator. JH/39 Bug 2691: fix $local_part_data. When the matching list element referred to a file, bad data was returned. This likely also affected $domain_part_data. JH/41 Fix daemon SIGHUP on FreeBSD. Previously, a named socket for IPC was left undeleted; the attempt to re-create it then failed - resulting in the usual "SIGHUP tp have daemon reload configuration" to not work. This affected any platform not supporting "abstract" Unix-domain sockets (i.e. not Linux). JH/42 Bug 2692: Harden against a peer which reneges on a 452 "too many recipients" response to RCPT in a later response, with a 250. The previous coding assumed this would not happen, and under PIPELINING would result in both lost and duplicate recipients for a message. JH/43 Bug 2694: Fix weighted distribution of work to multiple spamd servers. Previously the weighting was incorrectly applied. Similar fix for socks proxies. Found and fixed by Heiko Schlichting. JH/44 Bug 2701: Fix list-expansion of dns_ipv4_lookup. Previously, it did not handle sub-lists included using the +namedlist syntax. While investigating, the same found for dns_trust_aa, dns_again_means_nonexist, dnssec_require_domains, dnssec_request_domains, srv_fail_domains, mx_fail_domains. HS/01 Enforce absolute PID file path name. HS/02 Handle SIGINT as we handle SIGTERM: terminate the Exim process. PP/01 Add a too-many-bad-recipients guard to the default config's RCPT ACL. PP/02 Bug 2643: Correct TLS DH constants. A missing NUL termination in our code-generation tool had led to some incorrect Diffie-Hellman constants in the Exim source. Reported by kylon94, code-gen tool fix by Simon Arlott. PP/03 Impose security length checks on various command-line options. Fixes CVE-2020-SPRSS reported by Qualys. PP/04 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX better. Reported by Qualys. PP/05 Fix security issue CVE-2020-PFPSN and guard against cmdline invoker providing a particularly obnoxious sender full name. Reported by Qualys. PP/06 Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase() PP/07 Refuse to allocate too little memory, block negative/zero allocations. Security guard. PP/08 Change default for recipients_max from unlimited to 50,000. PP/09 Fix security issue with too many recipients on a message (to remove a known security problem if someone does set recipients_max to unlimited, or if local additions add to the recipient list). Fixes CVE-2020-RCPTL reported by Qualys. PP/10 Fix security issue in SMTP verb option parsing Fixes CVE-2020-EXOPT reported by Qualys. PP/11 Fix security issue in BDAT state confusion. Ensure we reset known-good where we know we need to not be reading BDAT data, as a general case fix, and move the places where we switch to BDAT mode until after various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys. HS/03 Die on "/../" in msglog file names QS/01 Creation of (database) files in $spool_dir: only uid=0 or the uid of the Exim runtime user are allowed to create files. QS/02 PID file creation/deletion: only possible if uid=0 or uid is the Exim runtime user. QS/03 When reading the output from interpreted forward files we do not pass the pipe between the parent and the interpreting process to executed child processes (if any). QS/04 Always die if requested from internal logging, even is logging is disabled. --- Module Name: pkgsrc Committed By: wiz Date: Thu May 6 07:08:54 UTC 2021 Removed Files: pkgsrc/mail/exim/patches: patch-src_store.c Log Message: exim: remove patch from distinfo that was removed from repository during update @ text @d1 1 a1 1 # $NetBSD$ d3 2 a4 1 DISTNAME= exim-4.94.2 d6 3 a8 1 MASTER_SITES= https://ftp.exim.org/pub/exim/exim4/ a9 2 MASTER_SITES+= ftp://ftp.exim.org/pub/exim/exim4/ MASTER_SITES+= ftp://ftp.exim.org/pub/exim/exim4/fixes/ @ 1.182 log @*: bump PKGREVISION for perl-5.32. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.181 2020/08/20 16:40:57 gavan Exp $ d4 1 a4 1 PKGREVISION= 3 @ 1.181 log @exim: fix crash on startup if log_buffer is allocated right after taint pool The check whether a block of memory is tainted erroneously returns true if the block in question starts the very next byte after a block in the tainted pool. Depending on the memory allocator, this can cause problems. For example, on NetBSD/amd64 9.0, this seems to allocate the first tainted block immediately before log_buffer. This leads to a recursive error in log_write the first time anything is written to the log, leading to a segmentation fault when the stack fills up. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.180 2020/06/02 08:24:14 adam Exp $ d4 1 a4 1 PKGREVISION= 2 @ 1.180 log @Revbump for icu @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.179 2020/06/01 19:42:48 adam Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.179 log @exim exim-html: updated to 4.94 Exim version 4.94 ----------------- JH/01 Avoid costly startup code when not strictly needed. This reduces time for some exim process initialisations. It does mean that the logging of TLS configuration problems is only done for the daemon startup. JH/02 Early-pipelining support code is now included unless disabled in Makefile. JH/03 DKIM verification defaults no long accept sha1 hashes, to conform to RFC 8301. They can still be enabled, using the dkim_verify_hashes main option. JH/04 Support CHUNKING from an smtp transport using a transport_filter, when DKIM signing is being done. Previously a transport_filter would always disable CHUNKING, falling back to traditional DATA. JH/05 Regard command-line receipients as tainted. JH/06 Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM. JH/07 Bug 2489: Fix crash in the "pam" expansion condition. It seems that the PAM library frees one of the arguments given to it, despite the documentation. Therefore a plain malloc must be used. JH/08 Bug 2491: Use tainted buffers for the transport smtp context. Previously on-stack buffers were used, resulting in a taint trap when DSN information copied from a received message was written into the buffer. JH/09 Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix the ordering of its ARC headers. This caused a crash. JH/10 Bug 2492: Use tainted memory for retry record when needed. Previously when a new record was being constructed with information from the peer, a trap was taken. JH/11 Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive installation would get error messages from DMARC verify, when it hit the nonexistent file indicated by the default. Distros wanting DMARC enabled should both provide the file and set the option. Also enforce no DMARC verification for command-line sourced messages. JH/12 Fix an uninitialised flag in early-pipelining. Previously connections could, depending on the platform, hang at the STARTTLS response. JH/13 Bug 2498: Reset a counter used for ARC verify before handling another message on a connection. Previously if one message had ARC headers and the following one did not, a crash could result when adding an Authentication-Results: header. JH/14 Bug 2500: Rewind some of the common-coding in string handling between the Exim main code and Exim-related utities. The introduction of taint tracking also did many adjustments to string handling. Since then, eximon frequently terminated with an assert failure. JH/15 When PIPELINING, synch after every hundred or so RCPT commands sent and check for 452 responses. This slightly helps the inefficieny of doing a large alias-expansion into a recipient-limited target. The max_rcpt transport option still applies (and at the current default, will override the new feature). The check is done for either cause of synch, and forces a fast-retry of all 452'd recipients using a new MAIL FROM on the same connection. The new facility is not tunable at this time. JH/16 Fix the variables set by the gsasl authenticator. Previously a pointer to library live data was being used, so the results became garbage. Make copies while it is still usable. JH/17 Logging: when the deliver_time selector ise set, include the DT= field on delivery deferred (==) and failed (**) lines (if a delivery was attemtped). Previously it was only on completion (=>) lines. JH/18 Authentication: the gsasl driver not provides the $authN variables in time for the expansion of the server_scram_iter and server_scram_salt options. WB/01 SPF: DNS lookups for the obsolete SPF RR type done by the libspf2 library are now specifically given a NO_DATA response without hitting the system resolver. The library goes on to do the now-standard TXT lookup. Use of dnsdb lookups is not affected. JH/19 Bug 2507: Modules: on handling a dynamic-module (lookups) open failure, only retrieve the errormessage once. Previously two calls to dlerror() were used, and the second one (for mainlog/paniclog) retrieved null information. JH/20 Taint checking: disallow use of tainted data for - the appendfile transport file and directory options - the pipe transport command - the autoreply transport file, log and once options - file names used by the redirect router (including filter files) - named-queue names - paths used by single-key lookups Previously this was permitted. JH/21 Bug 2501: Fix init call in the heimdal authenticator. Previously it adjusted the size of a major service buffer; this failed because the buffer was in use at the time. Change to a compile-time increase in the buffer size, when this authenticator is compiled into exim. JH/22 Taint-checking: move to safe-mode taint checking on all platforms. The previous fast-mode was untenable in the face of glibs using mmap to support larger malloc requests. PP/01 Update the openssl_options possible values through OpenSSL 1.1.1c. New values supported, if defined on system where compiled: allow_no_dhe_kex, cryptopro_tlsext_bug, enable_middlebox_compat, no_anti_replay, no_encrypt_then_mac, prioritize_chacha, tlsext_padding JH/23 Performance improvement in the initial phase of a two-pass queue run. By running a limited number of proceses in parallel, a benefit is gained. The amount varies with the platform hardware and load. The use of the option queue_run_in_order means we cannot do this, as ordering becomes indeterminate. JH/24 Bug 2524: fix the cyrus_sasl auth driver gssapi usage. A previous fix had introduced a string-copy (for ensuring NUL-termination) which was not appropriate for that case, which can include embedded NUL bytes in the block of data. Investigation showed the copy to actually be needless, the data being length-specified. JH/25 Fix use of concurrent TLS connections under GnuTLS. When a callout was done during a receiving connection, and both used TLS, global info was used rather than per-connection info for tracking the state of data queued for transmission. This could result in a connection hang. JH/26 Fix use of the SIZE parameter on MAIL commands, on continued connections. Previously, when delivering serveral messages down a single connection only the first would provide a SIZE. This was due to the size information not being properly tracked. JH/27 Bug 2530: When operating in a timezone with sub-minute offset, such as TAI (at 37 seconds currently), pretend to be in UTC for time-related expansion and logging. Previously, spurious values such as a future minute could be seen. JH/28 Bug 2533: Fix expansion of ${tr } item. When called in some situations it could crash from a null-deref. This could also affect the ${addresses: } operator and ${readsock } item. JH/29 Bug 2537: Fix $mime_part_count. When a single connection had a non-mime message following a mime one, the variable was not reset. JH/30 When an pipelined-connect fails at the first response, assume incorrect cached capability (perhaps the peer reneged?) and immediately retry in non-pipelined mode. JH/31 Fix spurious detection of timeout while writing to transport filter. JH/32 Bug 2541: Fix segfault on bad cmdline -f (sender) argument. Previously an attempt to copy the string was made before checking it. JH/33 Fix the dsearch lookup to return an untainted result. Previously the taint of the lookup key was maintained; we now regard the presence in the filesystem as sufficient validation. JH/34 Fix the readsocket expansion to not segfault when an empty "options" argument is supplied. JH/35 The dsearch lookup now requires that the directory is an absolute path. Previously this was not checked, and nonempty relative paths made an access under Exim's current working directory. JH/36 Bug 2554: Fix msg:defer event for the hosts_max_try_hardlimit case. Previously no event was raised. JH/37 Bug 2552: Fix the check on spool space during reception to use the SIZE parameter supplied by the sender MAIL FROM command. Previously it was ignored, and only the check_spool_space option value for the required leeway checked. JH/38 Fix $dkim_key_length. This should, after a DKIM verification, present the size of the signing public-key. Previously it was instead giving the size of the signature hash. JH/39 DKIM verification: the RFC 8301 restriction on sizes of RSA keys is now the default. See the (new) dkim_verify_min_keysizes option. JH/40 Fix a memory-handling bug: when a connection carried multiple messages and an ACL use a lookup for checking either the local_part or domain, stale data could be accessed. Ensure that variable references are dropped between messages. JH/41 Bug 2571: Fix SPA authenticator. Running as a server, an offset supplied by the client was not checked as pointing within response data before being used. A malicious client could thus cause an out-of-bounds read and possibly gain authentication. Fix by adding the check. JH/42 Internationalisation: change the default for downconversion in the smtp transport to be "if needed". Previously it was "as previously set" for the message, which usually meant "if needed" for message-submission but "no" for everything else. However, MTAs have been seen using SMTPUTF8 even when the envelope addresses did not need it, resulting in forwarding failures to non-supporting MTAs. A downconvert in such cases will be a no-op on the addresses, merely dropping the use of SMTPUTF8 by the transport. The change does mean that addresses needing conversion will be converted when previously a delivery failure would occur. JH/43 Fix possible long line in DSN. Previously when a very long SMTP error response was received it would be used unchecked in a fail-DSN, violating standards on line-length limits. Truncate if needed. HS/01 Remove parameters of the link to www.open-spf.org. The linked form doesn't work. (Additionally add a new main config option to configure the spf_smtp_comment) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.178 2020/04/25 12:48:57 gavan Exp $ d4 1 @ 1.178 log @Patch exicyclog to work when commands have spaces in them By default, pkgsrc uses 'mv -f' as MV_COMMAND. exicyclog is not resilient to this, and breaks as a result. This patch quotes the command names that are substituted into this script. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.177 2020/04/14 19:34:39 wiz Exp $ d3 1 a3 2 DISTNAME= exim-4.93.0.4 PKGREVISION= 1 @ 1.177 log @exim: update to 4.93.0.4. Based on patch provided by Mike Pumford on pkgsrc-users. Exim version 4.93+fixes ----------------------- This is not an official release. It is just a branch, collecting proposed bugfixes. Depending on your environment the fixes may be necessary to build and/or run Exim successfully. JH/05 Regard command-line receipients as tainted. JH/07 Bug 2489: Fix crash in the "pam" expansion condition. It seems that the PAM library frees one of the arguments given to it, despite the documentation. Therefore a plain malloc must be used. JH/08 Bug 2491: Use tainted buffers for the transport smtp context. Previously on-stack buffers were used, resulting in a taint trap when DSN information copied from a received message was written into the buffer. JH/09 Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix the ordering of its ARC headers. This caused a crash. JH/10 Bug 2492: Use tainted memory for retry record when needed. Previously when a new record was being constructed with information from the peer, a trap was taken. JH/11 Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive installation would get error messages from DMARC verify, when it hit the nonexistent file indicated by the default. Distros wanting DMARC enabled should both provide the file and set the option. Also enforce no DMARC verification for command-line sourced messages. JH/12 Fix an uninitialised flag in early-pipelining. Previously connections could, depending on the platform, hang at the STARTTLS response. JH/13 Bug 2498: Reset a counter used for ARC verify before handling another message on a connection. Previously if one message had ARC headers and the following one did not, a crash could result when adding an Authentication-Results: header. JH/14 Bug 2500: Rewind some of the common-coding in string handling between the Exim main code and Exim-related utities. The introduction of taint tracking also did many adjustments to string handling. Since then, eximon frequently terminated with an assert failure. JH/16 Fix the variables set by the gsasl authenticator. Previously a pointer to library live data was being used, so the results became garbage. Make copies while it is still usable. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.176 2020/04/12 08:28:56 adam Exp $ d4 1 @ 1.176 log @Recursive revision bump after textproc/icu update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.175 2020/03/26 13:30:10 nia Exp $ d3 1 a3 2 DISTNAME= exim-4.93 PKGREVISION= 2 d7 2 @ 1.175 log @exim: Needs -std=c99 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.174 2020/01/26 17:31:33 rillig Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.174 log @all: migrate homepages from http to https pkglint -r --network --only "migrate" As a side-effect of migrating the homepages, pkglint also fixed a few indentations in unrelated lines. These and the new homepages have been checked manually. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.173 2020/01/18 21:49:49 jperkin Exp $ d18 2 @ 1.173 log @*: Recursive revision bump for openssl 1.1.1. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.172 2019/12/09 18:46:00 adam Exp $ d11 1 a11 1 HOMEPAGE= http://www.exim.org/ @ 1.172 log @exim: updated to 4.93 Exim version 4.93 ----------------- JH/01 OpenSSL: With debug enabled output keying information sufficient, server side, to decode a TLS 1.3 packet capture. JH/02 OpenSSL: Suppress the sending of (stateful) TLS1.3 session tickets. Previously the default library behaviour applied, sending two, each in its own TCP segment. JH/03 Debug output for ACL now gives the config file name and line number for each verb. JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause. JH/05 DKIM: ensure that dkim_domain elements are lowercased before use. JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible buffer overrun for (non-chunking) other transports. JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under TLS1.3, means that a server rejecting a client certificate is not visible to the client until the first read of encrypted data (typically the response to EHLO). Add detection for that case and treat it as a failed TLS connection attempt, so that the normal retry-in-clear can work (if suitably configured). JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part and/or domain. Found and fixed by Jason Betts. JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid configuration). If a CNAME target was not a wellformed name pattern, a crash could result. JH/09 Logging: Fix initial listening-on line for multiple ports for an IP when the OS reports them interleaved with other addresses. JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was used both for input and for a verify callout, both encrypted, SMTP responses being sent by the server could be lost. This resulted in dropped connections and sometimes bounces generated by a peer sending to this system. JH/11 Harden plaintext authenticator against a badly misconfigured client-send string. Previously it was possible to cause undefined behaviour in a library routine (usually a crash). Found by "zerons". JH/12 Bug 2384: fix "-bP smtp_receive_timeout". Previously it returned no output. JH/13 Bug 2386: Fix builds with Dane under LibreSSL 2.9.0 onward. Some old API was removed, so update to use the newer ones. JH/14 Bug 1891: Close the log file if receiving a non-smtp message, without any timeout set, is taking a long time. Previously we would hang on to a rotated logfile "forever" if the input was arriving with long gaps (a previous attempt to fix addressed lack, for a long time, of initial input). HS/01 Bug 2390: Use message_id for tempfile creation to avoid races in a shared (NFS) environment. The length of the tempfile name is now 4 + 16 ("hdr.$message_exim_id") which might break on file systems which restrict the file name length to lower values. (It was "hdr.$pid".) HS/02 Bug 2390: Use message_id for tempfile creation to avoid races in a shared (NFS) environment. HS/03 Bug 2392: exigrep does case sensitive *option* processing (as it did for all versions <4.90). Notably -M, -m, --invert, -I may be affected. JH/15 Use unsigned when creating bitmasks in macros, to avoid build errors on some platforms for bit 31. JH/16 GnuTLS: rework ciphersuite strings under recent library versions. Thanks to changes apparently associated with TLS1.3 handling some of the APIs previously used were either nonfunctional or inappropriate. Strings like TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256 and TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_CBC__SHA256:128 replace the previous TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 . This affects log line X= elements, the $tls_{in,out}_cipher variables, and the use of specific cipher names in the encrypted= ACL condition. JH/17 OpenSSL: the default openssl_options now disables ssl_v3. JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the verification result was not updated unless hosts_require_ocsp applied. JH/19 Bug 2398: fix listing of a named-queue. Previously, even with the option queue_list_requires_admin set to false, non-admin users were denied the facility. JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in directory-of-certs mode. Previously they were advertised despite the documentation. JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default. A single TCP connection by a client will now hold a TLS connection open for multiple message deliveries, by default. Previoud the default was to not do so. JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by default. If built with the facility, DANE will be used. The facility SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME". JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define is replaced with DISABLE_TLS. Either USE_GNUTLS or (the new) USE_OPENSSL must be defined and you must still, unless you define DISABLE_TLS, manage the the include-dir and library-file requirements that go with that choice. Non-TLS builds are still supported. JH/24 Fix duplicated logging of peer name/address, on a transport connection- reject under TFO. JH/25 The smtp transport option "hosts_try_fastopen" now enables all hosts by default. If the platform supports and has the facility enabled, it will be requested on all coneections. JH/26 The PIPE_CONNECT facility is promoted from experimental status and is now controlled by the build-time option SUPPORT_PIPE_CONNECT. PP/01 Unbreak heimdal_gssapi, broken in 4.92. JH/27 Bug 2404: Use the main-section configuration option "dsn_from" for success-DSN messages. Previously the From: header was always the default one for these; the option was ignored. JH/28 Fix the timeout on smtp response to apply to the whole response. Previously it was reset for every read, so a teergrubing peer sending single bytes within the time limit could extend the connection for a long time. Credit to Qualsys Security Advisory Team for the discovery. JH/29 Fix DSN Final-Recipient: field. Previously it was the post-routing delivery address, which leaked information of the results of local forwarding. Change to the original envelope recipient address, per standards. JH/30 Bug 2411: Fix DSN generation when RFC 3461 failure notification is requested. Previously not bounce was generated and a log entry of error ignored was made. JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917) JH/32 Introduce a general tainting mechanism for values read from the input channel, and values derived from them. Refuse to expand any tainted values, to catch one form of exploit. JH/33 Bug 2413: Fix dkim_strict option. Previously the expansion result was unused and the unexpanded text used for the test. Found and fixed by Ruben Jenster. JH/34 Fix crash after TLS shutdown. When the TCP/SMTP channel was left open, an attempt to use a TLS library read routine dereffed a nul pointer, causing a segfault. JH/35 Bug 2409: filter out-of-spec chars from callout response before using them in our smtp response. JH/36 Have the general router option retry_use_local_part default to true when any of the restrictive preconditions are set (to anything). Previously it was only for check_local user. The change removes one item of manual configuration which is required for proper retries when a remote router handles a subset of addresses for a domain. JH/37 Appendfile: when evaluating quota use (non-quota_size_regex) take the file link count into consideration. HS/04 Fix handling of very log lines in -H files. If a - line caused the extension of big_buffer, the following lines were ignored. JH/38 Bug 1395: Teach the DNS negative-cache about TTL value from the SOA in accordance with RFC 2308. Previously there was no expiry, so a longlived receive process (eg. due to ACL delays) versus a short SOA value could surprise. HS/05 Handle trailing backslash gracefully. (CVE-2019-15846) JH/39 Promote DMARC support to mainline. JH/40 Bug 2452: Add a References: header to DSNs. JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman parameters. The relevant library call is documented as "Deprecated: This function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since 3.6.0, DH parameters are negotiated following RFC7919." HS/06 Change the default of dnssec_request_domains to "*" JH/42 Bug 2545: Fix CHUNKING for all RCPT commands rejected. Previously we carried on and emitted a BDAT command, even when PIPELINING was not active. JH/43 Bug 2465: Fix taint-handling in dsearch lookup. Previously a nontainted buffer was used for the filename, resulting in a trap when tainted arguments (eg. $domain) were used. JH/44 With OpenSSL 1.1.1 (onwards) disable renegotiation for TLS1.2 and below; recommended to avoid a possible server-load attack. The feature can be re-enabled via the openssl_options main cofiguration option. JH/45 local_scan API: documented the current smtp_printf() call. This changed for version 4.90 - adding a "more data" boolean to the arguments. Bumped the ABI version number also, this having been missed previously; release versions 4.90 to 4.92.3 inclusive were effectively broken in respect of usage of smtp_printf() by either local_scan code or libraries accessed via the ${dlfunc } expansion item. Both will need coding adjustment for any calls to smtp_printf() to match the new function signature; a FALSE value for the new argument is always safe. JH/46 FreeBSD: fix use of the sendfile() syscall. The shim was not updating the file-offset (which the Linux syscall does, and exim expects); this resulted in an indefinite loop. JH/47 ARC: fix crash in signing, triggered when a configuration error failed to do ARC verification. The Authentication-Results: header line added by the configuration then had no ARC item. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.171 2019/09/30 19:25:58 wiedi Exp $ d4 1 @ 1.171 log @exim: update to 4.92.3 Fix for CVE-2019-16928 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.170 2019/09/06 12:57:33 wiedi Exp $ d3 1 a3 1 DISTNAME= exim-4.92.3 @ 1.170 log @exim: update to 4.92.2 Exim version 4.92.2 ------------------- HS/01 Handle trailing backslash gracefully. (CVE-2019-15846) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.169 2019/08/11 13:21:27 wiz Exp $ d3 1 a3 1 DISTNAME= exim-4.92.2 @ 1.169 log @Bump PKGREVISIONs for perl 5.30.0 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.168 2019/07/28 21:17:28 abs Exp $ d3 1 a3 2 DISTNAME= exim-4.92.1 PKGREVISION= 1 @ 1.168 log @Updated mail/exim to 4.92.1 Exim version 4.92.1 ------------------- JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917, OVE-20190718-0006) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.167 2019/06/07 12:20:32 tm Exp $ d4 1 @ 1.167 log @exim: change local makefile options name for SPF The local makefile option need to be adjusted because SPF is no longer an experimental feature in exim. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.166 2019/04/03 00:32:52 ryoon Exp $ d3 1 a3 2 DISTNAME= exim-4.92 PKGREVISION= 2 @ 1.167.2.1 log @Pullup ticket #6016 - requested by abs mail/exim: security fix Revisions pulled up: - mail/exim/Makefile 1.168 - mail/exim/distinfo 1.71 --- Module Name: pkgsrc Committed By: abs Date: Sun Jul 28 21:17:28 UTC 2019 Modified Files: pkgsrc/mail/exim: Makefile distinfo Log Message: Updated mail/exim to 4.92.1 Exim version 4.92.1 ------------------- JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917, OVE-20190718-0006) @ text @d1 1 a1 1 # $NetBSD$ d3 2 a4 1 DISTNAME= exim-4.92.1 @ 1.167.2.2 log @Pullup ticket #6049 - requested by wiedi mail/exim: security fix (remote root) Revisions pulled up: - mail/exim/Makefile 1.170 - mail/exim/distinfo 1.72 --- Module Name: pkgsrc Committed By: wiedi Date: Fri Sep 6 12:57:33 UTC 2019 Modified Files: pkgsrc/mail/exim: Makefile distinfo Log Message: exim: update to 4.92.2 Exim version 4.92.2 ------------------- HS/01 Handle trailing backslash gracefully. (CVE-2019-15846) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.167.2.1 2019/08/09 13:25:41 bsiegert Exp $ d3 1 a3 1 DISTNAME= exim-4.92.2 @ 1.166 log @Recursive revbump from textproc/icu @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.165 2019/02/24 20:31:00 adam Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.165 log @exim: updated to 4.92 4.92: New features include: - ${l_header:} expansion - ${readsocket} now supports TLS - "utf8_downconvert" option (if built with SUPPORT_I18N) - "pipelining" log_selector - JSON variants for ${extract } expansion - "noutf8" debug option - TCP Fast Open support on MacOS @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.164 2018/12/09 18:52:35 adam Exp $ d4 1 @ 1.164 log @revbump after updating textproc/icu @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.163 2018/08/22 09:45:25 wiz Exp $ d3 1 a3 2 DISTNAME= exim-4.91 PKGREVISION= 3 d106 1 a106 1 sed -e 's:@@PREFIX@@:${PREFIX}:' \ @ 1.163 log @Recursive bump for perl5-5.28.0 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.162 2018/07/20 03:34:19 ryoon Exp $ d4 1 a4 1 PKGREVISION= 2 @ 1.162 log @Recursive revbump from textproc/icu-62.1 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.161 2018/07/04 13:40:23 jperkin Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.161 log @*: Move SUBST_STAGE from post-patch to pre-configure Performing substitutions during post-patch breaks tools such as mkpatches, making it very difficult to regenerate correct patches after making changes, and often leading to substituted string replacements being committed. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.160 2018/04/23 07:28:18 adam Exp $ d4 1 @ 1.160 log @exim: updated to 4.91 Version 4.91 1. Dual-certificate stacks on servers now support OCSP stapling, under GnuTLS version 3.5.6 or later. 2. DANE is now supported under GnuTLS version 3.0.0 or later. Both GnuTLS and OpenSSL versions are moved to mainline support from Experimental. New SMTP transport option "dane_require_tls_ciphers". 3. Feature macros for the compiled-in set of malware scanner interfaces. 4. SPF support is promoted from Experimental to mainline status. The template src/EDITME makefile does not enable its inclusion. 5. Logging control for DKIM verification. The existing DKIM log line is controlled by a "dkim_verbose" selector which is _not_ enabled by default. A new tag "DKIM=" is added to <= lines by default, controlled by a "dkim" log_selector. 6. Receive duration on <= lines, under a new log_selector "receive_time". 7. Options "ipv4_only" and "ipv4_prefer" on the dnslookup router and on routing rules in the manualroute router. 8. Expansion item ${sha3:} / ${sha3_:} now also supported under OpenSSL version 1.1.1 or later. 9. DKIM operations can now use the Ed25519 algorithm in addition to RSA, under GnuTLS 3.6.0 or OpenSSL 1.1.1 or later. 10. Builtin feature-macros _CRYPTO_HASH_SHA3 and _CRYPTO_SIGN_ED25519, library version dependent. 11. "exim -bP macro " returns caller-usable status. 12. Expansion item ${authresults {}} for creating an Authentication-Results: header. 13. EXPERIMENTAL_ARC. See the experimental.spec file. See also new util/renew-opendmarc-tlds.sh script for use with DMARC/ARC. 14: A dane:fail event, intended to facilitate reporting. 15. "Lightweight" support for Redis Cluster. Requires redis_servers list to contain all the servers in the cluster, all of which must be reachable from the running exim instance. If the cluster has master/slave replication, the list must contain all the master and slave servers. 16. Add an option to the Avast scanner interface: "pass_unscanned". This allows to treat unscanned files as clean. Files may be unscanned for several reasons: decompression bombs, broken archives. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.159 2018/04/14 07:34:30 adam Exp $ d65 1 a65 1 SUBST_STAGE.cflags= post-patch @ 1.159 log @revbump after icu update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.158 2018/03/07 08:24:47 adam Exp $ d3 1 a3 2 DISTNAME= exim-4.90.1 PKGREVISION= 1 @ 1.158 log @exim: updated to 4.90.1 Exim version 4.90.1 JH/03 Fix pgsql lookup for multiple result-tuples with a single column. Previously only the last row was returned. JH/04 Bug 2217: Tighten up the parsing of DKIM signature headers. Previously we assumed that tags in the header were well-formed, and parsed the element content after inspecting only the first char of the tag. Assumptions at that stage could crash the receive process on malformed input. JH/05 Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL. While running the DKIM ACL we operate on the Permanent memory pool so that variables created with "set" persist to the DATA ACL. Also (at any time) DNS lookups that fail create cache records using the Permanent pool. But expansions release any allocations made on the current pool - so a dnsdb lookup expansion done in the DKIM ACL releases the memory used for the DNS negative-cache, and bad things result. Solution is to switch to the Main pool for expansions. While we're in that code, add checks on the DNS cache during store_reset, active in the testsuite. Problem spotted, and debugging aided, by Wolfgang Breyha. JH/06 Fix issue with continued-connections when the DNS shifts unreliably. When none of the hosts presented to a transport match an already-open connection, close it and proceed with the list. Previously we would queue the message. Spotted by Lena with Yahoo, probably involving round-robin DNS. JH/07 Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL. Previously a spurious "250 OK id=" response was appended to the proper failure response. JH/10 Bug 2223: Fix mysql lookup returns for the no-data case (when the number of rows affected is given instead). JH/12 Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating SMTP connection. Previously, when one had more receipients than the first, an abortive onward connection was made. Move to full support for multiple onward connections in sequence, handling cutthrough connection for all multi-message initiating connections. JH/13 Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by routers. Previously, a multi-recipient message would fail to match the onward-connection opened for the first recipient, and cause its closure. JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as a timeout on read on a GnuTLS initiating connection, resulting in the initiating connection being dropped. This mattered most when the callout was marked defer_ok. Fix to keep the two timeout-detection methods separate. HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789) JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc metadata, resulting in a crash in free(). PP/01 Fix broken Heimdal GSSAPI authenticator integration. Broken in f2ed27cf5, missing an equals sign for specified-initialisers. Broken also in d185889f4, with init system revamp. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.157 2018/01/28 20:10:54 wiz Exp $ d4 1 @ 1.157 log @Bump PKGREVISION for gdbm shlib major bump @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.156 2017/11/30 16:45:30 adam Exp $ d3 1 a3 2 DISTNAME= exim-4.89 PKGREVISION= 4 d6 2 a7 2 MASTER_SITES+= http://dl.ambiweb.de/mirrors/ftp.exim.org/exim/exim4/ EXTRACT_SUFX= .tar.bz2 d76 1 a79 2 cp ${FILESDIR}/Makefile-DragonFly ${FILESDIR}/os.h-DragonFly \ ${WRKSRC}/OS/ @ 1.156 log @Revbump after textproc/icu update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.155 2017/09/18 09:53:26 maya Exp $ d4 1 a4 1 PKGREVISION= 3 @ 1.156.2.1 log @Pullup ticket #5719 - requested by maya mail/exim-html: security update Revisions pulled up: - mail/exim-html/Makefile 1.36 - mail/exim-html/PLIST 1.17 - mail/exim-html/distinfo 1.29 - mail/exim/Makefile 1.158 - mail/exim/distinfo 1.68 - mail/exim/files/Makefile-DragonFly deleted - mail/exim/files/os.h-DragonFly deleted ------------------------------------------------------------------- Module Name: pkgsrc Committed By: adam Date: Wed Mar 7 08:24:47 UTC 2018 Modified Files: pkgsrc/mail/exim: Makefile distinfo pkgsrc/mail/exim-html: Makefile PLIST distinfo Removed Files: pkgsrc/mail/exim/files: Makefile-DragonFly os.h-DragonFly Log Message: exim: updated to 4.90.1 Exim version 4.90.1 JH/03 Fix pgsql lookup for multiple result-tuples with a single column. Previously only the last row was returned. JH/04 Bug 2217: Tighten up the parsing of DKIM signature headers. Previously we assumed that tags in the header were well-formed, and parsed the element content after inspecting only the first char of the tag. Assumptions at that stage could crash the receive process on malformed input. JH/05 Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL. While running the DKIM ACL we operate on the Permanent memory pool so that variables created with "set" persist to the DATA ACL. Also (at any time) DNS lookups that fail create cache records using the Permanent pool. But expansions release any allocations made on the current pool - so a dnsdb lookup expansion done in the DKIM ACL releases the memory used for the DNS negative-cache, and bad things result. Solution is to switch to the Main pool for expansions. While we're in that code, add checks on the DNS cache during store_reset, active in the testsuite. Problem spotted, and debugging aided, by Wolfgang Breyha. JH/06 Fix issue with continued-connections when the DNS shifts unreliably. When none of the hosts presented to a transport match an already-open connection, close it and proceed with the list. Previously we would queue the message. Spotted by Lena with Yahoo, probably involving round-robin DNS. JH/07 Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL. Previously a spurious "250 OK id=" response was appended to the proper failure response. JH/10 Bug 2223: Fix mysql lookup returns for the no-data case (when the number of rows affected is given instead). JH/12 Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating SMTP connection. Previously, when one had more receipients than the first, an abortive onward connection was made. Move to full support for multiple onward connections in sequence, handling cutthrough connection for all multi-message initiating connections. JH/13 Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by routers. Previously, a multi-recipient message would fail to match the onward-connection opened for the first recipient, and cause its closure. JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as a timeout on read on a GnuTLS initiating connection, resulting in the initiating connection being dropped. This mattered most when the callout was marked defer_ok. Fix to keep the two timeout-detection methods separate. HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789) JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc metadata, resulting in a crash in free(). PP/01 Fix broken Heimdal GSSAPI authenticator integration. Broken in f2ed27cf5, missing an equals sign for specified-initialisers. Broken also in d185889f4, with init system revamp. To generate a diff of this commit: cvs rdiff -u -r1.157 -r1.158 pkgsrc/mail/exim/Makefile cvs rdiff -u -r1.67 -r1.68 pkgsrc/mail/exim/distinfo cvs rdiff -u -r1.35 -r1.36 pkgsrc/mail/exim-html/Makefile cvs rdiff -u -r1.16 -r1.17 pkgsrc/mail/exim-html/PLIST cvs rdiff -u -r1.28 -r1.29 pkgsrc/mail/exim-html/distinfo cvs rdiff -u -r1.1 -r0 pkgsrc/mail/exim/files/Makefile-DragonFly \ pkgsrc/mail/exim/files/os.h-DragonFly @ text @d1 1 a1 1 # $NetBSD$ d3 2 a4 1 DISTNAME= exim-4.90.1 d7 2 a8 2 MASTER_SITES+= https://ftp.exim.org/pub/exim/exim4/ EXTRACT_SUFX= .tar.xz a76 1 mv ${WRKSRC}/OS/unsupported/*-* ${WRKSRC}/OS/ d80 2 @ 1.155 log @revbump for requiring ICU 59.x @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.154 2017/04/22 21:03:42 adam Exp $ d4 1 a4 1 PKGREVISION= 2 @ 1.154 log @Revbump after icu update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.153 2017/03/18 07:08:23 adam Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.153 log @Version 4.89 ------------ 1. Allow relative config file names for ".include" 2. A main-section config option "debug_store" to control the checks on variable locations during store-reset. Normally false but can be enabled when a memory corrution issue is suspected on a production system. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.152 2017/01/19 18:52:15 agc Exp $ d4 1 @ 1.152 log @Convert all occurrences (353 by my count) of MASTER_SITES= site1 \ site2 style continuation lines to be simple repeated MASTER_SITES+= site1 MASTER_SITES+= site2 lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint accordingly. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.151 2016/12/25 11:29:54 wiedi Exp $ d3 1 a3 1 DISTNAME= exim-4.88 d117 1 a117 1 INSTALLATION_DIRS+= ${PKGMANDIR}/man8 sbin share/examples/exim share/doc/exim @ 1.151 log @Update exim to 4.88 Security update to address CVE-2016-9963 Exim version 4.88 ----------------- JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination supports it and a size is available (ie. the sending peer gave us one). JH/02 The obsolete acl condition "demime" is removed (finally, after ten years of being deprecated). The replacements are the ACLs acl_smtp_mime and acl_not_smtp_mime. JH/03 Upgrade security requirements imposed for hosts_try_dane: previously a downgraded non-dane trust-anchor for the TLS connection (CA-style) or even an in-clear connection were permitted. Now, if the host lookup was dnssec and dane was requested then the host is only used if the TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority MXs) will be tried (for hosts_try_dane though not for hosts_require_dane) if one fails this test. This means that a poorly-configured remote DNS will make it incommunicado; but it protects against a DNS-interception attack on it. JH/04 Bug 1810: make continued-use of an open smtp transport connection non-noisy when a race steals the message being considered. JH/05 If main configuration option tls_certificate is unset, generate a self-signed certificate for inbound TLS connections. JH/06 Bug 165: hide more cases of password exposure - this time in expansions in rewrites and routers. JH/07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80 and logged a warning sing 4.83; now they are a configuration file error. JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name (lacking @@domain). Apply the same qualification processing as RCPT. JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode. JH/10 Support ${sha256:} applied to a string (as well as the previous certificate). JH/11 Cutthrough: avoid using the callout hints db on a verify callout when a cutthrough deliver is pending, as we always want to make a connection. This also avoids re-routing the message when later placing the cutthrough connection after a verify cache hit. Do not update it with the verify result either. JH/12 Cutthrough: disable when verify option success_on_redirect is used, and when routing results in more than one destination address. JH/13 Cutthrough: expand transport dkim_domain option when testing for dkim signing (which inhibits the cutthrough capability). Previously only the presence of an option was tested; now an expansion evaluating as empty is permissible (obviously it should depend only on data available when the cutthrough connection is made). JH/14 Fix logging of errors under PIPELINING. Previously the log line giving the relevant preceding SMTP command did not note the pipelining mode. JH/15 Fix counting of empty lines in $body_linecount and $message_linecount. Previously they were not counted. JH/16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same as one having no matching records. Previously we deferred the message that needed the lookup. JH/17 Fakereject: previously logged as a norml message arrival "<="; now distinguished as "(=". JH/18 Bug 1867: make the fail_defer_domains option on a dnslookup router work for missing MX records. Previously it only worked for missing A records. JH/19 Bug 1850: support Radius libraries that return REJECT_RC. JH/20 Bug 1872: Ensure that acl_smtp_notquit is run when the connection drops after the data-go-ahead and data-ack. Patch from Jason Betts. JH/21 Bug 1846: Send DMARC forensic reports for reject and quaratine results, even for a "none" policy. Patch from Tony Meyer. JH/22 Fix continued use of a connection for further deliveries. If a port was specified by a router, it must also match for the delivery to be compatible. JH/23 Bug 1874: fix continued use of a connection for further deliveries. When one of the recipients of a message was unsuitable for the connection (has no matching addresses), we lost track of needing to mark it deferred. As a result mail would be lost. JH/24 Bug 1832: Log EHLO response on getting conn-close response for HELO. JH/25 Decoding ACL controls is now done using a binary search; the source code takes up less space and should be simpler to maintain. Merge the ACL condition decode tables also, with similar effect. JH/26 Fix problem with one_time used on a redirect router which returned the parent address unchanged. A retry would see the parent address marked as delivered, so not attempt the (identical) child. As a result mail would be lost. JH/27 Fix a possible security hole, wherein a process operating with the Exim UID can gain a root shell. Credit to http://www.halfdog.net/ for discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim itself :( JH/28 Enable {spool,log} filesystem space and inode checks as default. Main config options check_{log,spool}_{inodes,space} are now 100 inodes, 10MB unless set otherwise in the configuration. JH/29 Fix the connection_reject log selector to apply to the connect ACL. Previously it only applied to the main-section connection policy options. JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext. PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created by me. Added RFC7919 DH primes as an alternative. PP/02 Unbreak build via pkg-config with new hash support when crypto headers are not in the system include path. JH/31 Fix longstanding bug with aborted TLS server connection handling. Under GnuTLS, when a session startup failed (eg because the client disconnected) Exim did stdio operations after fclose. This was exposed by a recent change which nulled out the file handle after the fclose. JH/32 Bug 1909: Fix OCSP proof verification for cases where the proof is signed directly by the cert-signing cert, rather than an intermediate OCSP-signing cert. This is the model used by LetsEncrypt. JH/33 Bug 1914: Ensure socket is nonblocking before draining after SMTP QUIT. HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on an incoming connection. HS/02 Bug 1802: Do not half-close the connection after sending a request to rspamd. HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2 fallback to "prime256v1". JH/34 SECURITY: Use proper copy of DATA command in error message. Could leak key material. Remotely explaoitable. CVE-2016-9963. ok wiz@@ @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.150 2016/12/04 05:17:32 ryoon Exp $ d5 2 a6 2 MASTER_SITES= ftp://ftp.exim.org/pub/exim/exim4/ \ http://dl.ambiweb.de/mirrors/ftp.exim.org/exim/exim4/ @ 1.150 log @Recursive revbump from textproc/icu 58.1 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.149 2016/10/09 21:42:00 wiz Exp $ d3 1 a3 2 DISTNAME= exim-4.87 PKGREVISION= 5 @ 1.149 log @Recursive bump for all users of pgsql now that the default is 95. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.148 2016/07/09 06:38:29 wiz Exp $ d4 1 a4 1 PKGREVISION= 4 @ 1.148 log @Bump PKGREVISION for perl-5.24.0 for everything mentioning perl. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.147 2016/06/11 00:37:24 wiedi Exp $ d4 1 a4 1 PKGREVISION= 3 @ 1.147 log @since 4.87 redis lookup is no longer experimental @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.146 2016/04/11 19:01:56 ryoon Exp $ d4 1 a4 1 PKGREVISION= 2 @ 1.146 log @Recursive revbump from textproc/icu 57.1 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.145 2016/04/09 10:49:39 adam Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.145 log @Version 4.87 1. The ACL conditions regex and mime_regex now capture substrings into numeric variables $regex1 to 9, like the "match" expansion condition. 2. New $callout_address variable records the address used for a spam=, malware= or verify= callout. 3. Transports now take a "max_parallel" option, to limit concurrency. 4. Expansion operators ${ipv6norm:} and ${ipv6denorm:}. The latter expands to a 8-element colon-sep set of hex digits including leading zeroes. A trailing ipv4-style dotted-decimal set is converted to hex. Pure ipv4 addresses are converted to IPv4-mapped IPv6. The former operator strips leading zeroes and collapses the longest set of 0-groups to a double-colon. 5. New "-bP config" support, to dump the effective configuration. 6. New $dkim_key_length variable. 7. New base64d and base64 expansion items (the existing str2b64 being a synonym of the latter). Add support in base64 for certificates. 8. New main configuration option "bounce_return_linesize_limit" to avoid oversize bodies in bounces. The dafault value matches RFC limits. 9. New $initial_cwd expansion variable. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.144 2016/03/05 11:28:48 jperkin Exp $ d4 1 @ 1.144 log @Bump PKGREVISION for security/openssl ABI bump. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.143 2016/03/02 20:13:18 wiedi Exp $ d3 1 a3 2 DISTNAME= exim-4.86.2 PKGREVISION= 1 @ 1.143 log @Update mail/exim and mail/exim-html to 4.86.2 Exim version 4.86.2 ------------------- Portability relase of 4.86.1 Exim version 4.86.1 ------------------- HS/04 Add support for keep_environment and add_environment options. This fixes CVE-2016-1531. All installations having Exim set-uid root and using 'perl_startup' are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (and this is normally *any* user) can gain root privileges. If you do not use 'perl_startup' you *should* be safe. New options ----------- We had to introduce two new configuration options: keep_environment = add_environment = Both options are empty per default. That is, Exim cleans the complete environment on startup. This affects Exim itself and any subprocesses, as transports, that may call other programs via some alias mechanisms, as routers (queryprogram), lookups, and so on. This may affect used libraries (e.g. LDAP). ** THIS MAY BREAK your existing installation ** If both options are not used in the configuration, Exim issues a warning on startup. This warning disappears if at least one of these options is used (even if set to an empty value). keep_environment should contain a list of trusted environment variables. (Do you trust PATH?). This may be a list of names and REs. keep_environment = ^LDAP_ : FOO_PATH To add (or override) variables, you can use add_environment: add_environment = <; PATH=/sbin:/usr/sbin New behaviour ------------- Now Exim changes it's working directory to / right after startup, even before reading it's configuration. (Later Exim changes it's working directory to $spool_directory, as usual.) Exim only accepts an absolute configuration file path now, when using the -C option. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.142 2016/01/10 20:55:56 bsiegert Exp $ d4 1 @ 1.142 log @Update exim to 4.86. Exim version 4.86 ----------------- JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now expanded. JH/02 The smtp transport option "multi_domain" is now expanded. JH/03 The smtp transport now requests PRDR by default, if the server offers it. JH/04 Certificate name checking on server certificates, when exim is a client, is now done by default. The transport option tls_verify_cert_hostnames can be used to disable this per-host. The build option EXPERIMENTAL_CERTNAMES is withdrawn. JH/05 The value of the tls_verify_certificates smtp transport and main options default to the word "system" to access the system default CA bundle. For GnuTLS, only version 3.0.20 or later. JH/06 Verification of the server certificate for a TLS connection is now tried (but not required) by default. The verification status is now logged by default, for both outbound TLS and client-certificate supplying inbound TLS connections JH/07 Changed the default rfc1413 lookup settings to disable calls. Few sites use this now. JH/08 The EXPERIMENTAL_DSN compile option is no longer needed; all Delivery Status Notification (bounce) messages are now MIME format per RFC 3464. Support for RFC 3461 DSN options NOTIFY,ENVID,RET,ORCPT can be advertised under the control of the dsn_advertise_hosts option, and routers may have a dsn_lasthop option. JH/09 A timeout of 2 minutes is now applied to all malware scanner types by default, modifiable by a malware= option. The list separator for the options can now be changed in the usual way. Bug 68. JH/10 The smtp_receive_timeout main option is now expanded before use. JH/11 The incoming_interface log option now also enables logging of the local interface on delivery outgoing connections. JH/12 The cutthrough-routing facility now supports multi-recipient mails, if the interface and destination host and port all match. JH/13 Bug 344: The verify = reverse_host_lookup ACL condition now accepts a /defer_ok option. JH/14 Bug 1573: The spam= ACL condition now additionally supports Rspamd. Patch from Andrew Lewis. JH/15 Bug 670: The spamd_address main option (for the spam= ACL condition) now supports optional time-restrictions, weighting, and priority modifiers per server. Patch originally by . JH/16 The spamd_address main option now supports a mixed list of local and remote servers. Remote servers can be IPv6 addresses, and specify a port-range. JH/17 Bug 68: The spamd_address main option now supports an optional timeout value per server. JH/18 Bug 1581: Router and transport options headers_add/remove can now have the list separator specified. JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry option values. JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails under OpenSSL. JH/21 Support for the A6 type of dns record is withdrawn. JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters rather than the verbs used. JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size from 255 to 1024 chars. JH/24 Verification callouts now attempt to use TLS by default. HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) are generic router options now. The defaults didn't change. JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames. Original patch from Alexander Shikoff, worked over by JH. HS/02 Bug 1575: exigrep falls back to autodetection of compressed files if ZCAT_COMMAND is not executable. JH/26 Bug 1539: Add timout/retry options on dnsdb lookups. JH/27 Bug 286: Support SOA lookup in dnsdb lookups. JH/28 Bug 1588: Do not use the A lookup following an AAAA for setting the FQDN. Normally benign, it bites when the pair was led to by a CNAME; modern usage is to not canoicalize the domain to a CNAME target (and we were inconsistent anyway for A-only vs AAAA+A). JH/29 Bug 1632: Removed the word "rejected" from line logged for ACL discards. JH/30 Check the forward DNS lookup for DNSSEC, in addition to the reverse, when evaluating $sender_host_dnssec. JH/31 Check the HELO verification lookup for DNSSEC, adding new $sender_helo_dnssec variable. JH/32 Bug 1397: Enable ECDHE on OpenSSL, just the NIST P-256 curve. JH/33 Bug 1346: Note MAIL cmd seen in -bS batch, to avoid smtp_no_mail log. JH/34 Bug 1648: Fix a memory leak seen with "mailq" and large queues. JH/35 Bug 1642: Fix support of $spam_ variables at delivery time. Was documented as working, but never had. Support all but $spam_report. JH/36 Bug 1659: Guard checking of input smtp commands again pseudo-command added for tls authenticator. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.141 2015/10/10 01:58:12 ryoon Exp $ d3 1 a3 1 DISTNAME= exim-4.86 @ 1.141 log @Recursive revbump from textproc/icu @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.140 2015/06/12 10:50:18 wiz Exp $ d3 1 a3 2 DISTNAME= exim-4.85 PKGREVISION= 3 @ 1.141.2.1 log @Pullup ticket #4942 - requested by wiedi mail/exim: security fix Revisions pulled up: - mail/exim-html/Makefile 1.30-1.31 - mail/exim-html/PLIST 1.14 - mail/exim-html/distinfo 1.25-1.26 - mail/exim/Makefile 1.142-1.143 - mail/exim/distinfo 1.63-1.64 - mail/exim/patches/patch-aa 1.24 --- Module Name: pkgsrc Committed By: bsiegert Date: Sun Jan 10 20:55:57 UTC 2016 Modified Files: pkgsrc/mail/exim: Makefile distinfo pkgsrc/mail/exim/patches: patch-aa Log Message: Update exim to 4.86. Exim version 4.86 ----------------- JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now expanded. JH/02 The smtp transport option "multi_domain" is now expanded. JH/03 The smtp transport now requests PRDR by default, if the server offers it. JH/04 Certificate name checking on server certificates, when exim is a client, is now done by default. The transport option tls_verify_cert_hostnames can be used to disable this per-host. The build option EXPERIMENTAL_CERTNAMES is withdrawn. JH/05 The value of the tls_verify_certificates smtp transport and main options default to the word "system" to access the system default CA bundle. For GnuTLS, only version 3.0.20 or later. JH/06 Verification of the server certificate for a TLS connection is now tried (but not required) by default. The verification status is now logged by default, for both outbound TLS and client-certificate supplying inbound TLS connections JH/07 Changed the default rfc1413 lookup settings to disable calls. Few sites use this now. JH/08 The EXPERIMENTAL_DSN compile option is no longer needed; all Delivery Status Notification (bounce) messages are now MIME format per RFC 3464. Support for RFC 3461 DSN options NOTIFY,ENVID,RET,ORCPT can be advertised under the control of the dsn_advertise_hosts option, and routers may have a dsn_lasthop option. JH/09 A timeout of 2 minutes is now applied to all malware scanner types by default, modifiable by a malware= option. The list separator for the options can now be changed in the usual way. Bug 68. JH/10 The smtp_receive_timeout main option is now expanded before use. JH/11 The incoming_interface log option now also enables logging of the local interface on delivery outgoing connections. JH/12 The cutthrough-routing facility now supports multi-recipient mails, if the interface and destination host and port all match. JH/13 Bug 344: The verify = reverse_host_lookup ACL condition now accepts a /defer_ok option. JH/14 Bug 1573: The spam= ACL condition now additionally supports Rspamd. Patch from Andrew Lewis. JH/15 Bug 670: The spamd_address main option (for the spam= ACL condition) now supports optional time-restrictions, weighting, and priority modifiers per server. Patch originally by . JH/16 The spamd_address main option now supports a mixed list of local and remote servers. Remote servers can be IPv6 addresses, and specify a port-range. JH/17 Bug 68: The spamd_address main option now supports an optional timeout value per server. JH/18 Bug 1581: Router and transport options headers_add/remove can now have the list separator specified. JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry option values. JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails under OpenSSL. JH/21 Support for the A6 type of dns record is withdrawn. JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters rather than the verbs used. JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size from 255 to 1024 chars. JH/24 Verification callouts now attempt to use TLS by default. HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) are generic router options now. The defaults didn't change. JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames. Original patch from Alexander Shikoff, worked over by JH. HS/02 Bug 1575: exigrep falls back to autodetection of compressed files if ZCAT_COMMAND is not executable. JH/26 Bug 1539: Add timout/retry options on dnsdb lookups. JH/27 Bug 286: Support SOA lookup in dnsdb lookups. JH/28 Bug 1588: Do not use the A lookup following an AAAA for setting the FQDN. Normally benign, it bites when the pair was led to by a CNAME; modern usage is to not canoicalize the domain to a CNAME target (and we were inconsistent anyway for A-only vs AAAA+A). JH/29 Bug 1632: Removed the word "rejected" from line logged for ACL discards. JH/30 Check the forward DNS lookup for DNSSEC, in addition to the reverse, when evaluating $sender_host_dnssec. JH/31 Check the HELO verification lookup for DNSSEC, adding new $sender_helo_dnssec variable. JH/32 Bug 1397: Enable ECDHE on OpenSSL, just the NIST P-256 curve. JH/33 Bug 1346: Note MAIL cmd seen in -bS batch, to avoid smtp_no_mail log. JH/34 Bug 1648: Fix a memory leak seen with "mailq" and large queues. JH/35 Bug 1642: Fix support of $spam_ variables at delivery time. Was documented as working, but never had. Support all but $spam_report. JH/36 Bug 1659: Guard checking of input smtp commands again pseudo-command added for tls authenticator. --- Module Name: pkgsrc Committed By: adam Date: Mon Jan 11 08:35:32 UTC 2016 Modified Files: pkgsrc/mail/exim-html: Makefile PLIST distinfo Log Message: Match mail/exim version --- Module Name: pkgsrc Committed By: wiedi Date: Wed Mar 2 20:13:18 UTC 2016 Modified Files: pkgsrc/mail/exim: Makefile distinfo pkgsrc/mail/exim-html: Makefile distinfo Log Message: Update mail/exim and mail/exim-html to 4.86.2 Exim version 4.86.2 ------------------- Portability relase of 4.86.1 Exim version 4.86.1 ------------------- HS/04 Add support for keep_environment and add_environment options. This fixes CVE-2016-1531. All installations having Exim set-uid root and using 'perl_startup' are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (and this is normally *any* user) can gain root privileges. If you do not use 'perl_startup' you *should* be safe. New options ----------- We had to introduce two new configuration options: keep_environment = add_environment = Both options are empty per default. That is, Exim cleans the complete environment on startup. This affects Exim itself and any subprocesses, as transports, that may call other programs via some alias mechanisms, as routers (queryprogram), lookups, and so on. This may affect used libraries (e.g. LDAP). ** THIS MAY BREAK your existing installation ** If both options are not used in the configuration, Exim issues a warning on startup. This warning disappears if at least one of these options is used (even if set to an empty value). keep_environment should contain a list of trusted environment variables. (Do you trust PATH?). This may be a list of names and REs. keep_environment = ^LDAP_ : FOO_PATH To add (or override) variables, you can use add_environment: add_environment = <; PATH=/sbin:/usr/sbin New behaviour ------------- Now Exim changes it's working directory to / right after startup, even before reading it's configuration. (Later Exim changes it's working directory to $spool_directory, as usual.) Exim only accepts an absolute configuration file path now, when using the -C option. @ text @d1 1 a1 1 # $NetBSD$ d3 2 a4 1 DISTNAME= exim-4.86.2 @ 1.140 log @Recursive PKGREVISION bump for all packages mentioning 'perl', having a PKGNAME of p5-*, or depending such a package, for perl-5.22.0. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.139 2015/04/06 08:17:31 adam Exp $ d4 1 a4 1 PKGREVISION= 2 @ 1.139 log @Revbump after updating textproc/icu @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.138 2015/02/14 07:33:19 adam Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.138 log @Exim version 4.85 ----------------- TL/01 When running the test suite, the README says that variables such as no_msglog_check are global and can be placed anywhere in a specific test's script, however it was observed that placement needed to be near the beginning for it to behave that way. Changed the runtest perl script to read through the entire script once to detect and set these variables, reset to the beginning of the script, and then run through the script parsing/test process like normal. TL/02 The BSD's have an arc4random API. One of the functions to induce adding randomness was arc4random_stir(), but it has been removed in OpenBSD 5.5. Detect this OpenBSD version and skip calling this function when detected. JH/01 Expand the EXPERIMENTAL_TPDA feature. Several different events now cause callback expansion. TL/03 Bugzilla 1518: Clarify "condition" processing in routers; that syntax errors in an expansion can be treated as a string instead of logging or causing an error, due to the internal use of bool_lax instead of bool when processing it. JH/02 Add EXPERIMENTAL_DANE, allowing for using the DNS as trust-anchor for server certificates when making smtp deliveries. JH/03 Support secondary-separator specifier for MX, SRV, TLSA lookups. JH/04 Add ${sort {list}{condition}{extractor}} expansion item. TL/04 Bugzilla 1216: Add -M (related messages) option to exigrep. TL/05 GitHub Issue 18: Adjust logic testing for true/false in redis lookups. Merged patch from Sebastian Wiedenroth. JH/05 Fix results-pipe from transport process. Several recipients, combined with certificate use, exposed issues where response data items split over buffer boundaries were not parsed properly. This eventually resulted in duplicates being sent. This issue only became common enough to notice due to the introduction of conection certificate information, the item size being so much larger. Found and fixed by Wolfgang Breyha. JH/06 Bug 1533: Fix truncation of items in headers_remove lists. A fixed size buffer was used, resulting in syntax errors when an expansion exceeded it. JH/07 Add support for directories of certificates when compiled with a GnuTLS version 3.3.6 or later. JH/08 Rename the TPDA expermimental facility to Event Actions. The #ifdef is EXPERIMENTAL_EVENT, the main-configuration and transport options both become "event_action", the variables become $event_name, $event_data and $event_defer_errno. There is a new variable $verify_mode, usable in routers, transports and related events. The tls:cert event is now also raised for inbound connections, if the main configuration event_action option is defined. TL/06 In test suite, disable OCSP for old versions of openssl which contained early OCSP support, but no stapling (appears to be less than 1.0.0). JH/09 When compiled with OpenSSL and EXPERIMENTAL_CERTNAMES, the checks on server certificate names available under the smtp transport option "tls_verify_cert_hostname" now do not permit multi-component wildcard matches. JH/10 Time-related extraction expansions from certificates now use the main option "timezone" setting for output formatting, and are consistent between OpenSSL and GnuTLS compilations. Bug 1541. JH/11 Fix a crash in mime ACL when meeting a zero-length, quoted or RFC2047- encoded parameter in the incoming message. Bug 1558. JH/12 Bug 1527: Autogrow buffer used in reading spool files. Since they now include certificate info, eximon was claiming there were spoolfile syntax errors. JH/13 Bug 1521: Fix ldap lookup for single-attr request, multiple-attr return. JH/14 Log delivery-related information more consistently, using the sequence "H= []" wherever possible. TL/07 Bug 1547: Omit RFCs from release. Draft and RFCs have licenses which are problematic for Debian distribution, omit them from the release tarball. JH/15 Updates and fixes to the EXPERIMENTAL_DSN feature. JH/16 Fix string representation of time values on 64bit time_t anchitectures. Bug 1561. JH/17 Fix a null-indirection in certextract expansions when a nondefault output list separator was used. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.137 2014/10/20 13:39:56 wiedi Exp $ d4 1 @ 1.137 log @Enable queue runs in Exim SMF Manifest just like it is with rc.d @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.136 2014/10/07 16:47:29 adam Exp $ d3 1 a3 2 DISTNAME= exim-4.84 PKGREVISION= 2 @ 1.136 log @Revbump after updating libwebp and icu @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.135 2014/08/17 08:16:58 adam Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.135 log @Changes 4.84: TL/01 Bugzilla 1506: Re-add a 'return NULL' to silence complaints from static checkers that were complaining about end of non-void function with no return. JH/01 Bug 1513: Fix parsing of quoted parameter values in MIME headers. This was a regression intruduced in 4.83 by another bugfix. JH/02 Fix broken compilation when EXPERIMENTAL_DSN is enabled. TL/02 Bug 1509: Fix exipick for enhanced spoolfile specification used when EXPERIMENTAL_DNS is enabled. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.134 2014/07/23 14:09:52 adam Exp $ d4 1 @ 1.134 log @Changes 4.83: 1. If built with the EXPERIMENTAL_PROXY feature enabled, Exim can be configured to expect an initial header from a proxy that will make the actual external source IP:host be used in exim instead of the IP of the proxy that is connecting to it. 2. New verify option header_names_ascii, which will check to make sure there are no non-ASCII characters in header names. Exim itself handles those non-ASCII characters, but downstream apps may not, so Exim can detect and reject if those characters are present. 3. New expansion operator ${utf8clean:string} to replace malformed UTF8 codepoints with valid ones. 4. New malware type "sock". Talks over a Unix or TCP socket, sending one command line and matching a regex against the return data for trigger and a second regex to extract malware_name. The mail spoofile name can be included in the command line. 5. The smtp transport now supports options "tls_verify_hosts" and "tls_try_verify_hosts". If either is set the certificate verification is split from the encryption operation. The default remains that a failed verification cancels the encryption. 6. New SERVERS override of default ldap server list. In the ACLs, an ldap lookup can now set a list of servers to use that is different from the default list. 7. New command-line option -C for exiqgrep to specify alternate exim.conf file when searching the queue. 8. OCSP now supports GnuTLS also, if you have version 3.1.3 or later of that. 9. Support for DNSSEC on outbound connections. 10. New variables "tls_(in,out)_(our,peer)cert" and expansion item "certextract" to extract fields from them. Hash operators md5 and sha1 work over them for generating fingerprints, and a new sha256 operator for them added. 11. PRDR is now supported dy default. 12. OCSP stapling is now supported by default. 13. If built with the EXPERIMENTAL_DSN feature enabled, Exim will output Delivery Status Notification messages in MIME format, and negociate DSN features per RFC 3461. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.133 2014/06/14 10:18:05 wiedi Exp $ d3 1 a3 1 DISTNAME= exim-4.83 @ 1.133 log @fix SMF Manifest installation by not overwriting INSTALLATION_DIRS @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.132 2014/05/29 23:36:45 wiz Exp $ d3 1 a3 2 DISTNAME= exim-4.82.1 PKGREVISION= 1 d38 2 a39 2 FILES_SUBST+= EXIM_GROUP=${EXIM_GROUP:Q} FILES_SUBST+= EXIM_USER=${EXIM_USER:Q} @ 1.132 log @Bump for perl-5.20.0. Do it for all packages that * mention perl, or * have a directory name starting with p5-*, or * depend on a package starting with p5- like last time, for 5.18, where this didn't lead to complaints. Let me know if you have any this time. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.131 2014/05/29 09:27:37 adam Exp $ d118 1 a118 1 INSTALLATION_DIRS = ${PKGMANDIR}/man8 sbin share/examples/exim share/doc/exim @ 1.131 log @Changes 4.82.1: This is a SECURITY release, addressing a CRITICAL remote code execution flaw in Exim version 4.82 (only) when built with DMARC support (an experimental feature, not on by default). This release is identical to 4.82 except for the small change needed to plug the security hole. The next release of Exim will, eventually, be 4.83, which will include the many improvements we've made since 4.82, but which will require the normal release candidate baking process before release. You are not vulnerable unless you built Exim with EXPERIMENTAL_DMARC. This issue is known by the CVE ID of CVE-2014-2957, was reported directly to the Exim development team by a company which uses Exim for its mail server. An Exim developer constructed a small patch which altered the way the contents of the From header is parsed by converting it to use safer and better internal functions. It was applied and tested on a production server for correctness. We were notified of the vulnerability Friday night, created a patch on Saturday, applied and tested it on Sunday, notified OS packagers on Monday/Tuesday, and are releasing on the next available work day, which is Wednesday. This is why we have made the smallest feasible changes to prevent exploit: we want this chagne to be as safe as possible to expedite into production (if the packages were built with DMARC). @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.130 2014/04/30 10:21:08 jperkin Exp $ d4 1 @ 1.130 log @Add SMF manifest. Contributed by BroSys on GitHub. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.129 2014/04/09 07:27:11 obache Exp $ d3 1 a3 2 DISTNAME= exim-4.82 PKGREVISION= 2 @ 1.129 log @recursive bump from icu shlib major bump. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.128 2014/02/12 23:18:07 tron Exp $ d39 3 @ 1.128 log @Recursive PKGREVISION bump for OpenSSL API version bump. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.127 2013/10/30 07:30:03 adam Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.127 log @Version 4.82 1. New command-line option -bI:sieve will list all supported sieve extensions of this Exim build on standard output, one per line. ManageSieve (RFC 5804) providers managing scripts for use by Exim should query this to establish the correct list to include in the protocol's SIEVE capability line. 2. If the -n option is combined with the -bP option, then the name of an emitted option is not output, only the value (if visible to you). For instance, "exim -n -bP pid_file_path" should just emit a pathname followed by a newline, and no other text. 3. When built with SUPPORT_TLS and USE_GNUTLS, the SMTP transport driver now has a "tls_dh_min_bits" option, to set the minimum acceptable number of bits in the Diffie-Hellman prime offered by a server (in DH ciphersuites) acceptable for security. (Option accepted but ignored if using OpenSSL). Defaults to 1024, the old value. May be lowered only to 512, or raised as far as you like. Raising this may hinder TLS interoperability with other sites and is not currently recommended. Lowering this will permit you to establish a TLS session which is not as secure as you might like. Unless you really know what you are doing, leave it alone. 4. If not built with DISABLE_DNSSEC, Exim now has the main option dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library to send the DO flag to your recursive resolver. If you have a recursive resolver, which can set the Authenticated Data (AD) flag in results, Exim can now detect this. Exim does not perform validation itself, instead relying upon a trusted path to the resolver. Current status: work-in-progress; $sender_host_dnssec variable added. 5. DSCP support for outbound connections: on a transport using the smtp driver, set "dscp = ef", for instance, to cause the connections to have the relevant DSCP (IPv4 TOS or IPv6 TCLASS) value in the header. Similarly for inbound connections, there is a new control modifier, dscp, so "warn control = dscp/ef" in the connect ACL, or after authentication. Supported values depend upon system libraries. "exim -bI:dscp" to list the ones Exim knows of. You can also set a raw number 0..0x3F. 6. The -G command-line flag is no longer ignored; it is now equivalent to an ACL setting "control = suppress_local_fixups". The -L command-line flag is now accepted and forces use of syslog, with the provided tag as the process name. A few other flags used by Sendmail are now accepted and ignored. 7. New cutthrough routing feature. Requested by a "control = cutthrough_delivery" ACL modifier; works for single-recipient mails which are recieved on and deliverable via SMTP. Using the connection made for a recipient verify, if requested before the verify, or a new one made for the purpose while the inbound connection is still active. The bulk of the mail item is copied direct from the inbound socket to the outbound (as well as the spool file). When the source notifies the end of data, the data acceptance by the destination is negociated before the acceptance is sent to the source. If the destination does not accept the mail item, for example due to content-scanning, the item is not accepted from the source and therefore there is no need to generate a bounce mail. This is of benefit when providing a secondary-MX service. The downside is that delays are under the control of the ultimate destination system not your own. The Recieved-by: header on items delivered by cutthrough is generated early in reception rather than at the end; this will affect any timestamp included. The log line showing delivery is recorded before that showing reception; it uses a new ">>" tag instead of "=>". To support the feature, verify-callout connections can now use ESMTP and TLS. The usual smtp transport options are honoured, plus a (new, default everything) hosts_verify_avoid_tls. New variable families named tls_in_cipher, tls_out_cipher etc. are introduced for specific access to the information for each connection. The old names are present for now but deprecated. Not yet supported: IGNOREQUOTA, SIZE, PIPELINING. 8. New expansion operators ${listnamed:name} to get the content of a named list and ${listcount:string} to count the items in a list. 9. New global option "gnutls_allow_auto_pkcs11", defaults false. The GnuTLS rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11 modules. For some situations this is desirable, but we expect admin in those situations to know they want the feature. More commonly, it means that GUI user modules get loaded and are broken by the setuid Exim being unable to access files specified in environment variables and passed through, thus breakage. So we explicitly inhibit the PKCS11 initialisation unless this new option is set. Some older OS's with earlier versions of GnuTLS might not have pkcs11 ability, so have also added a build option which can be used to build Exim with GnuTLS but without trying to use any kind of PKCS11 support. Uncomment this in the Local/Makefile: AVOID_GNUTLS_PKCS11=yes 10. The "acl = name" condition on an ACL now supports optional arguments. New expansion item "${acl {name}{arg}...}" and expansion condition "acl {{name}{arg}...}" are added. In all cases up to nine arguments can be used, appearing in $acl_arg1 to $acl_arg9 for the called ACL. Variable $acl_narg contains the number of arguments. If the ACL sets a "message =" value this becomes the result of the expansion item, or the value of $value for the expansion condition. If the ACL returns accept the expansion condition is true; if reject, false. A defer return results in a forced fail. 11. Routers and transports can now have multiple headers_add and headers_remove option lines. The concatenated list is used. 12. New ACL modifier "remove_header" can remove headers before message gets handled by routers/transports. 13. New dnsdb lookup pseudo-type "a+". A sequence of "a6" (if configured), "aaaa" and "a" lookups is done and the full set of results returned. 14. New expansion variable $headers_added with content from ACL add_header modifier (but not yet added to messsage). 15. New 8bitmime status logging option for received messages. Log field "M8S". 16. New authenticated_sender logging option, adding to log field "A". 17. New expansion variables $router_name and $transport_name. Useful particularly for debug_print as -bt commandline option does not require privilege whereas -d does. 18. If built with EXPERIMENTAL_PRDR, per-recipient data responses per a proposed extension to SMTP from Eric Hall. 19. The pipe transport has gained the force_command option, to allow decorating commands from user .forward pipe aliases with prefix wrappers, for instance. 20. Callout connections can now AUTH; the same controls as normal delivery connections apply. 21. Support for DMARC, using opendmarc libs, can be enabled. It adds new options: dmarc_forensic_sender, dmarc_history_file, and dmarc_tld_file. It adds new expansion variables $dmarc_ar_header, $dmarc_status, $dmarc_status_text, and $dmarc_used_domain. It adds a new acl modifier dmarc_status. It adds new control flags dmarc_disable_verify and dmarc_enable_forensic. 22. Add expansion variable $authenticated_fail_id, which is the username provided to the authentication method which failed. It is available for use in subsequent ACL processing (typically quit or notquit ACLs). 23. New ACL modifer "udpsend" can construct a UDP packet to send to a given UDP host and port. 24. New ${hexquote:..string..} expansion operator converts non-printable characters in the string to \xNN form. 25. Experimental TPDA (Transport Post Delivery Action) function added. Patch provided by Axel Rau. 26. Experimental Redis lookup added. Patch provided by Warren Baker. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.126 2013/10/19 09:07:07 adam Exp $ d4 1 @ 1.126 log @Revbump after updating textproc/icu @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.125 2013/07/12 10:44:56 jperkin Exp $ d3 1 a3 2 DISTNAME= exim-4.80.1 PKGREVISION= 8 @ 1.125 log @Bump PKGREVISION of all packages which create users, to pick up change of sysutils/user_* packages. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.124 2013/05/31 12:41:13 wiz Exp $ d4 1 a4 1 PKGREVISION= 7 @ 1.124 log @Bump all packages for perl-5.18, that a) refer 'perl' in their Makefile, or b) have a directory name of p5-*, or c) have any dependency on any p5-* package Like last time, where this caused no complaints. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.123 2013/05/09 07:40:04 adam Exp $ d4 1 a4 1 PKGREVISION= 6 @ 1.123 log @Massive revbump after updating graphics/ilmbase, graphics/openexr, textproc/icu. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.122 2013/03/02 20:33:27 wiz Exp $ d4 1 a4 1 PKGREVISION= 5 @ 1.122 log @Bump PKGREVISION for mysql default change to 55. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.121 2013/02/06 23:22:44 jperkin Exp $ d4 1 a4 1 PKGREVISION= 4 @ 1.121 log @PKGREVISION bumps for the security/openssl 1.0.1d update. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.120 2013/01/26 21:38:07 adam Exp $ d4 1 a4 1 PKGREVISION= 3 @ 1.120 log @Revbump after graphics/jpeg and textproc/icu @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.119 2012/12/16 01:52:20 obache Exp $ d4 1 a4 1 PKGREVISION= 2 @ 1.119 log @recursive bump from cyrus-sasl libsasl2 shlib major bump. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.118 2012/10/30 20:12:20 abs Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.118 log @Updated mail/exim to 4.80.1 Exim version 4.80.1 ------------------- PP/01 SECURITY: protect DKIM DNS decoding from remote exploit. CVE-2012-5671 This, or similar/improved, will also be change PP/11 of 4.81. See: https://secunia.com/advisories/51098/ @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.117 2012/10/08 12:19:10 asau Exp $ d4 1 @ 1.117 log @Drop PKG_DESTDIR_SUPPORT setting, "user-destdir" is default these days. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.116 2012/10/03 21:56:23 wiz Exp $ d3 1 a3 2 DISTNAME= exim-4.80 PKGREVISION= 1 @ 1.116 log @Bump all packages that use perl, or depend on a p5-* package, or are called p5-*. I hope that's all of them. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.115 2012/06/11 11:41:24 adam Exp $ a24 2 PKG_DESTDIR_SUPPORT = user-destdir @ 1.115 log @Changes 4.80: 1. New authenticator driver, "gsasl". Server-only (at present). This is a SASL interface, licensed under GPL, which can be found at http://www.gnu.org/software/gsasl/. This system does not provide sources of data for authentication, so careful use needs to be made of the conditions in Exim. 2. New authenticator driver, "heimdal_gssapi". Server-only. A replacement for using cyrus_sasl with Heimdal, now that $KRB5_KTNAME is no longer honoured for setuid programs by Heimdal. Use the "server_keytab" option to point to the keytab. 3. The "pkg-config" system can now be used when building Exim to reference cflags and library information for lookups and authenticators, rather than having to update "CFLAGS", "AUTH_LIBS", "LOOKUP_INCLUDE" and "LOOKUP_LIBS" directly. Similarly for handling the TLS library support without adjusting "TLS_INCLUDE" and "TLS_LIBS". In addition, setting PCRE_CONFIG=yes will query the pcre-config tool to find the headers and libraries for PCRE. 4. New expansion variable $tls_bits. 5. New lookup type, "dbmjz". Key is an Exim list, the elements of which will be joined together with ASCII NUL characters to construct the key to pass into the DBM library. Can be used with gsasl to access sasldb2 files as used by Cyrus SASL. 6. OpenSSL now supports TLS1.1 and TLS1.2 with OpenSSL 1.0.1. Avoid release 1.0.1a if you can. Note that the default value of "openssl_options" is no longer "+dont_insert_empty_fragments", as that increased susceptibility to attack. This may still have interoperability implications for very old clients (see version 4.31 change 37) but administrators can choose to make the trade-off themselves and restore compatibility at the cost of session security. 7. Use of the new expansion variable $tls_sni in the main configuration option tls_certificate will cause Exim to re-expand the option, if the client sends the TLS Server Name Indication extension, to permit choosing a different certificate; tls_privatekey will also be re-expanded. You must still set these options to expand to valid files when $tls_sni is not set. The SMTP Transport has gained the option tls_sni, which will set a hostname for outbound TLS sessions, and set $tls_sni too. A new log_selector, +tls_sni, has been added, to log received SNI values for Exim as a server. 8. The existing "accept_8bitmime" option now defaults to true. This means that Exim is deliberately not strictly RFC compliant. We're following Dan Bernstein's advice in http://cr.yp.to/smtp/8bitmime.html by default. Those who disagree, or know that they are talking to mail servers that, even today, are not 8-bit clean, need to turn off this option. 9. Exim can now be started with -bw (with an optional timeout, given as -bw). With this, stdin at startup is a socket that is already listening for connections. This has a more modern name of "socket activation", but forcing the activated socket to fd 0. We're interested in adding more support for modern variants. 10. ${eval } now uses 64-bit values on supporting platforms. A new "G" suffix for numbers indicates multiplication by 1024^3. 11. The GnuTLS support has been revamped; the three options gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols are no longer supported. tls_require_ciphers is now parsed by gnutls_priority_init(3) as a priority string, documentation for which is at: http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html SNI support has been added to Exim's GnuTLS integration too. For sufficiently recent GnuTLS libraries, ${randint:..} will now use gnutls_rnd(), asking for GNUTLS_RND_NONCE level randomness. 12. With OpenSSL, if built with EXPERIMENTAL_OCSP, a new option tls_ocsp_file is now available. If the contents of the file are valid, then Exim will send that back in response to a TLS status request; this is OCSP Stapling. Exim will not maintain the contents of the file in any way: administrators are responsible for ensuring that it is up-to-date. 13. ${lookup dnsdb{ }} supports now SPF record types. They are handled identically to TXT record lookups. 14. New expansion variable $tod_epoch_l for higher-precision time. 15. New global option tls_dh_max_bits, defaulting to current value of NSS hard-coded limit of DH ephemeral bits, to fix interop problems caused by GnuTLS 2.12 library recommending a bit count higher than NSS supports. 16. tls_dhparam now used by both OpenSSL and GnuTLS, can be path or identifier. Option can now be a path or an identifier for a standard prime. If unset, we use the DH prime from section 2.2 of RFC 5114, "ike23". Set to "historic" to get the old GnuTLS behaviour of auto-generated DH primes. 17. SSLv2 now disabled by default in OpenSSL. (Never supported by GnuTLS). Use "openssl_options -no_sslv2" to re-enable support, if your OpenSSL install was not built with OPENSSL_NO_SSL2 ("no-ssl2"). @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.114 2012/04/27 12:31:53 obache Exp $ d4 1 @ 1.115.4.1 log @Pullup ticket #3957 - requested by abs mail/exim: security update Revisions pulled up: - mail/exim/Makefile 1.118 - mail/exim/distinfo 1.54 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: abs Date: Tue Oct 30 20:12:20 UTC 2012 Modified Files: pkgsrc/mail/exim: Makefile distinfo Log Message: Updated mail/exim to 4.80.1 Exim version 4.80.1 ------------------- PP/01 SECURITY: protect DKIM DNS decoding from remote exploit. CVE-2012-5671 This, or similar/improved, will also be change PP/11 of 4.81. See: https://secunia.com/advisories/51098/ To generate a diff of this commit: cvs rdiff -u -r1.117 -r1.118 pkgsrc/mail/exim/Makefile cvs rdiff -u -r1.53 -r1.54 pkgsrc/mail/exim/distinfo @ text @d1 1 a1 1 # $NetBSD$ d3 1 a3 1 DISTNAME= exim-4.80.1 @ 1.114 log @Recursive bump from icu shlib major bumped to 49. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.113 2012/03/03 00:13:29 wiz Exp $ d3 1 a3 2 DISTNAME= exim-4.77 PKGREVISION= 3 @ 1.113 log @Recursive bump for pcre-8.30* (shlib major change) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.112 2012/01/24 09:11:06 sbd Exp $ d4 1 a4 1 PKGREVISION= 2 @ 1.112 log @Recursive dependency bump for databases/gdbm ABI_DEPENDS change. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.111 2011/10/10 12:20:49 adam Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.111 log @Changes 4.77: * Solaris build fix for Oracle's LDAP libraries. * HP/UX build fix: avoid arithmetic on a void pointer. * DKIM Verification: Fix relaxed canon for empty headers w/o whitespace trailer * Fix a couple more cases where we did not log the error message when unlink() failed. * Make the exiwhat support code safe for signals. Previously Exim might lock up or crash if it happened to be inside a call to libc when it got a SIGUSR1 from exiwhat. * Improved ratelimit ACL condition. * Removed a few PCRE remnants. * Automatically extract Exim's version number from tags in the git repository when doing development or release builds. * Raise smtp_cmd_buffer_size to 16kB. * Implement SSL-on-connect outbound with protocol=smtps on smtp transport. * Use .dylib instead of .so for dynamic library loading on MacOS. * Variable $av_failed, true if the AV scanner deferred. * Stop make process more reliably on build failure. * Make maildir_use_size_file an _expandable_ boolean. * Handle ${run} returning more data than OS pipe buffer size. * Handle IPv6 addresses with SPF. * GnuTLS: support TLS 1.2 & 1.1. * match_* no longer expand right-hand-side by default. * fix uninitialised greeting string from PP/03 (smtps client support). * shell and compiler warnings fixes for RC1-RC4 changes. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.110 2011/08/23 13:06:50 obache Exp $ d4 1 @ 1.110 log @Recursive bump from gdbm shlib bump. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.109 2011/06/10 21:57:08 obache Exp $ d3 1 a3 2 DISTNAME= exim-4.76 PKGREVISION= 2 @ 1.109 log @recursive bump from icu shlib major bump. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.108 2011/05/09 13:30:47 adam Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.108 log @Changes 4.76: * The new ldap_require_cert option would segfault if used. Fixed. * Harmonised TLS library version reporting; only show if debugging. Layout now matches that introduced for other libraries in 4.74 PP/03. * New openssl_options items: no_sslv2 no_sslv3 no_ticket no_tlsv1 * New "dns_use_edns0" global option. * Don't segfault on misconfiguration of ref:name exim-user as uid. * Extra paranoia around buffer usage at the STARTTLS transition. nb: Exim is not vulnerable to http://www.kb.cert.org/vuls/id/555316 * Updated PolarSSL code to 0.14.2. * Catch divide-by-zero in ${eval:...}. * Condition negation of bool{}/bool_lax{} did not negate. Fixed. * CVE-2011-1764 - DKIM log line was subject to a format-string attack -- SECURITY: remote arbitrary code execution. * SECURITY - DKIM signature header parsing was double-expanded, second time unintentionally subject to list matching rules, letting the header cause arbitrary Exim lookups (of items which can occur in lists, *not* arbitrary string expansion). This allowed for information disclosure. * Fix another SIGFPE (x86) in ${eval:...} expansion, this time related to INT_MIN/-1 -- value coerced to INT_MAX. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.107 2011/05/07 14:32:02 drochner Exp $ d4 1 @ 1.107 log @add patch from upstream to fix format string vulnerability (CVE-2011-1764) bump PKGREV @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.106 2011/03/22 13:52:19 adam Exp $ d3 1 a3 2 DISTNAME= exim-4.75 PKGREVISION= 1 @ 1.106 log @Changes 4.75: 1. In addition to the existing LDAP and LDAP/SSL ("ldaps") support, there is now LDAP/TLS support, given sufficiently modern OpenLDAP client libraries. The following global options have been added in support of this: ldap_ca_cert_dir, ldap_ca_cert_file, ldap_cert_file, ldap_cert_key, ldap_cipher_suite, ldap_require_cert, ldap_start_tls. 2. The pipe transport now takes a boolean option, "freeze_signal", default false. When true, if the external delivery command exits on a signal then Exim will freeze the message in the queue, instead of generating a bounce. 3. Log filenames may now use %M as an escape, instead of %D (still available). The %M pattern expands to yyyymm, providing month-level resolution. 4. The $message_linecount variable is now updated for the maildir_tag option, in the same way as $message_size, to reflect the real number of lines, including any header additions or removals from transport. 5. When contacting a pool of SpamAssassin servers configured in spamd_address, Exim now selects entries randomly, to better scale in a cluster setup. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.105 2011/01/27 07:48:51 adam Exp $ d4 1 @ 1.105 log @Changes 4.74: * Failure to get a lock on a hints database can have serious consequences so log it to the panic log. * Log LMTP confirmation messages in the same way as SMTP, controlled using the smtp_confirmation log selector. * Include the error message when we fail to unlink a spool file. * Bugzilla 139: Support dynamically loaded lookups as modules. * Bugzilla 139: Documentation and portability issues. Avoid GNU Makefile-isms, let Exim continue to build on BSD. Handle per-OS dynamic-module compilation flags. * Let /dev/null have normal permissions. The 4.73 fixes were a little too stringent and complained about the permissions on /dev/null. Exempt it from some checks. * Report version information for many libraries, including Exim version information for dynamically loaded libraries. Created version.h, now support a version extension string for distributors who patch heavily. Dynamic module ABI change. * CVE-2011-0017 - check return value of setuid/setgid. This is a privilege escalation vulnerability whereby the Exim run-time user can cause root to append content of the attacker's choosing to arbitrary files. * Bugzilla 1041: merged DCC maintainer's fixes for return code. * Bugzilla 1071: fix delivery logging with untrusted macros. If dropping privileges for untrusted macros, we disabled normal logging on the basis that it would fail; for the Exim run-time user, this is not the case, and it resulted in successful deliveries going unlogged. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.104 2011/01/12 07:52:44 adam Exp $ d3 1 a3 1 DISTNAME= exim-4.74 @ 1.104 log @Changes 4.73: * Date: & Message-Id: revert to normally being appended to a message, only prepend for the Resent-* case. Fixes regression introduced in Exim 4.70 by NM/22 for Bugzilla 607. * Include check_rfc2047_length in configure.default because we're seeing increasing numbers of administrators be bitten by this. * Added DISABLE_DKIM and comment to src/EDITME * Bugzilla 994: added openssl_options main configuration option. * Bugzilla 995: provide better SSL diagnostics on failed reads. * Bugzilla 834: provide a permit_coredump option for pipe transports. * Adjust NTLM authentication to handle SASL Initial Response. * If TLS negotiated an anonymous cipher, we could end up with SSL but without a peer certificate, leading to a segfault because of an assumption that peers always have certificates. Be a little more paranoid. * Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes NB: ClamAV planning to remove STREAM in "middle of 2010". CL also introduces -bmalware, various -d+acl logging additions and more caution in buffer sizes. * Implemented reverse_ip expansion operator. * Bugzilla 937: provide a "debug" ACL control. * Bugzilla 922: Documentation dusting, patch provided by John Horne. * Bugzilla 973: Implement --version. * Bugzilla 752: Refuse to build/run if Exim user is root/0. * Build without WITH_CONTENT_SCAN. Path from Andreas Metzler. * Bugzilla 816: support multiple condition rules on Routers. * Add bool_lax{} expansion operator and use that for combining multiple condition rules, instead of bool{}. Make both bool{} and bool_lax{} ignore trailing whitespace. * prevent non-panic DKIM error from being sent to paniclog * added tcp_wrappers_daemon_name to allow host entries other than "exim" to be used * Fix malware regression for cmdline scanner introduced in PP/08. Notification from Dr Andrew Aitchison. * Change ClamAV response parsing to be more robust and to handle ClamAV's ExtendedDetectionInfo response format. * OpenSSL 1.0.0a compatibility const-ness change, should be backwards compatible. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.103 2010/11/08 13:59:11 adam Exp $ d3 1 a3 1 DISTNAME= exim-4.73 @ 1.103 log @* Fix resolver on NetBSD when Exim is linked with pthreads (e.g. when using sqlite). * Pass LDFLAGS for linking (useful with different SDKs on Mac OS X). @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.102 2010/06/06 14:15:30 adam Exp $ d3 1 a3 1 DISTNAME= exim-4.72 @ 1.103.2.1 log @Pullup ticket #3330 - requested by gls mail/exim: security update Revisions pulled up: - mail/exim/Makefile 1.104 - mail/exim/distinfo 1.47 - mail/exim/patches/patch-aa 1.21 - mail/exim/patches/patch-ba 1.1 - mail/exim/patches/patch-bb 1.1 - mail/exim/patches/patch-bc 1.1 - mail/exim/patches/patch-bd 1.1 --- Module Name: pkgsrc Committed By: adam Date: Wed Jan 12 07:52:45 UTC 2011 Modified Files: pkgsrc/mail/exim: Makefile distinfo pkgsrc/mail/exim/patches: patch-aa Added Files: pkgsrc/mail/exim/patches: patch-ba patch-bb patch-bc patch-bd Log Message: Changes 4.73: * Date: & Message-Id: revert to normally being appended to a message, only prepend for the Resent-* case. Fixes regression introduced in Exim 4.70 by NM/22 for Bugzilla 607. * Include check_rfc2047_length in configure.default because we're seeing increasing numbers of administrators be bitten by this. * Added DISABLE_DKIM and comment to src/EDITME * Bugzilla 994: added openssl_options main configuration option. * Bugzilla 995: provide better SSL diagnostics on failed reads. * Bugzilla 834: provide a permit_coredump option for pipe transports. * Adjust NTLM authentication to handle SASL Initial Response. * If TLS negotiated an anonymous cipher, we could end up with SSL but without a peer certificate, leading to a segfault because of an assumption that peers always have certificates. Be a little more paranoid. * Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes NB: ClamAV planning to remove STREAM in "middle of 2010". CL also introduces -bmalware, various -d+acl logging additions and more caution in buffer sizes. * Implemented reverse_ip expansion operator. * Bugzilla 937: provide a "debug" ACL control. * Bugzilla 922: Documentation dusting, patch provided by John Horne. * Bugzilla 973: Implement --version. * Bugzilla 752: Refuse to build/run if Exim user is root/0. * Build without WITH_CONTENT_SCAN. Path from Andreas Metzler. * Bugzilla 816: support multiple condition rules on Routers. * Add bool_lax{} expansion operator and use that for combining multiple condition rules, instead of bool{}. Make both bool{} and bool_lax{} ignore trailing whitespace. * prevent non-panic DKIM error from being sent to paniclog * added tcp_wrappers_daemon_name to allow host entries other than "exim" to be used * Fix malware regression for cmdline scanner introduced in PP/08. Notification from Dr Andrew Aitchison. * Change ClamAV response parsing to be more robust and to handle ClamAV's ExtendedDetectionInfo response format. * OpenSSL 1.0.0a compatibility const-ness change, should be backwards compatible. @ text @d1 1 a1 1 # $NetBSD$ d3 1 a3 1 DISTNAME= exim-4.73 @ 1.102 log @Changes 4.72: * installed exipick 20100104.1, adding $max_received_linelength, $data_path, and $header_path variables; fixed documentation bugs and typos * installed exipick 20100222.0, added --input-dir and --finput to allow exipick to access non-standard spools, including the "frozen" queue (Finput) * Support mysql stored procedures. * Spacing fix (syntax error) on Makefile directives for NetBSD * Documentation fix for max_rcpts. * Fix for unknown responses from Dovecot authenticator. * Added umask to procmail example. * installed exipick 20100323.0, fixing doc bug * CVE-2010-2023 - prevent hardlink attack on sticky mail directory. * Upgrade PolarSSL files to upstream version 0.12.1. * Improve log output when DKIM signing operation fails. * Treat the transport option dkim_domain as a colon separated list, not as a single string, and sign the message with each element, omitting multiple occurences of the same signer. * Null terminate DKIM strings, Null initialise DKIM variable * dnsdb DNS TXT record bug fix (DKIM-related) * CVE-2010-2024 - work round race condition on MBX locking. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.101 2010/06/02 13:04:04 adam Exp $ a52 3 # XXX: The following will be handled by buildlink3 at some point. CFLAGS+= ${_STRIPFLAG_CC} @ 1.101 log @Fix building with db5; revision bump for db4 update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.100 2010/01/31 21:06:29 heinz Exp $ d3 1 a3 2 DISTNAME= exim-4.71 PKGREVISION= 2 d6 1 a6 1 http://dl.ambiweb.de/mirrors/ftp.exim.org/exim/exim4/ d40 1 a40 1 PKG_SYSCONFSUBDIR?= exim d66 6 a112 5 # CFLAGS is already set by pkgsrc for f in ${WRKSRC}/OS/Makefile-*; do \ sed -e 's/^CFLAGS=.*//' $$f > $$f.subst; \ mv -f $$f.subst $$f; \ done @ 1.100 log @Added complete support for installation to DESTDIR. The Exim executable file cannot run without EXIM_USER being present on the system, so scripts/exim_install was changed to derive the Exim version from the pkgsrc package version (see PKGSRC_EXIM_VERSION in the Makefile and patch-ae). Added LICENSE information. Ok'd by abs@@ @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.99 2010/01/15 20:48:08 zafer Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.99 log @use official mirrors, remove broken ones. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.98 2009/12/30 13:24:50 abs Exp $ d13 1 a17 1 INSTALLATION_DIRS+= ${PKGMANDIR}/man8 d25 1 a25 1 PKG_DESTDIR_SUPPORT = destdir d52 1 d60 10 @ 1.98 log @Add missing doc/spec.txt to install & PLIST @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.97 2009/12/07 14:29:09 adam Exp $ d7 1 a7 2 ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/ \ ftp://ftp.esat.net/pub/networking/mail/mta/exim/exim4/ @ 1.97 log @Changes 4.71: * Fix DKIM segfault on empty headers/body * Documentation fix for gnutls_* options. * Documentation for randint. Better randomness defaults. * Enable DNSDB lookup by default. * Flag broken perl installation during build. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.96 2009/11/17 06:39:32 adam Exp $ d4 1 d109 1 a109 1 INSTALLATION_DIRS = ${PKGMANDIR}/man8 sbin share/examples/exim d113 4 a116 1 ${INSTALL_DATA} ${WRKSRC}/doc/exim.8 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man8/exim.8 @ 1.96 log @Changes 4.70: * Added patch by Johannes Berg that expands the main option "spamd_servers" if it starts with a dollar sign. * Write list of recipients to X-Envelope-Sender header when building the mbox-format spool file for content scanning. * Added patch by Wolfgang Breyha that adds experimental DCC (http://www.dcc-servers.net/) support via dccifd. Activated by setting EXPERIMENTAL_DCC=yes in Local/Makefile. Check out experimental_spec.txt for more documentation. * Bugzilla 673: Add f-protd malware scanner support. * Bugzilla 657: Embedded PCRE removed from the exim source tree. When building exim an external PCRE library is now needed - PCRE is a system library on the majority of modern systems. See entry on PCRE_LIBS in EDITME file. * Bugzilla 646: Removed unwanted C/R in Dovecot authenticator conversation. Added nologin parameter to request. * Do not log submission mode rewrites if they do not change the address. * Bugzilla 662: Fix stack corruption before exec() in daemon.c. * Bugzilla 602: exicyclog now handles panic log, and creates empty log files in place. Contributed by Roberto Lima * Bugzilla 667: close socket used by dovecot authenticator * Bugzilla 615: When checking the local_parts router precondition after a local_part_suffix or local_part_prefix option, Exim now does not use the address's named list lookup cache, since this contains cached lookups for the whole local part. * Bugzilla 521: Integrated SPF Best Guess support contributed by Robert Millan. Documentation is in experimental-spec.txt * Bugzilla 668: Fix parallel build (make -j). * Bugzilla 437: Prevent Maildir aux files being created with mode 000 * Bugzilla 598: Improvement to Dovecot authenticator handling. * Leading white space used to be stripped from $spam_report which wrecked the formatting. Now it is preserved. * Save $spam_score, $spam_bar, and $spam_report in spool files, so that they are available at delivery time. * Fix the way ${extract is skipped in the untaken branch of a conditional. * TLS error reporting now respects the incoming_interface and incoming_port log selectors. * more... @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.95 2009/02/13 15:28:03 abs Exp $ d3 1 a3 1 DISTNAME= exim-4.70 @ 1.95 log @Add PKG_DESTDIR_SUPPORT=destdir @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.94 2009/01/12 18:59:24 abs Exp $ d3 1 a3 2 DISTNAME= exim-4.69 PKGREVISION= 4 a60 4 # BDB_TYPE gets set to "db1" if USE_DB185=="yes" USE_DB185?= no BDB_ACCEPTED?= db1 db2 db3 db4 d79 1 d82 1 d115 1 @ 1.94 log @Update exim to 4.69nb4 - Add support for getifaddrs() and enable on NetBSD - submitted back to exim bugzilla as http://bugs.exim.org/show_bug.cgi?id=802 - Increase size of addrbuf[512] used in old style ioctl() version of os_common_find_running_interfaces() Fixes issue on NetBSD 5.0 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.93 2008/11/10 17:21:36 wiz Exp $ d26 2 d111 2 d114 2 a115 3 ${INSTALL_DATA_DIR} ${EXAMPLESDIR} ${INSTALL_DATA} ${WRKDIR}/mailer.conf ${EXAMPLESDIR} ${INSTALL_DATA} ${WRKSRC}/doc/exim.8 ${PREFIX}/${PKGMANDIR}/man8/exim.8 @ 1.93 log @Bump PKGREVISION for libXaw API depends bump due to libXaw8 removal. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.92 2008/09/07 11:24:27 wiz Exp $ d4 1 a4 1 PKGREVISION= 3 @ 1.92 log @Bump PKGREVISION for db4 shlib name change (4.6 -> 4.7). Noted by OBATA Akio. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.91 2008/01/31 13:05:36 rillig Exp $ d4 1 a4 1 PKGREVISION= 2 @ 1.91 log @Fixed pkglint warning about BUILD_DEFS. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.90 2008/01/18 05:08:24 tnn Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.90 log @Per the process outlined in revbump(1), perform a recursive revbump on packages that are affected by the switch from the openssl 0.9.7 branch to the 0.9.8 branch. ok jlam@@ @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.89 2008/01/14 18:57:38 adam Exp $ d19 1 @ 1.89 log @Changes 4.69: * Add preliminary DKIM support. * Bugzilla 592: --help option is handled incorrectly if exim is invoked as mailq or other aliases. Changed the --help handling significantly to do whats expected. exim_usage() emits usage/help information. * Added the -bylocaldomain option to eximstats. * Bugzilla 619: Defended against bad data coming back from gethostbyaddr * Bugzilla 613: Documentation fix for acl_not_smtp * Bugzilla 628: PCRE update to 7.4 (work done by John Hall) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.88 2007/12/15 16:04:41 adam Exp $ d4 1 @ 1.88 log @Added 'readline' option, and MAKE_JOBS_SAFE=no @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.87 2007/10/14 19:14:57 adam Exp $ d3 1 a3 1 DISTNAME= exim-4.68 @ 1.87 log @Changes 4.68: * Bug fixes @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.86 2007/09/11 18:16:01 abs Exp $ d22 1 d43 1 a43 1 PLIST_SUBST+= DISTNAME=${DISTNAME:Q} @ 1.86 log @Update to exim-4.67nb1: - When -inet6, explicitly set HAVE_IPV6=NO to avoid use of any inet6 APIs Note: For entertainment purposes build a NetBSD distribution with 'MKINET=no' and see what breaks in pkgsrc @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.85 2007/07/04 20:54:42 jlam Exp $ d3 1 a3 2 DISTNAME= exim-4.67 PKGREVISION= 1 d62 4 a65 4 ${MKDIR} ${WRKSRC}/Local ${CP} ${WRKSRC}/src/EDITME ${WRKSRC}/Local/Makefile.pkgsrc ${CP} ${WRKSRC}/exim_monitor/EDITME ${WRKSRC}/Local/eximon.conf.pkgsrc ${CP} ${FILESDIR}/Makefile-DragonFly ${FILESDIR}/os.h-DragonFly \ d69 1 a69 1 ${SED} -e 's:@@PREFIX@@:${PREFIX}:' \ d91 1 a91 1 ${SED} -e 's:@@PREFIX@@:${PREFIX}:' \ d96 3 a98 3 @@for f in ${WRKSRC}/OS/Makefile-*; do \ ${SED} -e 's/^CFLAGS=.*//' $$f > $$f.subst; \ ${MV} -f $$f.subst $$f; \ d102 1 a102 1 ${SED} -e 's:@@PREFIX@@:${PREFIX}:' \ @ 1.85 log @Make it easier to build and install packages "unprivileged", where the owner of all installed files is a non-root user. This change affects most packages that require special users or groups by making them use the specified unprivileged user and group instead. (1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to unprivileged.mk. These two variables are lists of other bmake variables that define package-specific users and groups. Packages that have user-settable variables for users and groups, e.g. apache and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP}, etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER} and ${UNPRIVILEGED_GROUP}. (2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.84 2007/06/24 10:55:40 abs Exp $ d4 1 @ 1.84 log @Update mail/exim to 4.67: Prompted by report from Peter Avalos that exim 4.66 would not build against openssl 0.9.8e Changelog: MH/01 Fix for bug #448, segfault in Dovecot authenticator when interface_address is unset (happens when testing with -bh and -oMi isn't used). Thanks to Jan Srzednicki. PH/01 Added a new log selector smtp_no_mail, to log SMTP sessions that do not issue a MAIL command. PH/02 In an ACL statement such as deny dnslists = X!=127.0.0.2 : X=127.0.0.2 if a client was not listed at all, or was listed with a value other than 127.0.0.2, in the X list, but was listed with 127.0.0.2 in the Y list, the condition was not true (as it should be), so access was not denied. The bug was that the ! inversion was incorrectly passed on to the second item. This has been fixed. PH/03 Added additional dnslists conditions == and =& which are different from = and & when the dns lookup returns more than one IP address. PH/04 Added gnutls_require_{kx,mac,protocols} to give more control over the cipher suites used by GnuTLS. These options are ignored by OpenSSL. PH/05 After discussion on the list, added a compile time option ENABLE_DISABLE_ FSYNC, which compiles an option called disable_fsync that allows for bypassing fsync(). The documentation is heavily laced with warnings. SC/01 Updated eximstats to collate all SpamAssassin rejects into one bucket. PH/06 Some tidies to the infrastructure of the Test Suite that is concerned with the auxiliary C programs that it uses: (1) Arrange for BIND_8_COMPAT to be defined when compiling on OSX (Darwin); (2) Tidies to the Makefile, including adding "make clean"; (3) Added -fPIC when compiling the test dynamically loaded module, to get rid of a warning. MH/02 Fix for bug #451, causing paniclog entries to be written if a bounce message fails, move_frozen_messages = true and ignore_bounce_errors_after = 0s. The bug is otherwise harmless. PH/07 There was a bug in the dovecot authenticator such that the value of $auth1 could be overwritten, and so not correctly preserved, after a successful authentication. This usually meant that the value preserved by the server_setid option was incorrect. PH/08 Added $smtp_count_at_connection_start, deliberately with a long name. PH/09 Installed PCRE release 7.0. PH/10 The acl_not_smtp_start ACL was, contrary to the documentation, not being run for batched SMTP input. It is now run at the start of every message in the batch. While fixing this I discovered that the process information (output by running exiwhat) was not always getting set for -bs and -bS input. This is fixed, and it now also says "batched" for BSMTP. PH/11 Added control=no_pipelining. PH/12 Added $sending_ip_address and $sending_port (mostly Magnus Holmgren's patch, slightly modified), and move the expansion of helo_data till after the connection is made in the smtp transport (so it can use these values). PH/13 Added ${rfc2047d: to decoded RFC 2047 strings. PH/14 Added log_selector = +pid. PH/15 Flush SMTP output before delaying, unless control=no_delay_flush is set. PH/16 Add ${if forany and ${if forall. PH/17 Added dsn_from option to vary the From: line in DSNs. PH/18 Flush SMTP output before performing a callout, unless control = no_callout_flush is set. PH/19 Change 4.64/PH/36 introduced a bug: when address_retry_include_sender was true (the default) a successful delivery failed to delete the retry item, thus causing premature timeout of the address. The bug is now fixed. PH/20 Added hosts_avoid_pipelining to the smtp transport. PH/21 Long custom messages for fakedefer and fakereject are now split up into multiline reponses in the same way that messages for "deny" and other ACL rejections are. PH/22 Applied Jori Hamalainen's speed-up changes and typo fixes to exigrep, with slight modification. PH/23 Applied sieve patches from the maintainer "tracking the latest notify draft, changing the syntax and factoring some duplicate code". PH/24 When the log selector "outgoing_port" was set, the port was shown as -1 for deliveries of the second and subsequent messages over the same SMTP connection. PH/25 Applied Magnus Holmgren's patch for ${addresses, ${map, ${filter, and ${reduce, with only minor "tidies". SC/02 Applied Daniel Tiefnig's patch to improve the '($parent) =' pattern match. PH/26 Added a "continue" ACL modifier that does nothing, for the benefit of its expansion side effects. PH/27 When a message times out after an over-quota error from an Exim-imposed quota, the bounce message says "mailbox is full". This message was not being given when it was a system quota that was exceeded. It now should be the same. MH/03 Made $recipients available in local_scan(). local_scan() already has better access to the recipient list through recipients_list[], but $recipients can be useful in postmaster-provided expansion strings. PH/28 The $smtp_command and $smtp_command_argument variables were not correct in the case of a MAIL command with additional options following the address, for example: MAIL FROM: SIZE=1234. The option settings were accidentally chopped off. PH/29 SMTP synchronization checks are implemented when a command is read - there is a check that no more input is waiting when there shouldn't be any. However, for some commands, a delay in an ACL can mean that it is some time before the response is written. In this time, more input might arrive, invalidly. So now there are extra checks after an ACL has run for HELO/EHLO and after the predata ACL, and likewise for MAIL and RCPT when pipelining has not been advertised. PH/30 MH's patch to allow iscntrl() characters to be list separators. PH/31 Unlike :fail:, a custom message specified with :defer: was not being returned in the SMTP response when smtp_return_error_details was false. This has been fixed. PH/32 Change the Dovecot authenticator to use read() and write() on the socket instead of the C I/O that was originally supplied, because problems were reported on Solaris. PH/33 Compile failed with OpenSSL 0.9.8e. This was due to a coding error in Exim which did not show up earlier: it was assuming that a call to SSL_CTX_set_info_callback() might give an error value. In fact, there is no error. In previous releases of OpenSSL, SSL_CTX_set_info_callback() was a macro that became an assignment, so it seemed to work. This has changed to a proper function call with a void return, hence the compile error. Exim's code has been fixed. PH/34 Change HDA_SIZE in oracle.c from 256 to 512. This is needed for 64-bit cpus. PH/35 Applied a patch from the Sieve maintainer which fixes a bug in "notify". PH/36 Applied John Jetmore's patch to add -v functionality to exigrep. PH/37 If a message is not accepted after it has had an id assigned (e.g. because it turns out to be too big or there is a timeout) there is no "Completed" line in the log. When some messages of this type were selected by exigrep, they were listed as "not completed". Others were picked up by some special patterns. I have improved the selection criteria to be more general. PH/38 The host_find_failed option in the manualroute router can now be set to "ignore", to completely ignore a host whose IP address cannot be found. If all hosts are ignored, the behaviour is controlled by the new host_all_ignored option. PH/39 In a list of hosts for manualroute, if one item (either because of multi- homing or because of multiple MX records with /mx) generated more than one IP address, and the following item turned out to be the local host, all the secondary addresses of the first item were incorrectly removed from the list, along with the local host and any following hosts (which is what is supposed to happen). PH/40 When Exim receives a message, it writes the login name, uid, and gid of whoever called Exim into the -H file. In the case of the daemon it was behaving confusingly. When first started, it used values for whoever started the daemon, but after a SIGHUP it used the Exim user (because it calls itself on a restart). I have changed the code so that it now always uses the Exim user. PH/41 (Following a suggestion from Tony Finch) If all the RCPT commands in a message are rejected with the same error (e.g. no authentication or bad sender address), and a DATA command is nevertheless sent (as can happen with PIPELINING or a stupid MUA), the error message that was given to the RCPT commands is included in the rejection of the DATA command. This is intended to be helpful for MUAs that show only the final error to their users. PH/42 Another patch from the Sieve maintainer. SC/02 Eximstats - Differentiate between permanent and temporary rejects. Eximstats - Fixed some broken HTML links and added missing column headers (Jez Hancock). Eximstats - Fixed Grand Total Summary Domains, Edomains, and Email columns for Rejects, Temp Rejects, Ham, and Spam rows. SC/03 Eximstats - V1.58 Fix to get <> and blackhole to show in edomain tables. PH/43 Yet another patch from the Sieve maintainer. PH/44 I found a way to check for a TCP/IP connection going away before sending the response to the final '.' that terminates a message, but only in the case where the client has not sent further data following the '.' (unfortunately, this is allowed). However, in many cases there won't be any further data because there won't be any more messages to send. A call to select() can be used: if it shows that the input is "ready", there is either input waiting, or the socket has been closed. An attempt to read the next input character can distinguish the two cases. Previously, Exim would have sent an OK response which the client would never have see. This could lead to message repetition. This fix should cure that, at least in a lot of common cases. PH/45 Do not advertise STARTTLS in response to HELP unless it would be advertised in response to EHLO. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.83 2007/06/08 13:11:56 wiz Exp $ d25 1 a25 1 BUILD_DEFS+= EXIM_USER EXIM_GROUP EXIM_DB EXIM_MAX_INCLUDE_SIZE d30 3 @ 1.83 log @PKGREVISION bump for db4 shlib name change. Noted by OBATA Akio. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.82 2007/05/18 14:24:11 abs Exp $ d3 1 a3 2 DISTNAME= exim-4.66 PKGREVISION= 1 @ 1.82 log @add exim-auth-dovecot and EXIM_MAX_INCLUDE_SIZE. both disabled by default @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.81 2007/01/10 12:54:36 abs Exp $ d4 1 @ 1.81 log @Update mail/exim from 4.63 to 4.66 Exim version 4.66 ----------------- PH/01 Two more bugs that were introduced by 4.64/PH/07, in addition to the one fixed by 4.65/MH/01 (is this a record?) are fixed: (i) An empty string was always treated as zero by the numeric comparison operators. This behaviour has been restored. (ii) It is documented that the numeric comparison operators always treat their arguments as decimal numbers. This was broken in that numbers starting with 0 were being interpreted as octal. While fixing these problems I realized that there was another issue that hadn't been noticed. Values of message_size_limit (both the global option and the transport option) were treated as octal if they started with 0. The documentation was vague. These values are now always treated as decimal, and I will make that clear in the documentation. Exim version 4.65 ----------------- TK/01 Disable default definition of HAVE_LINUX_SENDFILE. Clashes with Linux large file support (_FILE_OFFSET_BITS=64) on older glibc versions. (#438) MH/01 Don't check that the operands of numeric comparison operators are integers when their expansion is in "skipping" mode (fixes bug introduced by 4.64-PH/07). PH/01 If a system filter or a router generates more than SHRT_MAX (32767) child addresses, Exim now panics and dies. Previously, because the count is held in a short int, deliveries were likely to be lost. As such a large number of recipients for a single message is ridiculous (performance will be very, very poor), I have chosen to impose a limit rather than extend the field. Exim version 4.64 ----------------- TK/01 Bugzilla #401. Fix DK spooling code so that it can overwrite a leftover -K file (the existence of which was triggered by #402). While we were at it, introduced process PID as part of the -K filename. This should rule out race conditions when creating these files. TK/02 Bugzilla #402. Apply patch from Simon Arlott, speeding up DK signing processing considerably. Previous code took too long for large mails, triggering a timeout which in turn triggers #401. TK/03 Introduced HAVE_LINUX_SENDFILE to os.h-Linux. Currently only used in the DK code in transports.c. sendfile() is not really portable, hence the _LINUX specificness. TF/01 In the add_headers option to the mail command in an Exim filter, there was a bug that Exim would claim a syntax error in any header after the first one which had an odd number of characters in the field name. PH/01 If a server that rejects MAIL FROM:<> was the target of a sender callout verification, Exim cached a "reject" for the entire domain. This is correct for most verifications, but it is not correct for a recipient verification with use_sender or use_postmaster set, because in that case the callout does not use MAIL FROM:<>. Exim now distinguishes the special case of MAIL FROM:<> rejection from other early rejections (e.g. rejection of HELO). When verifying a recipient using a non-null MAIL address, the cache is ignored if it shows MAIL FROM:<> rejection. Whatever the result of the callout, the value of the domain cache is left unchanged (for any other kind of callout, getting as far as trying RCPT means that the domain itself is ok). PH/02 Tidied a number of unused variable and signed/unsigned warnings that gcc 4.1.1 threw up. PH/03 On Solaris, an unexpectedly close socket (dropped connection) can manifest itself as EPIPE rather than ECONNECT. When tidying away a session, the daemon ignores ECONNECT errors and logs others; it now ignores EPIPE as well. PH/04 Applied Nico Erfurth's refactoring patch to tidy up mime.c (quoted-printable decoding). PH/05 Applied Nico Erfurth's refactoring patch to tidy up spool_mbox.c, and later the small subsequent patch to fix an introduced bug. PH/06 Installed the latest Cygwin Makefile from the Cygwin maintainer. PH/07 There was no check for overflow in expansions such as ${if >{1}{4096M}}. PH/08 An error is now given if message_size_limit is specified negative. PH/09 Applied and tidied up Jakob Hirsch's patch for allowing ACL variables to be given (somewhat) arbitrary names. JJ/01 exipick 20060919.0, allow for arbitrary acl_ variables introduced in 4.64-PH/09. JJ/02 exipick 20060919.0, --show-vars args can now be regular expressions, miscellaneous code fixes PH/10 Added the log_reject_target ACL modifier to specify where to log rejections. PH/11 Callouts were setting the name used for EHLO/HELO from $smtp_active_ hostname. This is wrong, because it relates to the incoming message (and probably the interface on which it is arriving) and not to the outgoing callout (which could be using a different interface). This has been changed to use the value of the helo_data option from the smtp transport instead - this is what is used when a message is actually being sent. If there is no remote transport (possible with a router that sets up host addresses), $smtp_active_hostname is used. PH/12 Installed Andrey Panin's patch to add a dovecot authenticator. Various tweaks were necessary in order to get it to work (see also 21 below): (a) The code assumed that strncpy() returns a negative number on buffer overflow, which isn't the case. Replaced with Exim's string_format() function. (b) There were several signed/unsigned issues. I just did the minimum hacking in of casts. There is scope for a larger refactoring. (c) The code used strcasecmp() which is not a standard C function. Replaced with Exim's strcmpic() function. (d) The code set only $1; it now sets $auth1 as well. (e) A simple test gave the error "authentication client didn't specify service in request". It would seem that Dovecot has changed its interface. Fortunately there's a specification; I followed it and changed what the client sends and it appears to be working now. PH/13 Added $message_headers_raw to provide the headers without RFC 2047 decoding. PH/14 Corrected misleading output from -bv when -v was also used. Suppose the address A is aliased to B and C, where B exists and C does not. Without -v the output is "A verified" because verification stops after a successful redirection if more than one address is generated. However, with -v the child addresses are also verified. Exim was outputting "A failed to verify" and then showing the successful verification for C, with its parentage. It now outputs "B failed to verify", showing B's parentage before showing the successful verification of C. PH/15 Applied Michael Deutschmann's patch to allow DNS black list processing to look up a TXT record in a specific list after matching in a combined list. PH/16 It seems that the options setting for the resolver (RES_DEFNAMES and RES_DNSRCH) can affect the behaviour of gethostbyname() and friends when they consult the DNS. I had assumed they would set it the way they wanted; and indeed my experiments on Linux seem to show that in some cases they do (I could influence IPv6 lookups but not IPv4 lookups). To be on the safe side, however, I have now made the interface to host_find_byname() similar to host_find_bydns(), with an argument containing the DNS resolver options. The host_find_byname() function now sets these options at its start, just as host_find_bydns() does. The smtp transport options dns_qualify_single and dns_search_parents are passed to host_find_byname() when gethostbyname=TRUE in this transport. Other uses of host_find_byname() use the default settings of RES_DEFNAMES (qualify_single) but not RES_DNSRCH (search_parents). PH/17 Applied (a modified version of) Nico Erfurth's patch to make spool_read_header() do less string testing, by means of a preliminary switch on the second character of optional "-foo" lines. (This is overdue, caused by the large number of possibilities that now exist. Originally there were few.) While I was there, I also converted the str(n)cmp tests so they don't re-test the leading "-" and the first character, in the hope this might squeeze out yet more improvement. PH/18 Two problems with "group" syntax in header lines when verifying: (1) The flag allowing group syntax was set by the header_syntax check but not turned off, possible causing trouble later; (2) The flag was not being set at all for the header_verify test, causing "group"-style headers to be rejected. I have now set it in this case, and also caused header_ verify to ignore an empty address taken from a group. While doing this, I came across some other cases where the code for allowing group syntax while scanning a header line wasn't quite right (mostly, not resetting the flag correctly in the right place). These bugs could have caused trouble for malformed header lines. I hope it is now all correct. PH/19 The functions {pwcheck,saslauthd}_verify_password() are always called with the "reply" argument non-NULL. The code, however (which originally came from elsewhere) had *some* tests for NULL when it wrote to *reply, but it didn't always do it. This confused somebody who was copying the code for some other use. I have removed all the tests. PH/20 It was discovered that the GnuTLS code had support for RSA_EXPORT, a feature that was used to support insecure browsers during the U.S. crypto embargo. It requires special client support, and Exim is probably the only MTA that supported it -- and would never use it because real RSA is always available. This code has been removed, because it had the bad effect of slowing Exim down by computing (never used) parameters for the RSA_EXPORT functionality. PH/21 On the advice of Timo Sirainen, added a check to the dovecot authenticator to fail if there's a tab character in the incoming data (there should never be unless someone is messing about, as it's supposed to be base64-encoded). Also added, on Timo's advice, the "secured" option if the connection is using TLS or if the remote IP is the same as the local IP, and the "valid-client-cert option" if a client certificate has been verified. PH/22 As suggested by Dennis Davis, added a server_condition option to *all* authenticators. This can be used for authorization after authentication succeeds. (In the case of plaintext, it servers for both authentication and authorization.) PH/23 Testing for tls_required and lost_connection in a retry rule didn't work if any retry times were supplied. PH/24 Exim crashed if verify=helo was activated during an incoming -bs connection, where there is no client IP address to check. In this situation, the verify now always succeeds. PH/25 Applied John Jetmore's -Mset patch. PH/26 Added -bem to be like -Mset, but loading a message from a file. PH/27 In a string expansion for a processed (not raw) header when multiple headers of the same name were present, leading whitespace was being removed from all of them, but trailing whitespace was being removed only from the last one. Now trailing whitespace is removed from each header before concatenation. Completely empty headers in a concatenation (as before) are ignored. PH/28 Fixed bug in backwards-compatibility feature of PH/09 (thanks to John Jetmore). It would have mis-read ACL variables from pre-4.61 spool files. PH/29 [Removed. This was a change that I later backed out, and forgot to correct the ChangeLog entry (that I had efficiently created) before committing the later change.] PH/30 Exim was sometimes attempting to deliver messages that had suffered address errors (4xx response to RCPT) over the same connection as other messages routed to the same hosts. Such deliveries are always "forced", so retry times are not inspected. This resulted in far too many retries for the affected addresses. The effect occurred only when there were more hosts than the hosts_max_try setting in the smtp transport when it had the 4xx errors. Those hosts that it had tried were not added to the list of hosts for which the message was waiting, so if all were tried, there was no problem. Two fixes have been applied: (i) If there are any address or message errors in an SMTP delivery, none of the hosts (tried or untried) are now added to the list of hosts for which the message is waiting, so the message should not be a candidate for sending over the same connection that was used for a successful delivery of some other message. This seems entirely reasonable: after all the message is NOT "waiting for some host". This is so "obvious" that I'm not sure why it wasn't done previously. Hope I haven't missed anything, but it can't do any harm, as the worst effect is to miss an optimization. (ii) If, despite (i), such a delivery is accidentally attempted, the routing retry time is respected, so at least it doesn't keep hammering the server. PH/31 Installed Andrew Findlay's patch to close the writing end of the socket in ${readsocket because some servers need this prod. PH/32 Added some extra debug output when updating a wait-xxx database. PH/33 The hint "could be header name not terminated by colon", which has been given for certain expansion errors for a long time, was not being given for the ${if def:h_colon_omitted{... case. PH/34 The spec says: "With one important exception, whenever a domain list is being scanned, $domain contains the subject domain." There was at least one case where this was not true. PH/35 The error "getsockname() failed: connection reset by peer" was being written to the panic log as well as the main log, but it isn't really panic-worthy as it just means the connection died rather early on. I have removed the panic log writing for the ECONNRESET error when getsockname() fails. PH/36 After a 4xx response to a RCPT error, that address was delayed (in queue runs only) independently of the message's sender address. This meant that, if the 4xx error was in fact related to the sender, a different message to the same recipient with a different sender could confuse things. In particualar, this can happen when sending to a greylisting server, but other circumstances could also provoke similar problems. I have changed the default so that the retry time for these errors is now based a combination of the sender and recipient addresses. This change can be overridden by setting address_retry_include_sender=false in the smtp transport. PH/37 For LMTP over TCP/IP (the smtp transport), error responses from the remote server are returned as part of bounce messages. This was not happening for LMTP over a pipe (the lmtp transport), but now it is the same for both kinds of LMTP. PH/38 Despite being documented as not happening, Exim was rewriting addresses in header lines that were in fact CNAMEs. This is no longer the case. PH/39 If -R or -S was given with -q