Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package exim for openSUSE:Factory checked in at 2024-01-03 12:25:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/exim (Old) and /work/SRC/openSUSE:Factory/.exim.new.28375 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "exim" Wed Jan 3 12:25:47 2024 rev:79 rq:1135763 version:4.97.1 Changes: -------- --- /work/SRC/openSUSE:Factory/exim/exim.changes 2023-11-07 21:27:44.854582717 +0100 +++ /work/SRC/openSUSE:Factory/.exim.new.28375/exim.changes 2024-01-03 12:25:50.913363813 +0100 @@ -0,0 +1,7 @@ +------------------------------------------------------------------- +Sat Dec 30 15:35:31 UTC 2023 - Dirk Müller <dmuel...@suse.com> + +- update to 4.97.1 (bsc#1218387, CVE-2023-51766): + * Fixes for the smtp protocol smuggling (CVE-2023-51766) + +------------------------------------------------------------------- Old: ---- exim-4.97.tar.bz2 exim-4.97.tar.bz2.asc New: ---- exim-4.97.1.tar.bz2 exim-4.97.1.tar.bz2.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ exim.spec ++++++ --- /var/tmp/diff_new_pack.bU3lnS/_old 2024-01-03 12:25:51.865398599 +0100 +++ /var/tmp/diff_new_pack.bU3lnS/_new 2024-01-03 12:25:51.865398599 +0100 
@@ -18,66 +18,85 @@ #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} - %define _fillupdir /var/adm/fillup-templates + %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif - %bcond_without mysql %bcond_without pgsql %bcond_without sqlite %bcond_without ldap %bcond_without i18n - %if 0%{?suse_version} > 1199 || 0%{?centos_version} > 599 || 0%{?rhel_version} > 599 %bcond_without dane %else %bcond_with dane %endif - Name: exim +Version: 4.97.1 +Release: 0 +Summary: The Exim Mail Transfer Agent, a Replacement for sendmail +License: GPL-2.0-or-later +Group: Productivity/Networking/Email/Servers +URL: https://www.exim.org/ +Source: https://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.bz2 +Source1: sysconfig.exim +Source2: exim.logrotate +Source3: https://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.bz2.asc +# http://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc +Source4: exim.keyring +Source11: exim.rc +Source12: permissions.exim +Source13: apparmor.usr.sbin.exim +Source30: eximstats-html-update.py +Source31: eximstats.conf +Source32: eximstats.conf-2.2 +Source40: exim.service +Source41: exim_db.8.gz +Patch0: exim-tail.patch +Patch1: gnu_printf.patch BuildRequires: cyrus-sasl-devel BuildRequires: db-devel BuildRequires: libidn-devel -%if 0%{?suse_version} >= 1330 && 0%{?suse_version} < 1599 -BuildRequires: libnsl-devel -%endif BuildRequires: libspf2-devel BuildRequires: pam-devel -%if %{with_ldap} -BuildRequires: openldap2-devel -%endif BuildRequires: pcre2-devel +BuildRequires: pkgconfig BuildRequires: tcpd-devel BuildRequires: pkgconfig(libcrypto) BuildRequires: pkgconfig(libssl) BuildRequires: pkgconfig(xaw7) BuildRequires: pkgconfig(xmu) BuildRequires: pkgconfig(xt) -URL: http://www.exim.org/ Conflicts: postfix Conflicts: sendmail Conflicts: sendmail-tls Provides: smtp_daemon +%if 0%{?suse_version} >= 1330 && 0%{?suse_version} < 1599 +BuildRequires: libnsl-devel +%endif +%if %{with_ldap} +BuildRequires: 
openldap2-devel +%endif %if %{?suse_version:%suse_version}%{?!suse_version:0} > 800 -Requires: logrotate BuildRequires: perl-File-FcntlLock +Requires: logrotate Requires: perl-File-FcntlLock +Requires(pre): %fillup_prereq +Requires(pre): fileutils +Requires(pre): permissions +Requires(pre): textutils %if 0%{?suse_version} > 1220 BuildRequires: pkgconfig(systemd) %{?systemd_requires} %else Requires(pre): %insserv_prereq %endif -Requires(pre): %fillup_prereq permissions %if 0%{?suse_version} >= 1330 BuildRequires: group(mail) BuildRequires: user(mail) -Requires(pre): user(mail) Requires(pre): group(mail) +Requires(pre): user(mail) %endif -Requires(pre): fileutils textutils %endif -Version: 4.97 -Release: 0 %if %{with_mysql} BuildRequires: mysql-devel %endif @@ -87,26 +106,6 @@ %if %{with_sqlite} BuildRequires: sqlite3-devel %endif -Summary: The Exim Mail Transfer Agent, a Replacement for sendmail -License: GPL-2.0-or-later -Group: Productivity/Networking/Email/Servers -BuildRoot: %{_tmppath}/%{name}-%{version}-build -Source: http://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.bz2 -Source3: http://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.bz2.asc -# http://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc -Source4: exim.keyring -Source1: sysconfig.exim -Source2: exim.logrotate -Source11: exim.rc -Source12: permissions.exim -Source13: apparmor.usr.sbin.exim -Source30: eximstats-html-update.py -Source31: eximstats.conf -Source32: eximstats.conf-2.2 -Source40: exim.service -Source41: exim_db.8.gz -Patch0: exim-tail.patch -Patch1: gnu_printf.patch %package -n eximon Summary: Eximon, an graphical frontend to administer Exim's mail queue 
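Review bot: The download URLs for Source and Source3 were moved from http to https in this hunk, but the comment above Source4 that records where exim.keyring originates still reads `# http://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc`. Since that comment is the only provenance note for the keyring used to check the Source3 signature, I would update it to `# https://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc` so the three references agree. The preamble continues into the next hunk.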
@@ -136,13 +135,13 @@ %description -n eximstats-html If this package is installed alongside the exim MTA, and you enable -EXIM_REPORT_WEEKLY_HTML in /etc/sysconfig/exim, logrotate/cron will +EXIM_REPORT_WEEKLY_HTML in %{_sysconfdir}/sysconfig/exim, logrotate/cron will create HTML reports in /srv/www/eximstats. -You can edit /etc/apache2/conf.d/eximstats.conf to configure your +You can edit %{_sysconfdir}/apache2/conf.d/eximstats.conf to configure your webserver for the reports. -The script /usr/sbin/eximstats-html-update.py can create the reports +The script %{_sbindir}/eximstats-html-update.py can create the reports for log files that were rotated in the past. (You would only run this once, if at all. The rest is done by logrotate / cron.) @@ -160,11 +159,11 @@ %endif cat <<-EOF > Local/Makefile # see src/EDITME for comments. - BIN_DIRECTORY=/usr/sbin - CONFIGURE_FILE=/etc/exim/exim.conf + BIN_DIRECTORY=%{_sbindir} + CONFIGURE_FILE=%{_sysconfdir}/exim/exim.conf EXIM_USER=ref:mail EXIM_GROUP=ref:mail - SPOOL_DIRECTORY=/var/spool/exim + SPOOL_DIRECTORY=%{_localstatedir}/spool/exim ROUTER_ACCEPT=yes ROUTER_DNSLOOKUP=yes ROUTER_IPLITERAL=yes @@ -206,21 +205,21 @@ # LOOKUP_NISPLUS=yes LOOKUP_PASSWD=yes # LOOKUP_WHOSON=yes - CYRUS_SASLAUTHD_SOCKET=/var/run/sasl2/mux + CYRUS_SASLAUTHD_SOCKET=%{_localstatedir}/run/sasl2/mux %if %{with_ldap} LDAP_LIB_TYPE=OPENLDAP2 LOOKUP_LIBS+=-llber -lldap %endif %if %{with_mysql} - LOOKUP_INCLUDE+=-I /usr/include/mysql + LOOKUP_INCLUDE+=-I %{_includedir}/mysql LOOKUP_LIBS+=-L %{_libdir}/mysql -lmysqlclient %endif %if %{with_pgsql} - LOOKUP_INCLUDE+=-I /usr/include/pgsql + LOOKUP_INCLUDE+=-I %{_includedir}/pgsql LOOKUP_LIBS+=-lpq %endif %if %{with_sqlite} - LOOKUP_INCLUDE+=-I /usr/include/sqlite3 + LOOKUP_INCLUDE+=-I %{_includedir}/sqlite3 LOOKUP_LIBS+=-lsqlite3 %endif EXIM_MONITOR=eximon.bin 
@@ -236,24 +235,24 @@ USE_OPENSSL=yes TLS_LIBS=-lssl -lcrypto INFO_DIRECTORY=%{_infodir} - LOG_FILE_PATH=/var/log/exim/%%s.log + LOG_FILE_PATH=%{_localstatedir}/log/exim/%%s.log EXICYCLOG_MAX=10 SYSLOG_LOG_PID=yes SYSLOG_LONG_LINES=yes COMPRESS_COMMAND=/bin/gzip COMPRESS_SUFFIX=gz - ZCAT_COMMAND=/usr/bin/zcat + ZCAT_COMMAND=%{_bindir}/zcat SUPPORT_PAM=yes # You probably need to add -lpam to EXTRALIBS - # RADIUS_CONFIG_FILE=/etc/radiusclient/radiusclient.conf - # CYRUS_PWCHECK_SOCKET=/var/pwcheck/pwcheck + # RADIUS_CONFIG_FILE=%{_sysconfdir}/radiusclient/radiusclient.conf + # CYRUS_PWCHECK_SOCKET=%{_localstatedir}/pwcheck/pwcheck # USE_TCP_WRAPPERS=yes NO_SYMLINK=yes CHOWN_COMMAND=/bin/chown CHGRP_COMMAND=/bin/chgrp MV_COMMAND=/bin/mv RM_COMMAND=/bin/rm - PERL_COMMAND=/usr/bin/perl + PERL_COMMAND=%{_bindir}/perl # APPENDFILE_MODE=0600 # APPENDFILE_DIRECTORY_MODE=0700 # APPENDFILE_LOCKFILE_MODE=0600 @@ -275,7 +274,7 @@ # PERL_CC= # PERL_CCOPTS= # PERL_LIBS= - PID_FILE_PATH=/var/run/exim.pid + PID_FILE_PATH=%{_localstatedir}/run/exim.pid # SPOOL_DIRECTORY_MODE=0750 # SPOOL_MODE=0640 SUPPORT_MOVE_FROZEN_MESSAGES=yes @@ -289,7 +288,7 @@ EXPERIMENTAL_PROXY=yes EXPERIMENTAL_CERTNAMES=yes EXPERIMENTAL_DSN=yes - SYSTEM_ALIASES_FILE=/etc/aliases + SYSTEM_ALIASES_FILE=%{_sysconfdir}/aliases # enable SRS SUPPORT_SRS=yes %if %{with dane} 
@@ -300,73 +299,73 @@ EXPERIMENTAL_INTERNATIONAL=yes %endif LDFLAGS += -lidn - CFLAGS=$RPM_OPT_FLAGS -std=gnu99 -Wall $CFLAGS_OPT_WERROR -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLDAP_DEPRECATED $fPIE + CFLAGS=%{optflags} -std=gnu99 -Wall $CFLAGS_OPT_WERROR -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLDAP_DEPRECATED $fPIE EXTRALIBS=-ldl -lpam -L/usr/X11R6/%{_lib} $pie EOF touch Local/eximon.conf rm -f doc/*.{orig,txt~} %build -make +%make_build %install %if 0%{?suse_version} > 1220 -mkdir -p $RPM_BUILD_ROOT/%{_unitdir} +mkdir -p %{buildroot}/%{_unitdir} %else -mkdir -p $RPM_BUILD_ROOT/etc/init.d +mkdir -p %{buildroot}%{_initddir} %endif %if 0%{?suse_version} > 1500 -mkdir -p $RPM_BUILD_ROOT%{_distconfdir}/logrotate.d +mkdir -p %{buildroot}%{_distconfdir}/logrotate.d %else -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d +mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d %endif -mkdir -p $RPM_BUILD_ROOT/usr/{bin,sbin,lib} -mkdir -p $RPM_BUILD_ROOT/var/log/exim -mkdir -p $RPM_BUILD_ROOT/var/spool/mail/ -ln -s spool/mail $RPM_BUILD_ROOT/var -mkdir -p $RPM_BUILD_ROOT%{_fillupdir} -mkdir -p $RPM_BUILD_ROOT%{_mandir}/man8 -mkdir -p $RPM_BUILD_ROOT/usr/bin -make inst_dest=$RPM_BUILD_ROOT/usr/sbin \ - inst_conf=$RPM_BUILD_ROOT/etc/exim/exim.conf \ - inst_info=$RPM_BUILD_ROOT/%{_infodir} \ +mkdir -p %{buildroot}%{_prefix}/{bin,sbin,lib} +mkdir -p %{buildroot}%{_localstatedir}/log/exim +mkdir -p %{buildroot}%{_localstatedir}/spool/mail/ +ln -s spool/mail %{buildroot}%{_localstatedir} +mkdir -p %{buildroot}%{_fillupdir} +mkdir -p %{buildroot}%{_mandir}/man8 +mkdir -p %{buildroot}%{_bindir} +make inst_dest=%{buildroot}%{_sbindir} \ + inst_conf=%{buildroot}%{_sysconfdir}/exim/exim.conf \ + inst_info=%{buildroot}/%{_infodir} \ INSTALL_ARG=-no_chown install #mv $RPM_BUILD_ROOT/usr/sbin/exim-%{version}* $RPM_BUILD_ROOT/usr/sbin/exim -mv $RPM_BUILD_ROOT/usr/sbin/exim-4.9* $RPM_BUILD_ROOT/usr/sbin/exim -mv 
$RPM_BUILD_ROOT/etc/exim/exim.conf src/configure.default # with all substitutions done +mv %{buildroot}%{_sbindir}/exim-4.9* %{buildroot}%{_sbindir}/exim +mv %{buildroot}%{_sysconfdir}/exim/exim.conf src/configure.default # with all substitutions done %if 0%{?suse_version} > 1220 -install -m 0644 %{S:40} $RPM_BUILD_ROOT/%{_unitdir}/exim.service +install -m 0644 %{SOURCE40} %{buildroot}/%{_unitdir}/exim.service %else -install -m 0755 %{S:11} $RPM_BUILD_ROOT/etc/init.d/exim +install -m 0755 %{SOURCE11} %{buildroot}%{_initddir}/exim %endif # aka... for i in \ - /usr/lib/sendmail \ - /usr/bin/runq \ - /usr/bin/rsmtp \ - /usr/bin/mailq \ - /usr/bin/newaliases + %{_prefix}/lib/sendmail \ + %{_bindir}/runq \ + %{_bindir}/rsmtp \ + %{_bindir}/mailq \ + %{_bindir}/newaliases do ln -sf ../sbin/exim $RPM_BUILD_ROOT$i done -ln -sf exim $RPM_BUILD_ROOT/usr/sbin/sendmail +ln -sf exim %{buildroot}%{_sbindir}/sendmail %if 0%{?suse_version} > 1220 -ln -sv service $RPM_BUILD_ROOT/usr/sbin/rcexim +ln -sv service %{buildroot}%{_sbindir}/rcexim %else -ln -sv ../../etc/init.d/exim $RPM_BUILD_ROOT/usr/sbin/rcexim +ln -sv ../..%{_initddir}/exim %{buildroot}%{_sbindir}/rcexim %endif -mv $RPM_BUILD_ROOT/usr/sbin/eximon* $RPM_BUILD_ROOT/usr/bin/ -cp -p %{S:1} $RPM_BUILD_ROOT%{_fillupdir}/sysconfig.exim +mv %{buildroot}%{_sbindir}/eximon* %{buildroot}%{_bindir}/ +cp -p %{SOURCE1} %{buildroot}%{_fillupdir}/sysconfig.exim %if 0%{?suse_version} > 1500 -install -m 0644 %{S:2} $RPM_BUILD_ROOT%{_distconfdir}/logrotate.d/exim +install -m 0644 %{SOURCE2} %{buildroot}%{_distconfdir}/logrotate.d/exim %else -install -m 0644 %{S:2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/exim +install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/logrotate.d/exim %endif # man pages -mv doc/exim.8 $RPM_BUILD_ROOT/%{_mandir}/man8/ -cp $RPM_SOURCE_DIR/exim_db.8.gz $RPM_BUILD_ROOT/%{_mandir}/man8 -gunzip $RPM_BUILD_ROOT/%{_mandir}/man8/exim_db.8.gz -pod2man --center=EXIM --section=8 $RPM_BUILD_ROOT/usr/sbin/eximstats > 
$RPM_BUILD_ROOT/%{_mandir}/man8/eximstats.8 +mv doc/exim.8 %{buildroot}/%{_mandir}/man8/ +cp $RPM_SOURCE_DIR/exim_db.8.gz %{buildroot}/%{_mandir}/man8 +gunzip %{buildroot}/%{_mandir}/man8/exim_db.8.gz +pod2man --center=EXIM --section=8 %{buildroot}%{_sbindir}/eximstats > %{buildroot}/%{_mandir}/man8/eximstats.8 for i in \ sendmail \ runq \ 
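Review bot: The symlink loop still expands `$RPM_BUILD_ROOT$i` while the path list it iterates was converted to `%{_prefix}/lib/sendmail` and `%{_bindir}/...`, so one statement now mixes both spellings of the build root; `ln -sf ../sbin/exim %{buildroot}$i` would finish the conversion. The same hunk keeps `cp $RPM_SOURCE_DIR/exim_db.8.gz ...` although that file is declared as Source41 in the header hunk, so `cp %{SOURCE41} %{buildroot}/%{_mandir}/man8` would match the `%{SOURCE40}`/`%{SOURCE11}` style used a few lines above. The @@ -374 hunk has the same pattern with `$RPM_SOURCE_DIR/eximstats-html-update.py` (Source30) and `$RPM_SOURCE_DIR/apparmor.usr.sbin.exim` (Source13). The %install section continues past the end of this hunk.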
@@ -374,32 +373,32 @@ mailq \ newaliases do - ln -sf exim.8.gz $RPM_BUILD_ROOT/%{_mandir}/man8/$i.8.gz + ln -sf exim.8.gz %{buildroot}/%{_mandir}/man8/$i.8.gz done for i in \ exim_dumpdb \ exim_fixdb \ exim_tidydb do - ln -sf exim_db.8.gz $RPM_BUILD_ROOT/%{_mandir}/man8/$i.8.gz + ln -sf exim_db.8.gz %{buildroot}/%{_mandir}/man8/$i.8.gz done -perl -pi -e 's%/usr/share/doc/exim4%/usr/share/doc/packages/exim%g' `find $RPM_BUILD_ROOT/%{_mandir}/man8 -name "*.8"` +sed -i -e 's,%{_datadir}/doc/exim4,%{_docdir}/exim,g' $(find %{buildroot}/%{_mandir}/man8 -name "*.8") gzip -9 doc/*.txt # # package the utilities without executable permissions, to silence rpmlint warnings chmod 644 util/*.{pl,sh} src/convert4r* # # eximstats-html files -mkdir -p $RPM_BUILD_ROOT/srv/www/eximstats -mkdir -p $RPM_BUILD_ROOT/etc/apache2/conf.d/ +mkdir -p %{buildroot}/srv/www/eximstats +mkdir -p %{buildroot}%{_sysconfdir}/apache2/conf.d/ %if 0%{?suse_version} == 0 || 0%{?suse_version} > 1310 - cp -p %{S:31} $RPM_BUILD_ROOT/etc/apache2/conf.d/ + cp -p %{SOURCE31} %{buildroot}%{_sysconfdir}/apache2/conf.d/ %else - cp -p %{S:32} $RPM_BUILD_ROOT/etc/apache2/conf.d/eximstats.conf + cp -p %{SOURCE32} %{buildroot}%{_sysconfdir}/apache2/conf.d/eximstats.conf %endif -install -m 0755 $RPM_SOURCE_DIR/eximstats-html-update.py $RPM_BUILD_ROOT/%{_sbindir} +install -m 0755 $RPM_SOURCE_DIR/eximstats-html-update.py %{buildroot}/%{_sbindir} # apparmor profile -install -D -m 0644 $RPM_SOURCE_DIR/apparmor.usr.sbin.exim $RPM_BUILD_ROOT/usr/share/apparmor/extra-profiles/usr.sbin.exim +install -D -m 0644 $RPM_SOURCE_DIR/apparmor.usr.sbin.exim %{buildroot}%{_datadir}/apparmor/extra-profiles/usr.sbin.exim %pretrans -p <lua> docdir = rpm.expand('%{_docdir}') 
@@ -441,26 +440,25 @@ %if 0%{?suse_version} < 1131 %run_permissions %else -%set_permissions /usr/sbin/exim +%set_permissions %{_sbindir}/exim %endif if ! test -s etc/exim/exim.conf; then if test -s etc/exim.conf; then mv etc/exim.conf etc/exim/ - echo moving exim.conf to /etc/exim/ + echo moving exim.conf to %{_sysconfdir}/exim/ else cp -p usr/share/doc/packages/%{name}/configure.default etc/exim/exim.conf - echo copying default config file to /etc/exim/exim.conf + echo copying default config file to %{_sysconfdir}/exim/exim.conf fi fi %if 0%{?suse_version} > 1220 -%{fillup_only} +%fillup_only %service_add_post exim.service %else %{fillup_and_insserv exim} %endif exit 0 %if %{?suse_version:1}%{?!suse_version:0} - %preun %if 0%{?suse_version} > 1220 %service_del_preun exim.service @@ -480,32 +478,32 @@ %endif %verifyscript -%verify_permissions -e /usr/sbin/exim +%verify_permissions -e %{_sbindir}/exim %files -%defattr(-,root,root) %ghost %{_docdir}/%{name}/doc/cve-2019-13917.rpmmoved -%doc ACKNOWLEDGMENTS CHANGES LICENCE NOTICE README.UPDATING README +%license LICENCE +%doc ACKNOWLEDGMENTS CHANGES NOTICE README.UPDATING README %doc doc %doc src/configure.default %doc build-Linux-*/convert4r{3,4} %doc util -%doc %{_mandir}/man8/* -/usr/sbin/exicyclog -/usr/sbin/exigrep -/usr/sbin/exiqgrep -%verify(not mode) %attr(4755,root,root) /usr/sbin/exim -/usr/sbin/exim_* -/usr/sbin/eximstats -/usr/sbin/exinext -/usr/sbin/exipick -/usr/sbin/exiqsumm -/usr/sbin/exiwhat -%dir /etc/exim +%{_mandir}/man8/* +%{_sbindir}/exicyclog +%{_sbindir}/exigrep +%{_sbindir}/exiqgrep +%verify(not mode) %attr(4755,root,root) %{_sbindir}/exim +%{_sbindir}/exim_* +%{_sbindir}/eximstats +%{_sbindir}/exinext +%{_sbindir}/exipick +%{_sbindir}/exiqsumm +%{_sbindir}/exiwhat +%dir %{_sysconfdir}/exim %if 0%{?suse_version} > 1220 %{_unitdir}/exim.service %else -%config /etc/init.d/exim +%config %{_initddir}/exim %endif %if 0%{?suse_version} > 1500 %{_distconfdir}/logrotate.d/exim 
@@ -513,33 +511,31 @@ %config(noreplace) %{_sysconfdir}/logrotate.d/exim %endif %if %{?suse_version:%suse_version}%{?!suse_version:99999} < 1000 -%config(noreplace) /etc/permissions.d/exim +%config(noreplace) %{_sysconfdir}/permissions.d/exim %endif -%dir /usr/share/apparmor -%dir /usr/share/apparmor/extra-profiles -%config(noreplace) /usr/share/apparmor/extra-profiles/usr.sbin.exim -/usr/sbin/rcexim -/usr/bin/mailq -/usr/bin/runq -/usr/bin/rsmtp -/usr/bin/newaliases -/usr/sbin/sendmail -/usr/lib/sendmail +%dir %{_datadir}/apparmor +%dir %{_datadir}/apparmor/extra-profiles +%config(noreplace) %{_datadir}/apparmor/extra-profiles/usr.sbin.exim +%{_sbindir}/rcexim +%{_bindir}/mailq +%{_bindir}/runq +%{_bindir}/rsmtp +%{_bindir}/newaliases +%{_sbindir}/sendmail +%{_prefix}/lib/sendmail %{_fillupdir}/sysconfig.exim -%dir %attr(750,mail,mail) /var/log/exim -%dir %attr(1777,root,root) /var/spool/mail -/var/mail +%dir %attr(750,mail,mail) %{_localstatedir}/log/exim +%dir %attr(1777,root,root) %{_localstatedir}/spool/mail +%{_localstatedir}/mail %files -n eximon -%defattr(-,root,root) -/usr/bin/eximon -/usr/bin/eximon.bin +%{_bindir}/eximon +%{_bindir}/eximon.bin %files -n eximstats-html -%defattr(-,root,root) %attr(0750,root,www) /srv/www/eximstats -%dir /etc/apache2 -%dir /etc/apache2/conf.d -%config /etc/apache2/conf.d/eximstats.conf +%dir %{_sysconfdir}/apache2 +%dir %{_sysconfdir}/apache2/conf.d +%config %{_sysconfdir}/apache2/conf.d/eximstats.conf %{_sbindir}/eximstats-html-update.py ++++++ exim-4.97.tar.bz2 -> exim-4.97.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/exim-4.97/doc/ChangeLog new/exim-4.97.1/doc/ChangeLog --- old/exim-4.97/doc/ChangeLog 2023-11-04 13:55:49.000000000 +0100 +++ new/exim-4.97.1/doc/ChangeLog 2023-12-25 19:42:52.000000000 +0100 
@@ -2,6 +2,15 @@
 affect Exim's operation, with an unchanged configuration file. For new
 options, and new features, see the NewStuff file next to this ChangeLog.
+Since Exim version 4.97
+-----------------------
+
+JH/s1 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in
+ LF-only mode (as detected from the first header line). Previously we did
+ accept that in (normal) CRLF mode; this has been raised as a possible
+ attack scenario (under the name "smtp smuggling", CVE-2023-51766).
+
+
 Exim version 4.97
 -----------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/exim-4.97/doc/cve-2023-51766 new/exim-4.97.1/doc/cve-2023-51766
--- old/exim-4.97/doc/cve-2023-51766 1970-01-01 01:00:00.000000000 +0100
+++ new/exim-4.97.1/doc/cve-2023-51766 2023-12-25 19:42:52.000000000 +0100
@@ -0,0 +1,69 @@ +CVE ID: CVE-2023-51766 +Date: 2016-12-15 +Credits: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ +Version(s): all up to 4.97 inclusive +Issue: Given a buggy relay, Exim can be induced to accept a second message embedded + as part of the body of a first message + +Conditions +========== + +If *all* the following conditions are met + + Runtime options + --------------- + + * Exim offers PIPELINING on incoming connections + + * Exim offers CHUNKING on incoming connections + + Operation + --------- + + * DATA (as opposed to BDAT) is used for a message reception + + * The relay host sends to the Exim MTA message data including + one of "LF . LF" or "CR LF . LF" or "LF . CR LF". + + * Exim interprets the sequence as signalling the end of data for + the SMTP DATA command, and hence a first message. + + * Exim interprets further input which the relay had as message body + data, as SMTP commands and data. This could include a MAIL, RCPT, + BDAT (etc) sequence, resulting in a further message acceptance. + +Impact +====== + +One or more messages can be accepted by Exim that have not been +properly validated by the buggy relay. + +Fix +=== + +Install a fixed Exim version: + + 4.98 (once available) + 4.97.1 + +If you can't install one of the above versions, ask your package +maintainer for a version containing the backported fix. On request and +depending on our resources we will support you in backporting the fix. +(Please note, that Exim project officially doesn't support versions +prior the current stable version.) + + +Workaround +========== + + Disable CHUNKING advertisement for incoming connections. + + An attempt to "smuggle" a DATA command will trip a syncronisation + check. + +*or* + + Disable PIPELINING advertisement for incoming connections. + + The "smuggled" MAIL FROM command will then trip a syncronisation + check. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/exim-4.97/doc/filter.txt new/exim-4.97.1/doc/filter.txt --- old/exim-4.97/doc/filter.txt 2023-11-04 14:02:13.000000000 +0100 +++ new/exim-4.97.1/doc/filter.txt 2023-12-25 19:54:28.000000000 +0100 @@ -4,7 +4,7 @@ Copyright (c) 2023 The Exim Maintainers -Revision 4.97 04 Nov 2023 PH +Revision 4.97.1 25 Dec 2023 PH ------------------------------------------------------------------------------- @@ -72,7 +72,7 @@ This document describes the user interfaces to Exim's in-built mail filtering facilities, and is copyright (c) The Exim Maintainers 2023. It corresponds to -Exim version 4.97. +Exim version 4.97.1. 1.1 Introduction diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/exim-4.97/doc/spec.txt new/exim-4.97.1/doc/spec.txt --- old/exim-4.97/doc/spec.txt 2023-11-04 14:02:13.000000000 +0100 +++ new/exim-4.97.1/doc/spec.txt 2023-12-25 19:54:28.000000000 +0100 @@ -4,7 +4,7 @@ Copyright (c) 2023 The Exim Maintainers -Revision 4.97 04 Nov 2023 EM +Revision 4.97.1 25 Dec 2023 EM ------------------------------------------------------------------------------- @@ -634,7 +634,7 @@ 1.1 Exim documentation ---------------------- -This edition of the Exim specification applies to version 4.97 of Exim. +This edition of the Exim specification applies to version 4.97.1 of Exim. Substantive changes from the 4.96 edition are marked in some renditions of this document; this paragraph is so marked if the rendition is capable of showing a change indicator. @@ -1762,7 +1762,7 @@ Exim is distributed as a gzipped or bzipped tar file which, when unpacked, creates a directory with the name of the current release (for example, -exim-4.97) into which the following files are placed: +exim-4.97.1) into which the following files are placed: ACKNOWLEDGMENTS contains some acknowledgments CHANGES contains a reference to where changes are documented 
@@ -2379,7 +2379,7 @@ For the utility programs, old versions are renamed by adding the suffix .O to their names. The Exim binary itself, however, is handled differently. It is installed under a name that includes the version number and the compile number, -for example, exim-4.97-1. The script then arranges for a symbolic link called +for example, exim-4.97.1-1. The script then arranges for a symbolic link called exim to point to the binary. If you are updating a previous version of Exim, the script takes care to ensure that the name exim is never absent from the directory (as seen by other processes). @@ -33667,8 +33667,6 @@ other MTAs, the way Exim handles line endings for all messages is now as follows: - * LF not preceded by CR is treated as a line ending. - * CR is treated as a line ending; if it is immediately followed by LF, the LF is ignored. @@ -33683,7 +33681,10 @@ * If the first header line received in a message ends with CRLF, a subsequent bare LF in a header line is treated in the same way as a bare CR in a - header line. + header line and a bare LF in a body line is replaced with a space. + + * If the first header line received in a message does not end with CRLF, a + subsequent LF not preceded by CR is treated as a line ending. 48.3 Unqualified addresses diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/exim-4.97/src/receive.c new/exim-4.97.1/src/receive.c --- old/exim-4.97/src/receive.c 2023-11-04 13:55:49.000000000 +0100 +++ new/exim-4.97.1/src/receive.c 2023-12-25 19:42:52.000000000 +0100 
@@ -829,100 +829,114 @@ well, so that there are no CRs in spooled messages. However, the message terminating dot is not recognized between two bare CRs. +Dec 2023: getting a site to send a body including an "LF . LF" sequence +followed by SMTP commands is a possible "smtp smuggling" attack. If +the first (header) line for the message has a proper CRLF then enforce +that for the body: convert bare LF to a space. + Arguments: - fout a FILE to which to write the message; NULL if skipping + fout a FILE to which to write the message; NULL if skipping + strict_crlf require full CRLF sequence as a line ending Returns: One of the END_xxx values indicating why it stopped reading */ static int -read_message_data_smtp(FILE *fout) +read_message_data_smtp(FILE * fout, BOOL strict_crlf) { -int ch_state = 0; -int ch; -int linelength = 0; +enum { s_linestart, s_normal, s_had_cr, s_had_nl_dot, s_had_dot_cr } ch_state = + s_linestart; +int linelength = 0, ch; while ((ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF) { if (ch == 0) body_zerocount++; switch (ch_state) { - case 0: /* After LF or CRLF */ - if (ch == '.') - { - ch_state = 3; - continue; /* Don't ever write . after LF */ - } - ch_state = 1; + case s_linestart: /* After LF or CRLF */ + if (ch == '.') + { + ch_state = s_had_nl_dot; + continue; /* Don't ever write . after LF */ + } + ch_state = s_normal; - /* Else fall through to handle as normal uschar. */ + /* Else fall through to handle as normal uschar. 
*/ - case 1: /* Normal state */ - if (ch == '\n') - { - ch_state = 0; - body_linecount++; + case s_normal: /* Normal state */ + if (ch == '\r') + { + ch_state = s_had_cr; + continue; /* Don't write the CR */ + } + if (ch == '\n') /* Bare LF at end of line */ + if (strict_crlf) + ch = ' '; /* replace LF with space */ + else + { /* treat as line ending */ + ch_state = s_linestart; + body_linecount++; + if (linelength > max_received_linelength) + max_received_linelength = linelength; + linelength = -1; + } + break; + + case s_had_cr: /* After (unwritten) CR */ + body_linecount++; /* Any char ends line */ if (linelength > max_received_linelength) - max_received_linelength = linelength; + max_received_linelength = linelength; linelength = -1; - } - else if (ch == '\r') - { - ch_state = 2; - continue; - } - break; + if (ch == '\n') /* proper CRLF */ + ch_state = s_linestart; + else + { + message_size++; /* convert the dropped CR to a stored NL */ + if (fout && fputc('\n', fout) == EOF) return END_WERROR; + cutthrough_data_put_nl(); + if (ch == '\r') /* CR; do not write */ + continue; + ch_state = s_normal; /* not LF or CR; process as standard */ + } + break; - case 2: /* After (unwritten) CR */ - body_linecount++; - if (linelength > max_received_linelength) - max_received_linelength = linelength; - linelength = -1; - if (ch == '\n') - { - ch_state = 0; - } - else - { - message_size++; - if (fout != NULL && fputc('\n', fout) == EOF) return END_WERROR; - cutthrough_data_put_nl(); - if (ch != '\r') ch_state = 1; else continue; - } - break; + case s_had_nl_dot: /* After [CR] LF . */ + if (ch == '\n') /* [CR] LF . LF */ + if (strict_crlf) + ch = ' '; /* replace LF with space */ + else + return END_DOT; + else if (ch == '\r') /* [CR] LF . CR */ + { + ch_state = s_had_dot_cr; + continue; /* Don't write the CR */ + } + /* The dot was removed on reaching s_had_nl_dot. For a doubled dot, here, + reinstate it to cutthrough. 
The current ch, dot or not, is passed both to + cutthrough and to file below. */ + else if (ch == '.') + { + uschar c = ch; + cutthrough_data_puts(&c, 1); + } + ch_state = s_normal; + break; - case 3: /* After [CR] LF . */ - if (ch == '\n') - return END_DOT; - if (ch == '\r') - { - ch_state = 4; - continue; - } - /* The dot was removed at state 3. For a doubled dot, here, reinstate - it to cutthrough. The current ch, dot or not, is passed both to cutthrough - and to file below. */ - if (ch == '.') - { - uschar c= ch; - cutthrough_data_puts(&c, 1); - } - ch_state = 1; - break; + case s_had_dot_cr: /* After [CR] LF . CR */ + if (ch == '\n') + return END_DOT; /* Preferred termination */ - case 4: /* After [CR] LF . CR */ - if (ch == '\n') return END_DOT; - message_size++; - body_linecount++; - if (fout != NULL && fputc('\n', fout) == EOF) return END_WERROR; - cutthrough_data_put_nl(); - if (ch == '\r') - { - ch_state = 2; - continue; - } - ch_state = 1; - break; + message_size++; /* convert the dropped CR to a stored NL */ + body_linecount++; + if (fout && fputc('\n', fout) == EOF) return END_WERROR; + cutthrough_data_put_nl(); + if (ch == '\r') + { + ch_state = s_had_cr; + continue; /* CR; do not write */ + } + ch_state = s_normal; + break; } /* Add the character to the spool file, unless skipping; then loop for the @@ -1138,7 +1152,7 @@ { if (message_ended >= END_NOTENDED) message_ended = chunking_state <= CHUNKING_OFFERED - ? read_message_data_smtp(NULL) + ? read_message_data_smtp(NULL, FALSE) : read_message_bdat_smtp_wire(NULL); } @@ -1960,8 +1974,10 @@ if (ch == '\n') { - if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = FALSE; - else if (first_line_ended_crlf) receive_ungetc(' '); + if (first_line_ended_crlf == TRUE_UNSET) + first_line_ended_crlf = FALSE; + else if (first_line_ended_crlf) + receive_ungetc(' '); goto EOL; } 
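Review bot: The discard path in the @@ -1138 hunk still calls `read_message_data_smtp(NULL, FALSE)`, so when a message is swallowed rather than spooled its body is read with the LF-tolerant rules even if the first header line ended in CRLF, whereas the spool path in the @@ -3230 hunk now passes `first_line_ended_crlf`; in the `s_had_nl_dot` case a non-strict reader returns `END_DOT` on a bare LF, so input after that point would be handled as the next commands rather than as the rest of the discarded body. If the CRLF-mode flag is visible from the swallowing function, `read_message_data_smtp(NULL, first_line_ended_crlf)` keeps both readers consistent; if it is not in scope there, a comment explaining why the relaxed mode is acceptable on the discard path would help the next reader. The new argument is documented only as "require full CRLF sequence as a line ending"; I would state the observable effect instead, `strict_crlf if TRUE a bare LF, also one following a leading dot, is stored as a space and never ends a line or the message`. One-line meanings on the enumerators, e.g. `s_had_nl_dot, /* leading dot after a line start, not yet written */`, would let the enum declaration stand on its own. The function body continues past the end of the hunk (its last context line introduces the per-character write).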
@@ -1970,14 +1986,20 @@ This implements the dot-doubling rule, though header lines starting with dots aren't exactly common. They are legal in RFC 822, though. If the following is CRLF or LF, this is the line that that terminates the + entire message. We set message_ended to indicate this has happened (to prevent further reading), and break out of the loop, having freed the empty header, and set next = NULL to indicate no data line. */ if (f.dot_ends && ptr == 0 && ch == '.') { + /* leading dot while in headers-read mode */ ch = (receive_getc)(GETC_BUFFER_UNLIMITED); - if (ch == '\r') + if (ch == '\n' && first_line_ended_crlf == TRUE /* and not TRUE_UNSET */ ) + /* dot, LF but we are in CRLF mode. Attack? */ + ch = ' '; /* replace the LF with a space */ + + else if (ch == '\r') { ch = (receive_getc)(GETC_BUFFER_UNLIMITED); if (ch != '\n') @@ -2013,7 +2035,8 @@ ch = (receive_getc)(GETC_BUFFER_UNLIMITED); if (ch == '\n') { - if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = TRUE; + if (first_line_ended_crlf == TRUE_UNSET) + first_line_ended_crlf = TRUE; goto EOL; } @@ -3161,7 +3184,7 @@ /* Open a new spool file for the data portion of the message. We need -to access it both via a file descriptor and a stream. Try to make the +to access it both via a file descriptor and a stdio stream. Try to make the directory if it isn't there. */ spool_name = spool_fname(US"input", message_subdir, message_id, US"-D"); 
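Review bot: The comment `/* dot, LF but we are in CRLF mode. Attack? */` leaves the reader guessing what becomes of the line after `ch = ' '`; the dot has already been consumed by the preceding `receive_getc` and the space presumably continues down the ordinary character path outside the hunk, so I would state the intent directly, `/* ". LF" after a CRLF first header line: not an end-of-message marker; the dot is dropped and the LF is stored as a space (CVE-2023-51766) */`. The `== TRUE /* and not TRUE_UNSET */` comparison relies on `first_line_ended_crlf` being three-valued; if its declaration elsewhere in the file is a plain BOOL, a note there about the `TRUE_UNSET` state would prevent a future "simplification" to a truth test. The enclosing header-reading loop starts and ends outside the hunk.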
@@ -3230,7 +3253,7 @@
 if (smtp_input)
 {
 message_ended = chunking_state <= CHUNKING_OFFERED
- ? read_message_data_smtp(spool_data_file)
+ ? read_message_data_smtp(spool_data_file, first_line_ended_crlf)
 : spool_wireformat
 ? read_message_bdat_smtp_wire(spool_data_file)
 : read_message_bdat_smtp(spool_data_file);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/exim-4.97/src/smtp_in.c new/exim-4.97.1/src/smtp_in.c
--- old/exim-4.97/src/smtp_in.c 2023-11-04 13:55:49.000000000 +0100
+++ new/exim-4.97.1/src/smtp_in.c 2023-12-25 19:42:52.000000000 +0100
@@ -5102,12 +5102,12 @@
 }
 if (chunking_state > CHUNKING_OFFERED)
- rc = OK; /* No predata ACL or go-ahead output for BDAT */
+ rc = OK; /* There is no predata ACL or go-ahead output for BDAT */
 else
 {
- /* If there is an ACL, re-check the synchronization afterwards, since the
- ACL may have delayed. To handle cutthrough delivery enforce a dummy call
- to get the DATA command sent. */
+ /* If there is a predata-ACL, re-check the synchronization afterwards,
+ since the ACL may have delayed. To handle cutthrough delivery enforce a
+ dummy call to get the DATA command sent. */
 if (!acl_smtp_predata && cutthrough.cctx.sock < 0)
 rc = OK;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/exim-4.97/src/version.h new/exim-4.97.1/src/version.h
--- old/exim-4.97/src/version.h 2023-11-04 14:02:02.000000000 +0100
+++ new/exim-4.97.1/src/version.h 2023-12-25 19:54:17.000000000 +0100
@@ -1,5 +1,5 @@
 /* automatically generated file - see ../scripts/reversion */
-#define EXIM_RELEASE_VERSION "4.97"
+#define EXIM_RELEASE_VERSION "4.97.1"
 #ifdef EXIM_VARIANT_VERSION
 #define EXIM_VERSION_STR EXIM_RELEASE_VERSION "-" EXIM_VARIANT_VERSION
 #else
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/exim-4.97/src/version.sh new/exim-4.97.1/src/version.sh
--- old/exim-4.97/src/version.sh 2023-11-04 14:02:02.000000000 +0100
+++ new/exim-4.97.1/src/version.sh 2023-12-25 19:54:17.000000000 +0100
@@ -1,3 +1,3 @@
 # automatically generated file - see ../scripts/reversion
-EXIM_RELEASE_VERSION="4.97"
+EXIM_RELEASE_VERSION="4.97.1"
 EXIM_COMPILE_NUMBER="1"