On 2016-03-16 Matthew Vernon <mc...@cam.ac.uk> wrote:
> Package: exim4-base
> Version: 4.84.2-1
> Severity: important
> Hi,
> I upgraded my jessie systems to 4.84.2-1 and added an add_environment
> setting thus:
> add_environment = <; PATH=/bin:/usr/bin
> The upstream advisory says:
> "If both options are not used in the configuration, Exim issues a
> warning on startup. This warning disappears if at least one of these
> options is used (even if set to an empty value)."
> Yet:
> root@mws-priv-21:~# /usr/sbin/exim4 -bP | grep environment
> LOG: MAIN
> Warning: purging the environment.
> Suggested action: use keep_environment.
> add_environment = <; PATH=/bin:/usr/bin
> keep_environment =
> This is clearly not the correct behaviour, and I'm getting a lot of
> cron mail :-(
Hello,
exim4 (4.84.2-1)'s says this in
a) debian/changelog
* Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the new
options. Set "keep_environment =" by default to avoid a runtime warning.
Bump exim4-config Breaks to exim4-daemon-* (<< 4.84.2).
[...]
Upstream followups on the CVE fix (Thanks, Heiko Schlittermann!):
[...]
+ Runtime warning is only generated if (and only if) keep_environment
is unset and environment is nonempty.
b) /usr/share/doc/exim4-base/spec.txt.gz
Current versions of Exim issue a warning during startup if you do not mention
keep_environment in your runtime configuration file and if there is
anything in your environment. Future versions may not issue that warning
anymore.
So, this is documented behavior, pulling an enhancement for the issue
from upstream.
cu Andreas
