Control: severity -1 important
Control: retitle -1 NEWS doesn't clearly explain config changes needed for CVE-2016-1531

On Wed, 2016-03-16 at 19:39 +0100, Andreas Metzler wrote:
> On 2016-03-16 Ben Hutchings <b...@decadent.org.uk> wrote:
> >
> > Control: severity -1 serious
> > Control: tag -1 moreinfo
> >
> > Upgrading severity. I consider this release-critical because a package
> > should never:
> >
> > 1. Send spurious error messages from its cron job
> > 2. Recommend changing the configuration in a way that would undo a
> >    security fix
>
> Hello,
>
> the situation is this:
>
> * Upstream made a change (cleaning the environment by default) that in
>   their opinion could break existing systems. There is not a magic
>   switch that can be thrown to fix this. The safe default value (empty
>   environment) is exactly what causes the breakage. To point
>   administrators of failing systems in the right direction exim prints
>   a warning when keep_environment is not set.
>
> * Afaik the Debian config works fine with empty environment which is why
>   we have added an explicit 'keep_environment=' to prevent the runtime
>   warning.

This is all good.

> * Otoh if you are running a custom configuration you will get
>   the warning exactly as upstream has intended and you will need to
>   decide whether you need to modify the environment. This also applies
>   to configuration based on the Debian configuration. - You'll need to
>   look at the configuration and decide whether modifying the runtime
>   environment is necessary. (You'll get a dpkg conffile prompt and need
>   to merge the changes.)

The warning isn't really very clear, though.

> * In addition there is an entry in exim4-config.NEWS.

I saw that, but it also wasn't that clear about what changes were needed.

> I am basically out of bright ideas on how to improve things from here.
> The whole thing is trade-off, on one side now some people get a warning
> message without experiencing real breakage, on the other side if I patched
> out the warning message some people would just see a broken e-mail
> service without the helpful hint. Being in doubt I trusted upstream's
> choice.
>
> See http://article.gmane.org/gmane.mail.exim.devel/9142 and following.

Please expand the NEWS item to say that if you have a custom configuration
you *must* update it, and also refer to
https://exim.org/static/doc/CVE-2016-1531.txt which briefly explains the
new variables.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.
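The thread above turns on one question an administrator has to answer before the upgrade: does my exim configuration set keep_environment at all? The following script is an added example, not part of the bug report, the exim project or the Debian exim4 packaging. It assumes the configuration to be checked is a plain exim configuration file (main section options as `name = value` lines) and uses two constructed sample files: one in the style of the Debian configuration, which explicitly sets an empty keep_environment, and one legacy custom configuration that never mentions the option and would therefore trigger the runtime warning described in the thread.

```shell
#!/bin/sh
# Added example (not from the bug report, exim or the exim4 Debian package):
# a pre-upgrade check that reports whether an exim configuration file sets
# keep_environment. It assumes a plain exim configuration file; the sample
# file contents written below are constructed for this example.

# Return 0 if the file sets keep_environment (an empty value counts, as in
# the Debian configuration), 1 otherwise. Commented-out occurrences are
# ignored because the option must start the line, optionally indented.
has_keep_environment() {
    grep -Eq '^[[:space:]]*keep_environment[[:space:]]*=' "$1"
}

# Constructed sample: Debian-style configuration that explicitly empties
# the environment, so exim 4.86.2 and later do not print the warning.
write_debian_style() {
    cat > "$1" <<'EOF'
# main configuration section (constructed sample)
primary_hostname = mail.example.invalid
keep_environment =
EOF
}

# Constructed sample: a custom configuration written before CVE-2016-1531
# that says nothing about the environment; exim warns at startup.
write_custom_legacy() {
    cat > "$1" <<'EOF'
# main configuration section (constructed sample)
primary_hostname = mail.example.invalid
# keep_environment is deliberately absent here
EOF
}

# Print a human-readable verdict for one file and return its check status.
report() {
    if has_keep_environment "$1"; then
        echo "$1: keep_environment is set; no change needed for the upgrade"
        return 0
    fi
    echo "$1: keep_environment missing; set it (empty, or a list of variable names to keep) before upgrading"
    return 1
}

# Usage: run both constructed samples through the check.
demo_dir=${TMPDIR:-/tmp}/exim_keep_env_demo.$$
mkdir -p "$demo_dir"
write_debian_style "$demo_dir/debian.conf"
write_custom_legacy "$demo_dir/custom.conf"
report "$demo_dir/debian.conf"
report "$demo_dir/custom.conf" || :
rm -rf "$demo_dir"
```

The check is intentionally conservative: it only tells you whether the option is present, not whether the value you chose is right for your transports and routers. A configuration that needs variables such as PATH for a pipe transport still has to be reviewed by hand, which is the decision the thread says the NEWS entry should spell out.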