Changes 4.82.1: This is a SECURITY release, addressing a CRITICAL remote code execution flaw in Exim version 4.82 (only) when built with DMARC support (an experimental feature, not on by default). This release is identical to 4.82 except for the small change needed to plug the security hole. The next release of Exim will, eventually, be 4.83, which will include the many improvements we've made since 4.82, but which will require the normal release candidate baking process before release. You are not vulnerable unless you built Exim with EXPERIMENTAL_DMARC. This issue is known by the CVE ID of CVE-2014-2957, was reported directly to the Exim development team by a company which uses Exim for its mail server. An Exim developer constructed a small patch which altered the way the contents of the From header is parsed by converting it to use safer and better internal functions. It was applied and tested on a production server for correctness. We were notified of the vulnerability Friday night, created a patch on Saturday, applied and tested it on Sunday, notified OS packagers on Monday/Tuesday, and are releasing on the next available work day, which is Wednesday. This is why we have made the smallest feasible changes to prevent exploit: we want this chagne to be as safe as possible to expedite into production (if the packages were built with DMARC).diff -r1.130 -r1.131 pkgsrc/mail/exim/Makefile
(adam)
| @@ -1,17 +1,16 @@ | @@ -1,17 +1,16 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.130 2014/04/30 10:21:08 jperkin Exp $ | 1 | # $NetBSD: Makefile,v 1.131 2014/05/29 09:27:37 adam Exp $ | |
| 2 | 2 | |||
| 3 | DISTNAME= exim-4.82 | 3 | DISTNAME= exim-4.82.1 | |
| 4 | PKGREVISION= 2 | |||
| 5 | CATEGORIES= mail net | 4 | CATEGORIES= mail net | |
| 6 | MASTER_SITES= ftp://ftp.exim.org/pub/exim/exim4/ \ | 5 | MASTER_SITES= ftp://ftp.exim.org/pub/exim/exim4/ \ | |
| 7 | http://dl.ambiweb.de/mirrors/ftp.exim.org/exim/exim4/ | 6 | http://dl.ambiweb.de/mirrors/ftp.exim.org/exim/exim4/ | |
| 8 | EXTRACT_SUFX= .tar.bz2 | 7 | EXTRACT_SUFX= .tar.bz2 | |
| 9 | 8 | |||
| 10 | MAINTAINER= abs@NetBSD.org | 9 | MAINTAINER= abs@NetBSD.org | |
| 11 | HOMEPAGE= http://www.exim.org/ | 10 | HOMEPAGE= http://www.exim.org/ | |
| 12 | COMMENT= The Exim mail transfer agent, a replacement for sendmail | 11 | COMMENT= The Exim mail transfer agent, a replacement for sendmail | |
| 13 | LICENSE= gnu-gpl-v2 | 12 | LICENSE= gnu-gpl-v2 | |
| 14 | 13 | |||
| 15 | CONFLICTS+= exim-exiscan-[0-9]* | 14 | CONFLICTS+= exim-exiscan-[0-9]* | |
| 16 | 15 | |||
| 17 | USE_TOOLS+= perl:run | 16 | USE_TOOLS+= perl:run |
| @@ -1,10 +1,10 @@ | @@ -1,10 +1,10 @@ | |||
| 1 | $NetBSD: distinfo,v 1.57 2014/04/02 17:36:00 wiedi Exp $ | 1 | $NetBSD: distinfo,v 1.58 2014/05/29 09:27:37 adam Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (exim-4.82.tar.bz2) = 47b74986bd7c258030b3451d4c5e2723dd29d6cc | 3 | SHA1 (exim-4.82.1.tar.bz2) = bfb5ae3ab2444d494cdee650983a35dcc10243f5 | |
| 4 | RMD160 (exim-4.82.tar.bz2) = b3dc58373576e299a85245df93bbd9cde34c2078 | 4 | RMD160 (exim-4.82.1.tar.bz2) = 2caa80ed8b5fef07fd0449dc5ac7958681466a2d | |
| 5 | Size (exim-4.82.tar.bz2) = 1722771 bytes | 5 | Size (exim-4.82.1.tar.bz2) = 1722912 bytes | |
| 6 | SHA1 (patch-aa) = 24a12631b7df17930349b8a0d03adc80d27efbe2 | 6 | SHA1 (patch-aa) = 24a12631b7df17930349b8a0d03adc80d27efbe2 | |
| 7 | SHA1 (patch-ab) = 6af17f036ed02a3bc37c1f303269eea447fcb691 | 7 | SHA1 (patch-ab) = 6af17f036ed02a3bc37c1f303269eea447fcb691 | |
| 8 | SHA1 (patch-ae) = 7daf63727e222bbaa7e5b8289c4fcb6a8c0272cf | 8 | SHA1 (patch-ae) = 7daf63727e222bbaa7e5b8289c4fcb6a8c0272cf | |
| 9 | SHA1 (patch-ag) = dd93bb718c996f18b4e985806eb6d4ff5f25a67f | 9 | SHA1 (patch-ag) = dd93bb718c996f18b4e985806eb6d4ff5f25a67f | |
| 10 | SHA1 (patch-lookups_Makefile) = 57a8ab00e5f3c6891c74fdfe457adc1d73bc06ce | 10 | SHA1 (patch-lookups_Makefile) = 57a8ab00e5f3c6891c74fdfe457adc1d73bc06ce |