[hs at schlittermann.de: Re: [Exim-maintainers] CVE-2016-1531]

Andreas Metzler ametzler at bebt.de
Sat Mar 12 15:04:56 UTC 2016


On 2016-03-12 Salvatore Bonaccorso <carnil at debian.org> wrote:
> On Sat, Mar 12, 2016 at 07:14:51AM +0100, Andreas Metzler wrote:
>> On 2016-03-12 Salvatore Bonaccorso <carnil at debian.org> wrote:
>> > On Thu, Mar 10, 2016 at 10:43:18AM +0100, Salvatore Bonaccorso wrote:
>> [..]
>> > > How do we move forward?

>> > friendly ping :). Any news?

>> Not yet, but I hope to be able to offer something for review this
>> weekend.

> Okay thanks a lot.

Hello,

See https://people.debian.org/~ametzler/exim-dsa/ and the jessie and
wheezy branches in git://anonscm.debian.org/pkg-exim4/exim4.git

* jessie (exim4_4.84.2-1) is trivial: use upstream's security release and
update the config (more on that below).

* wheezy (4.80) required some handholding to get the 4.84->4.84.2 patch
to apply and compile. Heiko, could you perhaps take a quick look?[1]

Regarding the configuration changes, I have set "keep_environment =" by
default since exim shows a runtime warning if it is not set. The
rationale being that the new behavior (cleaning environment by default)
has the potential of causing severe breakage, e.g. libdap can be
configured with environment variables. Since keep_environment is not
understood by vanilla exim 4.80 (or 4.84), the new exim4-config package
has a Breaks on older daemon packages.

Is the configuration change acceptable for a security update?
Alternatively we could diverge from upstream and patch out the warning
and perhaps replace it with a NEWS.Debian entry.

cu Andreas

[1] http://anonscm.debian.org/cgit/pkg-exim4/exim4.git/tree/debian/patches/88_CVE-2016-1531.diff?h=wheezy
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
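To make the configuration choice discussed in the message concrete, here is an added illustration (not part of the original message or of the Debian package) of the two ways the main section of an Exim configuration can set keep_environment after the CVE-2016-1531 update. The variable names PATH and TZ in the second form are illustrative assumptions, not anything the package ships.

```text
# Form 1 (constructed example): what the message describes as the Debian
# default. An explicitly empty list means "keep nothing", which is the same
# environment-purging behaviour the fixed exim applies anyway, but setting
# it explicitly silences the runtime warning that exim prints when the
# option is unset.
keep_environment =

# Form 2 (constructed example): keep only named variables. Use this when a
# component exim calls out to (the message names libdap as an example) is
# configured through environment variables. Items are colon-separated
# variable names; anything not listed is removed before exim runs
# transports or routers. PATH and TZ here are assumed, illustrative names.
keep_environment = PATH : TZ
```

Either form only takes effect on an exim that knows the option (4.84.2 / 4.86.2 and later); on an older daemon it is rejected as an unknown option, which is the reason the message gives for the Breaks relationship in the packaging.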
