[hs at schlittermann.de: Re: [Exim-maintainers] CVE-2016-1531]

Salvatore Bonaccorso carnil at debian.org
Sun Mar 13 14:45:36 UTC 2016


Hi Andreas,

On Sat, Mar 12, 2016 at 04:04:56PM +0100, Andreas Metzler wrote:
> On 2016-03-12 Salvatore Bonaccorso <carnil at debian.org> wrote:
> > On Sat, Mar 12, 2016 at 07:14:51AM +0100, Andreas Metzler wrote:
> >> On 2016-03-12 Salvatore Bonaccorso <carnil at debian.org> wrote:
> >> > On Thu, Mar 10, 2016 at 10:43:18AM +0100, Salvatore Bonaccorso wrote:
> >> [..] 
> >> > > How do we move forward?
> 
> >> > friendly ping :). Any news?
>  
> >> Not yet, but I hope to be able to offer something for review this
> >> weekend.
> 
> > Okay thanks a lot.
> 
> Hello,
> 
> See https://people.debian.org/~ametzler/exim-dsa/ and the jessie and
> wheezy branches in git://anonscm.debian.org/pkg-exim4/exim4.git
> 
> * jessie (exim4_4.84.2-1) is trivial: Use upstream's security release,
> update config (More on that below.)
> 
> * wheezy (4.80) required some handholding to get the 4.84->4.84.2 patch
> to apply and compile. Heiko, could you perhaps take a quick look?[1]
> 
> Regarding the configuration changes, I have set "keep_environment =" by
> default since exim shows a runtime warning if it is not set. The
> rationale being that the new behavior (cleaning environment by default)
> has the potential of causing severe breakage, e.g. libdap can be
> configured with environment variables. Since keep_environment is not
> understood by vanilla exim 4.80 (or 4.84), the new exim4-config package
> has a Breaks for older daemon packages.
> 
> Is the configuration change acceptable for a security update?
> Alternatively we could diverge from upstream and patch out the warning
> and perhaps replace it with a NEWS.Debian entry.

Thank you Andreas. Looks good to me, and thanks to Heiko's upstream-hat
review here. I think it would be good to have a NEWS.Debian entry
nevertheless to document that change; could you add it? Could you please
also set urgency=high for the final changelog entry.

We have exceptionally made configuration changes in some cases as well,
so I think this should be okay here too. Opinions from the team on this?

Heiko additionally suggested adding two further commits from
https://github.com/Exim/exim/commits/exim-4_80_1+CVE-2016-1531; could
you add those as well?

For the upload to security-master: please make sure to build both with
-sa to include the original source. Both will be new to dak on
security-master so the full source needs to be included.

Regards,
Salvatore
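The keep_environment setting discussed in the thread, as an added illustration that is not part of this message, of upstream Exim's documentation, or of Debian's exim4-config: an Exim main-configuration fragment showing the empty setting Andreas chose beside a variant that keeps selected variables for a dependency that reads them. With the CVE-2016-1531 fix, Exim purges its environment at startup and warns when keep_environment is unset; an empty value keeps nothing and silences the warning. The ^LDAP pattern and the PATH value below are assumptions chosen for illustration, not values taken from the thread.

```conf
# Option A: the default Debian chose for the security update.
# Purge the whole environment (the fixed behaviour) and keep nothing;
# setting the option explicitly, even to an empty value, stops the
# "purging the environment" runtime warning.
keep_environment =

# Option B: keep only what a known dependency needs (assumed example).
# keep_environment is a colon-separated list of variable names; an entry
# starting with ^ is treated as a regular expression. Everything else
# inherited from the caller is still dropped.
#keep_environment = ^LDAP

# add_environment sets variables for the processes Exim runs, after the
# purge, so they do not depend on the caller's environment at all.
#add_environment = PATH=/usr/bin:/bin
```

Only one of the keep_environment lines may be active at a time. Prefer the empty form unless a specific library is documented to need a variable, and in that case list the variables by name or a tight anchored pattern rather than keeping the caller's environment wholesale, since the caller of a setuid exim is exactly the principal the fix is defending against.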