Bug#818349: exim4-base: Still warns about purging the environment, even with add_environment set

Andreas Metzler ametzler at bebt.de
Sun Mar 20 16:42:28 UTC 2016


On 2016-03-16 Ben Hutchings <ben at decadent.org.uk> wrote:
> On Wed, 2016-03-16 at 19:39 +0100, Andreas Metzler wrote:
[...]
>> * Otoh if you are running a custom configuration you will get
>>   the warning exactly as upstream has intended and you will need to
>>   decide whether you need to modify the environment. This also applies
>>   to configuration based on the Debian configuration. - You'll need to
>>   look at the configuration and decide whether modifying the runtime
>>   environment is necessary. (You'll get a dpkg conffile prompt and need
>>   to merge the changes.)

> The warning isn't really very clear, though.

>> * In addition there is an entry in exim4-config.NEWS.

> I saw that, but it also wasn't that clear about what changes were
> needed.
[...]
> Please expand the NEWS item to say that if you have a custom
> configuration you *must* update it, and also refer to
> https://exim.org/static/doc/CVE-2016-1531.txt which briefly explains
> the new variables.
[...]

Hello,

exim4/experimental has this in NEWS:
-------------------------
  As part of the fix for CVE-2016-1531 updated Exim versions clean
  the complete execution environment by default, affecting Exim and
  subprocesses such as routers calling other programs, and thus may break
  existing installations. New configuration options (keep_environment,
  add_environment) were introduced to adjust this behavior. Because of the
  possible breakage Exim will show a runtime warning if keep_environment is
  not set.

  The Debian exim4 configuration does not rely on specific environment
  variables and therefore sets 'keep_environment =' (i.e. it confirms an empty
  environment).

  Users of custom Exim configurations will need to check whether their setup
  continues to work with the above-mentioned upstream change and modify the
  Exim environment as needed otherwise. If the setup works fine with an empty
  environment it is still necessary to set the main configuration option
  "keep_environment =" to quiet the runtime warning.
------------------------

Do you think that is alright (except for the CVE link)?

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
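An added example (not part of this bug report or the Debian exim4 package) of what the two outcomes described in the NEWS entry look like in the main section of a custom Exim configuration. The PATH and LANG values are assumed for illustration; check which variables your own pipe transports or router commands actually depend on before choosing between the two cases.

```conf
# Example only: main-section settings for a custom Exim 4.86.2+ configuration.
# Not the Debian package's own configuration.

# Case 1: nothing Exim runs (routers, transports, ${run...} expansions)
# depends on the caller's environment. Confirm the empty environment so the
# runtime warning about keep_environment goes away.
keep_environment =

# Case 2: a pipe transport needs a PATH and a locale. Still keep nothing from
# the caller's environment; add only the variables that are needed.
# add_environment is a list whose default separator is ':', so the "<;"
# prefix switches the separator to ';' because the PATH value contains colons.
# (Uncomment these two lines and remove the bare "keep_environment =" above.)
#keep_environment =
#add_environment = <; PATH=/usr/local/bin:/usr/bin:/bin ; LANG=C
```

After editing, `exim -bP keep_environment` and `exim -bP add_environment` print the values Exim actually parsed, which is a quick way to confirm that the option landed in the main section rather than in a router or transport block.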


