On 2021-05-05 Paul Muster <p...@muster.net> wrote:
> Package: release-notes
> Severity: normal
>
> Hi,
>
> please add a new paragraph 5.1.13 (and move existing 5.1.14 to .14) regarding
> exim and the new 'tainted data' issue.
>
> Text copied from NEWS.Debian file:
[...]

Thanks, Paul!

The text has been slightly updated with one of the latest uploads, it now reads

-----------------
Please consider exim 4.93/4.94 a *major* exim upgrade. It introduces the
concept of tainted data read from untrusted sources, like e.g. message
sender or recipient. This tainted data (e.g. $local_part or $domain)
cannot be used among other things as a file or directory name or command
name. This WILL BREAK configurations which are not updated accordingly.
Old Debian exim configuration files also will not work unmodified, the new
configuration needs to be installed with local modifications merged in.

Typical nonworking examples include:

* Delivery to /var/mail/$local_part. Use $local_part_data in combination
  with check_local_user.

* Using
    data = ${lookup{$local_part}lsearch{/some/path/$domain/aliases}}
  instead of
    data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}}
  for a virtual domain alias file.

The basic strategy for dealing with this change is to use the result of a
lookup in further processing instead of the original (remote provided)
value.

To ease upgrading there is a new main configuration option to temporarily
downgrade taint errors to warnings, letting the old configuration work
with the newer exim. To make use of this feature add

.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
allow_insecure_tainted_data = yes
.endif

to the exim configuration (e.g. to /etc/exim4/exim4.conf.localmacros)
*before* upgrading to exim 4.93/4.94 and check the logfile for taint
warnings. This is a temporary workaround which is already marked for
removal on introduction.
-----------------

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
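The two nonworking patterns from the NEWS text, shown side by side with the taint-safe form the text recommends, as an added illustration that is not part of NEWS.Debian, of this mail, or of Debian's stock exim4 configuration; the router and transport names and the /etc/exim4/virtual directory layout are assumptions.

```exim
# Added example, not from NEWS.Debian or Debian's shipped config.
# Router/transport names and /etc/exim4/virtual are assumed.

# --- main section (Debian: /etc/exim4/exim4.conf.localmacros) -----------
# Temporary escape hatch from the NEWS text: taint errors become log
# warnings so the old config keeps delivering while you fix the spots.
.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
allow_insecure_tainted_data = yes
.endif

begin routers

# Virtual domains: the domains condition is itself a lookup. dsearch
# matches the incoming domain against subdirectories of /etc/exim4/virtual
# and stores the matched (untainted) name in $domain_data. The tainted
# $local_part is only ever used as a lookup *key*, which is permitted;
# the tainted $domain never becomes part of a path.
virtual_aliases:
  driver = redirect
  domains = dsearch;/etc/exim4/virtual
  # BEFORE (taint error):
  #   data = ${lookup{$local_part}lsearch{/etc/exim4/virtual/$domain/aliases}}
  data = ${lookup{$local_part}lsearch{/etc/exim4/virtual/$domain_data/aliases}}

# Local users: check_local_user verifies the recipient local part against
# the passwd database; on success exim 4.94 stores the verified name in
# $local_part_data, which is untainted and therefore usable in a filename.
local_user:
  driver = accept
  check_local_user
  transport = local_delivery

begin transports

local_delivery:
  driver = appendfile
  # BEFORE (taint error, delivery deferred):
  #   file = /var/mail/$local_part
  # AFTER: the value comes from the passwd lookup, not from the envelope.
  file = /var/mail/$local_part_data
  delivery_date_add
  envelope_to_add
  return_path_add
```

Once the log no longer shows taint warnings, remove the allow_insecure_tainted_data block again; the NEWS text marks it for removal from exim itself.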