Your message dated Tue, 27 Dec 2016 07:25:00 +0000
with message-id <a5fb5eed-2e52-673b-e589-c5b629c32...@thykier.net>
and subject line Re: Bug#849436: unblock: exim4/4.88~RC6-2
has caused the Debian Bug report #849436,
regarding unblock: exim4/4.88~RC6-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
849436: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849436
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please shorten the waiting time for migration of exim4 to testing. This
package's version includes a fix for CVE-2016-9963 (stable's DSA 3747-1).

* Add macro IGNORE_SMTP_LINE_LENGTH_LIMIT to allow disabling the SMTP DATA
  physical line limit check for both the SMTP DATA ACL and remote_smtp*
  transports. Closes: #828801
  Also update corresponding NEWS entry.
* [lintian] debian/changelog: s/lenght/length/
* Pull 75_Fix-DKIM-information-leakage.patch from upstream GIT, fixing DKIM
  information leakage issue CVE-2016-9963.

unblock exim4/4.88~RC6-2

TIA, cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------

Files in first .changes but not in second
-----------------------------------------

Control files of package exim4: lines which differ (wdiff format)
-----------------------------------------------------------------
Depends: debconf (>= 0.5) | debconf-2.0, debconf (>= 1.4.69) | cdebconf (>= 0.39), exim4-base (>= [-4.88~RC6-1),-] {+4.88~RC6-2),+} exim4-base (<< [-4.88~RC6-1.1),-] {+4.88~RC6-2.1),+} exim4-daemon-light | exim4-daemon-heavy | exim4-daemon-custom
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}

Control files of package exim4-base: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}

Control files of package exim4-config: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}

Control files of package exim4-daemon-heavy: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}

Control files of package exim4-daemon-heavy-dbg: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Build-Ids: [-e02d1716e0c78e2d1fc27323ec0283c2048e0680-] {+a2748941706aae40a4a467296db62bc5fbc5874e+}
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}

Control files of package exim4-daemon-light: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}

Control files of package exim4-daemon-light-dbg: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Build-Ids: [-3768bfb280763a8320ac0cb1b3f5128a6b2f7d50-] {+0e6ccd0a87df0978d44e8c56384725977293a6dd+}
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}

Control files of package exim4-dbg: lines which differ (wdiff format)
---------------------------------------------------------------------
Build-Ids: [-67180bb423dc99137f0dc7f115e46fa176414b9b 71e8fbf0661a197ef7edf1a50faf9114d0551867 762c5a67771e75896543d5308d0f31e3a17102b1 a065508918ffd2a967a51fb0e172d0d85890798c fc0f8ff4895d18f4a3647db63921eba5887c1477-] {+411af8cce86cb5d33e1bdbb837691965bcf4bbe5 46d0128b00d8487771080db604a216ffe5bbc4c9 8b070c0099a8863f5af9e0dc6b4b8b30c882d5e3 b521f3139342b3cc5fefc9d5160d1c609170bdf2 d65072ddeb66cc7ad6950e23e0ea5d2ea76f9015+}
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}

Control files of package exim4-dev: lines which differ (wdiff format)
---------------------------------------------------------------------
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}

Control files of package eximon4: lines which differ (wdiff format)
-------------------------------------------------------------------
Version: [-4.88~RC6-1-] {+4.88~RC6-2+}
diff -Nru exim4-4.88~RC6/debian/changelog exim4-4.88~RC6/debian/changelog
--- exim4-4.88~RC6/debian/changelog	2016-12-08 07:19:18.000000000 +0100
+++ exim4-4.88~RC6/debian/changelog	2016-12-22 16:50:21.000000000 +0100
@@ -1,3 +1,15 @@
+exim4 (4.88~RC6-2) unstable; urgency=high
+
+  * Add macro IGNORE_SMTP_LINE_LENGTH_LIMIT to allow disabling the SMTP DATA
+    physical line limit check for both for SMTP DATA ACL and remote_smtp*
+    transports. Closes: #828801
+    Also update corresponding NEWS entry.
+  * [lintian] debian/changelog: s/lenght/length/
+  * Pull 75_Fix-DKIM-information-leakage.patch from upstream GIT, fixing DKIM
+    information leakage issue CVE-2016-9963.
+
+ -- Andreas Metzler <ametz...@debian.org>  Thu, 22 Dec 2016 16:50:21 +0100
+
 exim4 (4.88~RC6-1) unstable; urgency=low
 
   * New upstream version.
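Review bot: the first bullet of the new 4.88~RC6-2 entry reads "for both for SMTP DATA ACL and remote_smtp* transports", a doubled "for" in the same upload that fixes s/lenght/length/ for lintian; suggest "for both the SMTP DATA ACL and the remote_smtp* transports". Otherwise urgency=high is appropriate for an upload carrying the CVE-2016-9963 fix, and naming the CVE in the changelog is the right thing for the security tracker.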
@@ -109,7 +121,7 @@
       expansion. https://bugs.exim.org/show_bug.cgi?id=165
   * Copy information message on rejecting overlong lines in data ACL from
     upstream example configuration. Closes: #823418
-  * Add NEWS entry on line-lenght-limit introduced in 4.87~RC1-1.
+  * Add NEWS entry on line-length-limit introduced in 4.87~RC1-1.
     Closes: 821830
 
  -- Andreas Metzler <ametz...@debian.org>  Sun, 08 May 2016 14:03:10 +0200
@@ -3805,7 +3817,7 @@
     - Supports CRL (Certificate Revocation List) (Closes: #229063)
     - exim_dbmbuild does not crash on _very_ long RHS values.
       (Closes: #231597)
-    - route_list does not use a fixed lenght buffer anymore. (Closes: #231979)
+    - route_list does not use a fixed length buffer anymore. (Closes: #231979)
     - An empty tls_verify_certificates file is correctly interpreted as empty
       list instead of breaking TLS. (Closes: #236478)
   * Korean translation of debconf templates by Changwoo Ryu (Closes: #241499)
diff -Nru exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data
--- exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data	2016-09-25 14:46:29.000000000 +0200
+++ exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data	2016-12-18 13:59:15.000000000 +0100
@@ -11,9 +11,11 @@
   # Deny if the message contains an overlong line.  Per the standards
   # we should never receive one such via SMTP.
   #
+  .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
   deny    message    = maximum allowed line length is 998 octets, \
                        got $max_received_linelength
           condition  = ${if > {$max_received_linelength}{998}}
+  .endif
 
   # Deny unless the address list headers are syntactically correct.
   #
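Review bot: the guard is `.ifndef`, so this deny is skipped whenever IGNORE_SMTP_LINE_LENGTH_LIMIT is defined at all, whatever its value; the accompanying NEWS text should therefore say the macro needs to be "defined" rather than "set", so that nobody expects a definition like `IGNORE_SMTP_LINE_LENGTH_LIMIT = false` to keep the check. With the macro defined, messages containing lines over 998 octets pass this ACL and are handed on to the transports, so it is right that the remote_smtp* transports in this upload are gated on the very same macro rather than a separate one.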
diff -Nru exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp
--- exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp	2016-09-25 14:46:29.000000000 +0200
+++ exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp	2016-12-18 13:59:52.000000000 +0100
@@ -9,7 +9,9 @@
 remote_smtp:
   debug_print = "T: remote_smtp for $local_part@$domain"
   driver = smtp
+.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.endif
 .ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
   hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
 .endif
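Review bot: the `.ifndef`/`.endif` pair sits at column 0 around an indented option, matching the existing `.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS` block directly below, so the style is consistent. What is missing is a comment: with the macro undefined, `message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}` collapses the transport's limit to 1 byte for any message that had an overlong line, so the refusal surfaces as a transport size limit rather than as a line-length error, which is what the NEWS text calls "routing errors". A one-line comment above the `.ifndef` explaining that this is a deliberate line-length check in disguise would save the next person from "fixing" it.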
diff -Nru exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost
--- exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost	2016-09-25 14:46:29.000000000 +0200
+++ exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost	2016-12-18 14:00:13.000000000 +0100
@@ -12,7 +12,9 @@
 remote_smtp_smarthost:
   debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
   driver = smtp
+.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.endif
   hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
         {\
         ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
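Review bot: same gating as in 30_exim4-config_remote_smtp, which keeps the direct and smarthost transports consistent; if an explanatory comment is added there it should be mirrored here, since these two transport files otherwise tend to drift apart.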
diff -Nru exim4-4.88~RC6/debian/NEWS exim4-4.88~RC6/debian/NEWS
--- exim4-4.88~RC6/debian/NEWS	2016-09-25 14:46:29.000000000 +0200
+++ exim4-4.88~RC6/debian/NEWS	2016-12-18 14:04:32.000000000 +0100
@@ -1,9 +1,11 @@
 exim4 (4.87-3) unstable; urgency=medium
 
-  Starting with 4.87~RC1-1 exim will not accept messages with physical lines
-  longer than 998 characters. Delivery of such RFC-violating message might
-  fail and subsequently cause routing errors and loss of legitimate mail.
-  See <https://bugs.exim.org/show_bug.cgi?id=1684>.
+  Starting with 4.87~RC1-1 exim will not accept or send out messages with
+  physical lines longer than 998 characters by SMTP DATA. Delivery of such
+  RFC-violating message might fail and subsequently cause routing errors and
+  loss of legitimate mail.  See <https://bugs.exim.org/show_bug.cgi?id=1684>.
+  This limit can be disabled by setting the macro
+  IGNORE_SMTP_LINE_LENGTH_LIMIT.
 
  -- Andreas Metzler <ametz...@debian.org>  Sun, 08 May 2016 14:03:10 +0200
 
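Review bot: the new wording is placed in the existing `exim4 (4.87-3)` NEWS stanza rather than in a new stanza for 4.88~RC6-2, so apt-listchanges will not show it to anyone already on 4.87-3 or later, which is precisely the audience that reported #828801; suggest adding a separate 4.88~RC6-2 entry that announces the IGNORE_SMTP_LINE_LENGTH_LIMIT macro. Wording nits in the changed lines: "such RFC-violating message might fail" should be "messages", "by SMTP DATA" reads better as "via SMTP DATA", and because the configuration tests the macro with `.ifndef`, "can be disabled by setting the macro" should say "by defining the macro".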
diff -Nru exim4-4.88~RC6/debian/patches/75_Fix-DKIM-information-leakage.patch exim4-4.88~RC6/debian/patches/75_Fix-DKIM-information-leakage.patch
--- exim4-4.88~RC6/debian/patches/75_Fix-DKIM-information-leakage.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.88~RC6/debian/patches/75_Fix-DKIM-information-leakage.patch	2016-12-18 18:16:03.000000000 +0100
@@ -0,0 +1,73 @@
+From 87cb4a166c47b57df48c2918e47801d77639fbb0 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <j...@wizmail.org>
+Date: Fri, 16 Dec 2016 20:45:44 +0000
+Subject: [PATCH 1/2] Fix DKIM information leakage
+
+ 
+JH/34 SECURITY: Use proper copy of DATA command in error message.
+      Could leak key material.  Remotely exploitable.  CVE-2016-9963.
+
+diff --git a/src/dkim.c b/src/dkim.c
+index 3fa11c80..70c9547e 100644
+--- a/src/dkim.c
++++ b/src/dkim.c
+@@ -612,6 +612,7 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
+ 			 CS dkim_private_key_expanded,
+ 			 PDKIM_ALGO_RSA_SHA256,
+ 			 dkim->dot_stuffed);
++  dkim_private_key_expanded[0] = '\0';
+   pdkim_set_optional(ctx,
+ 		      CS dkim_sign_headers_expanded,
+ 		      NULL,
+diff --git a/src/transports/smtp.c b/src/transports/smtp.c
+index d6ef34ef..a19e85ff 100644
+--- a/src/transports/smtp.c
++++ b/src/transports/smtp.c
+@@ -285,10 +285,11 @@ static uschar *rf_names[] = { US"NEVER", US"SUCCESS", US"FAILURE", US"DELAY" };
+ 
+ /* Local statics */
+ 
+-static uschar *smtp_command;   /* Points to last cmd for error messages */
+-static uschar *mail_command;   /* Points to MAIL cmd for error messages */
+-static BOOL    update_waiting; /* TRUE to update the "wait" database */
+-static BOOL    pipelining_active; /* current transaction is in pipe mode */
++static uschar *smtp_command;		/* Points to last cmd for error messages */
++static uschar *mail_command;		/* Points to MAIL cmd for error messages */
++static uschar *data_command = US"";	/* Points to DATA cmd for error messages */
++static BOOL    update_waiting;		/* TRUE to update the "wait" database */
++static BOOL    pipelining_active;	/* current transaction is in pipe mode */
+ 
+ 
+ /*************************************************
+@@ -1390,10 +1391,14 @@ uschar * buffer = tctx->buffer;
+ /* Write SMTP chunk header command */
+ 
+ if (chunk_size > 0)
++  {
+   if((cmd_count = smtp_write_command(tctx->outblock, FALSE, "BDAT %u%s\r\n",
+ 			      chunk_size,
+ 			      flags & tc_chunk_last ? " LAST" : "")
+      ) < 0) return ERROR;
++  if (flags & tc_chunk_last)
++    data_command = string_copy(big_buffer);  /* Save for later error message */
++  }
+ 
+ prev_cmd_count = cmd_count += tctx->cmd_count;
+ 
+@@ -2512,6 +2517,7 @@ if (  !(peer_offered & PEER_OFFERED_CHUNKING)
+     default: goto RESPONSE_FAILED;       /* I/O error, or any MAIL/DATA error */
+     }
+   pipelining_active = FALSE;
++  data_command = string_copy(big_buffer);  /* Save for later error message */
+   }
+ 
+ /* If there were no good recipients (but otherwise there have been no
+@@ -2735,7 +2741,7 @@ else
+ #else
+ 	    "LMTP error after %s: %s",
+ #endif
+-            big_buffer, string_printing(buffer));
++            data_command, string_printing(buffer));
+           setflag(addr, af_pass_message);   /* Allow message to go to user */
+           if (buffer[0] == '5')
+             addr->transport_return = FAIL;
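Review bot: in the `src/dkim.c` part, `dkim_private_key_expanded[0] = '\0';` only truncates the expanded key string so that a later reuse of that buffer cannot print it; the remaining key bytes stay in memory, so an overwrite of the whole buffer would be more thorough, although the substantive fix is the `src/transports/smtp.c` part, which stops formatting the error message from `big_buffer` (the buffer the expansion had reused) and prints the saved `data_command` instead. That part looks safe on the error path: `data_command` is initialised to `US""` and only replaced by `string_copy(big_buffer)` after a successful DATA or BDAT exchange, so `"LMTP error after %s: %s"` never dereferences a NULL pointer even when no DATA was sent. In the BDAT branch the copy is taken only when `flags & tc_chunk_last`; that matches where the error message is produced, but deserves a comment saying so. Finally, the patch header reads `[PATCH 1/2]`: please state in the changelog or a DEP-3 header whether the second upstream commit is required for 4.88~RC6 or is unrelated to CVE-2016-9963.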
diff -Nru exim4-4.88~RC6/debian/patches/series exim4-4.88~RC6/debian/patches/series
--- exim4-4.88~RC6/debian/patches/series	2016-11-19 17:39:37.000000000 +0100
+++ exim4-4.88~RC6/debian/patches/series	2016-12-18 18:16:06.000000000 +0100
@@ -8,4 +8,5 @@
 60_convert4r4.dpatch
 67_unnecessaryCopt.diff
 70_remove_exim-users_references.dpatch
+75_Fix-DKIM-information-leakage.patch
 92_CVE-2016-1238.diff

--- End Message ---
--- Begin Message ---
Andreas Metzler:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> 
> Please shorten the waiting time for migration of exim4 to testing. This
> package's version includes a fix for CVE-2016-9963 (stable's DSA 3747-1).
> 
> * Add macro IGNORE_SMTP_LINE_LENGTH_LIMIT to allow disabling the SMTP DATA
>   physical line limit check for both the SMTP DATA ACL and remote_smtp*
>   transports. Closes: #828801
>   Also update corresponding NEWS entry.
> * [lintian] debian/changelog: s/lenght/length/
> * Pull 75_Fix-DKIM-information-leakage.patch from upstream GIT, fixing DKIM
>   information leakage issue CVE-2016-9963.
> 
> unblock exim4/4.88~RC6-2
> 
> TIA, cu Andreas
> 

Unblocked, thanks.

~Niels

--- End Message ---