Update mail/exim to version 4.74 from 4.73 currently in ports. This fixes a privilege escalation vulnerability, but I'm not sure it applies to FreeBSD (CVE-2011-0017).

Changes according to the Changelog (http://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74):

TF/01 Failure to get a lock on a hints database can have serious consequences so log it to the panic log.

TF/02 Log LMTP confirmation messages in the same way as SMTP, controlled using the smtp_confirmation log selector.

TF/03 Include the error message when we fail to unlink a spool file.

DW/01 Bugzilla 139: Support dynamically loaded lookups as modules. With thanks to Steve Haslam, Johannes Berg & Serge Demonchaux for maintaining out-of-tree patches for some time.

PP/01 Bugzilla 139: Documentation and portability issues. Avoid GNU Makefile-isms, let Exim continue to build on BSD. Handle per-OS dynamic-module compilation flags.

PP/02 Let /dev/null have normal permissions. The 4.73 fixes were a little too stringent and complained about the permissions on /dev/null. Exempt it from some checks. Reported by Andreas M. Kirchwitz.

PP/03 Report version information for many libraries, including Exim version information for dynamically loaded libraries. Created version.h, now support a version extension string for distributors who patch heavily. Dynamic module ABI change.

PP/04 CVE-2011-0017 - check return value of setuid/setgid. This is a privilege escalation vulnerability whereby the Exim run-time user can cause root to append content of the attacker's choosing to arbitrary files.

PP/05 Bugzilla 1041: merged DCC maintainer's fixes for return code. (Wolfgang Breyha)

PP/06 Bugzilla 1071: fix delivery logging with untrusted macros. If dropping privileges for untrusted macros, we disabled normal logging on the basis that it would fail; for the Exim run-time user, this is not the case, and it resulted in successful deliveries going unlogged. Fixed. Reported by Andreas Metzler.
Fix: Since all the heavy lifting was done in the update to 4.73, it seems just bumping the version (as the attached patch does) will do the job. Tested for two days with my set of options and it works fine. I also included a spiffy feature I saw in the security/openssl port which causes "make makesum" to always fetch all dist files, not just the ones needed for the currently selected options.
Responsible Changed
From-To: freebsd-ports-bugs->rea

Over to maintainer (via the GNATS Auto Assign Tool)
Thanks for the patch: I am already aware of 4.74 and am trying to gather all the bits I have since 4.73 into the new update.

Seems like CVE-2011-0017 is the classical case of not checking the results of setuid/setgid calls. This attack came into existence (on Linux) because setuid() calls check RLIMIT_NPROC. The FreeBSD implementation checks that on fork(), so it seems like we're safe here, but I'll check the actual Exim code just to be sure.

Thanks for your submission!
--
Eygene Ryabinkin                                        ,,,^..^,,,
[ Life's unfair - but root password helps!           | codelabs.ru ]
[ 82FE 06BC D497 C0DE 49EC 4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
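The failure mode discussed above (a setuid()/setgid() result that is never checked), shown beside a checked privilege drop, as an added C example that is not Exim's code and not part of this thread. The names `id_ops`, `failing_ops`, `drop_unchecked` and `drop_checked` are hypothetical, and the failing setuid() is a constructed stand-in for a call that returns EAGAIN.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Syscall table so the failure path can be exercised without root. */
struct id_ops {
    int   (*set_gid)(gid_t);
    int   (*set_uid)(uid_t);
    uid_t (*get_uid)(void);
    uid_t (*get_euid)(void);
};
static const struct id_ops real_ops = { setgid, setuid, getuid, geteuid };

/* Constructed stand-in: a process still running as root whose setuid()
 * fails with EAGAIN, as the thread describes for Linux at RLIMIT_NPROC. */
static int   fake_setgid(gid_t g) { (void)g; return 0; }
static int   fake_setuid(uid_t u) { (void)u; errno = EAGAIN; return -1; }
static uid_t fake_root(void)      { return 0; }
static const struct id_ops failing_ops =
    { fake_setgid, fake_setuid, fake_root, fake_root };

/* Pattern behind the CVE: return values ignored, caller carries on.
 * Returns the effective uid the code after the "drop" would run with. */
uid_t drop_unchecked(const struct id_ops *ops, uid_t uid, gid_t gid)
{
    (void)ops->set_gid(gid);
    (void)ops->set_uid(uid);
    return ops->get_euid();
}

/* Hardened form: group first, then user, every call checked, and the
 * result verified. Returns 0 on success, -1 if the caller must abort. */
int drop_checked(const struct id_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->set_gid(gid) != 0) return -1;
    if (ops->set_uid(uid) != 0) return -1;
    if (ops->get_uid() != uid || ops->get_euid() != uid) return -1;
    return 0;
}

int main(void)
{   /* 1001 is a constructed unprivileged uid/gid for the simulated runs. */
    printf("unchecked: euid %d\n", (int)drop_unchecked(&failing_ops, 1001, 1001));
    printf("checked, failing setuid: %d\n", drop_checked(&failing_ops, 1001, 1001));
    printf("checked, own ids: %d\n", drop_checked(&real_ops, getuid(), getgid()));
    return 0;
}
```

With the simulated failure, `drop_unchecked` reports euid 0, meaning the code that follows would still run as root, while `drop_checked` returns -1 so the caller can abort before touching any file.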
Collected various update bits into a single patch:
  http://codelabs.ru/fbsd/ports/exim/update-4.73-to-4.74.diff

With respect to the Exim distribution it is no different from the original patch by Alexander Wittig.

Wider testing is welcome! If no bugs are caught by anyone, my intention is to commit this patch this evening (around 20:00 UTC or so).
--
Eygene Ryabinkin                                        ,,,^..^,,,
[ Life's unfair - but root password helps!           | codelabs.ru ]
[ 82FE 06BC D497 C0DE 49EC 4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
rea         2011-01-27 21:23:33 UTC

  FreeBSD ports repository

  Modified files:
    Mk                   bsd.sites.mk
    mail/exim            Makefile distinfo
    mail/exim/files      150.exim-tidydb.sh
  Log:
  mail/exim: update to 4.74

  Changelog is at
    http://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74

  Please, note that CVE-2011-0017 is not applicable to FreeBSD,
  because setuid() doesn't check RLIMIT_NPROC.

  Also fixed the periodic script for tidying the databases: now
  it won't produce errors if the lockfile is here, but the actual
  database file is gone. [2]

  And finally, synced the mirror list to the current one and pruned
  old unusable mirrors:
   - ftp.csx.cam.ac.uk: not synced anymore;
   - www.no.exim.org: no DNS record;
   - ftp.demon.nl: no longer mirrors Exim;
   - ftp.freenet.de: mirror of ftp.csx.cam.ac.uk;
   - ftp.esat.net: not synced anymore;
   - ftp.mirrorservice.org: mirror of ftp.csx.cam.ac.uk.

  Feature safe: yes

  PR:             154323 [1]
  Submitted by:   Geraint Edwards <gedge@yadn.org> [2],
                  Alexander Wittig <alexander@wittig.name> [1]
  Approved by:    erwin (mentor), renato (mentor)

  Revision  Changes    Path
  1.523     +32 -10    ports/Mk/bsd.sites.mk
  1.257     +10 -3     ports/mail/exim/Makefile
  1.102     +2 -2      ports/mail/exim/distinfo
  1.3       +5 -2      ports/mail/exim/files/150.exim-tidydb.sh
State Changed
From-To: open->closed

Port is updated. Thanks for your submission!