Hello community,

here is the log from the commit of package exim for openSUSE:11.3
checked in at Tue May 24 18:37:37 CEST 2011.



--------
--- old-versions/11.3/UPDATES/all/exim/exim.changes     2011-05-06 
20:25:37.000000000 +0200
+++ 11.3/exim/exim.changes      2011-05-20 17:06:30.000000000 +0200
@@ -1,0 +2,6 @@
+Fri May 20 17:05:34 CEST 2011 - [email protected]
+
+- Fixed another remote code execution issue (CVE-2011-1407 / bnc#694798)
+- Fixed STARTTLS command injection (bnc#695144)
+
+-------------------------------------------------------------------

calling whatdependson for 11.3-i586


New:
----
  ae9094bfe313aeb9ffefc7566bd4dae49ada3cf5.patch
  da80c2a8ed49427334af613c00df65ae301cacdd.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ exim.spec ++++++
--- /var/tmp/diff_new_pack.a8jbI3/_old  2011-05-24 18:29:20.000000000 +0200
+++ /var/tmp/diff_new_pack.a8jbI3/_new  2011-05-24 18:29:20.000000000 +0200
@@ -45,7 +45,7 @@
 PreReq:         %insserv_prereq %fillup_prereq /usr/sbin/useradd fileutils 
textutils
 %endif
 Version:        4.71
-Release:        4.<RELEASE7>
+Release:        4.<RELEASE9>
 Summary:        The Exim Mail Transfer Agent, a Replacement for sendmail
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Source:         exim-%{version}.tar.bz2
@@ -63,6 +63,10 @@
 Patch6:         CVE-2010-4345.diff
 Patch7:         CVE-2011-0017.diff
 Patch8:         337e3505b0e6cd4309db6bf6062b33fa56e06cf8.diff
+# CVE-2011-1407 bnc#694798
+Patch9:         ae9094bfe313aeb9ffefc7566bd4dae49ada3cf5.patch
+# no CVE yet bnc#695144
+Patch10:        da80c2a8ed49427334af613c00df65ae301cacdd.patch
 %if !%{?build_with_mysql:1}0
 
 %package -n eximon
@@ -134,6 +138,8 @@
 %patch6 -p1
 %patch7 -p1
 %patch8 -p2
+%patch9 -p2
+%patch10 -p2
 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
 %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930
 fPIE="-fPIE"

++++++ ae9094bfe313aeb9ffefc7566bd4dae49ada3cf5.patch ++++++
From: Tom Kistner <[email protected]>
Date: Sun, 8 May 2011 08:58:12 +0000 (+0100)
Subject: Don't use match_isinlist() for simple string list matching
X-Git-Tag: exim-4_76_RC2~2^2
X-Git-Url: 
http://git.exim.org/exim.git/commitdiff_plain/ae9094bfe313aeb9ffefc7566bd4dae49ada3cf5

Don't use match_isinlist() for simple string list matching
---

diff --git a/src/src/receive.c b/src/src/receive.c
index 914b1d2..f331d2a 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -3022,14 +3022,29 @@ else
                appears in the expanded list. */
             if (seen_items != NULL)
               {
+              uschar *seen_item = NULL;
+              uschar seen_item_buf[256];
               uschar *seen_items_list = seen_items;
-              if (match_isinlist(item,
-                    &seen_items_list,0,NULL,NULL,MCL_STRING,TRUE,NULL) == OK)
+              int seen_this_item = 0;
+              
+              while ((seen_item = string_nextinlist(&seen_items_list, &sep,
+                                                    seen_item_buf,
+                                                    sizeof(seen_item_buf))) != 
NULL)
+                {
+                  if (Ustrcmp(seen_item,item) == 0)
+                    {
+                      seen_this_item = 1;
+                      break;
+                    } 
+                }
+
+              if (seen_this_item > 0)
                 {
                 DEBUG(D_receive)
                   debug_printf("acl_smtp_dkim: skipping signer %s, already 
seen\n", item);
                 continue;
                 }
+              
               seen_items = 
string_append(seen_items,&seen_items_size,&seen_items_offset,1,":");
               }
 
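Review bot: The inner `while` walk added here passes `&sep`, the separator variable shared with the enclosing signer loop (declared outside this hunk), yet `seen_items` is joined with a literal `":"` on the context line at the end; if the outer signers list carried a non-default separator (`<;` style) and, as I believe `string_nextinlist` does for the outer walk, that separator was written back into `sep`, the seen list would be split on the wrong character and the duplicate check would silently miss. A dedicated separator keeps the build and the scan in step: declare `int seen_sep = ':';` next to `seen_this_item` and call `string_nextinlist(&seen_items_list, &seen_sep, seen_item_buf, sizeof(seen_item_buf))`. The worst case is only a repeated ACL run for a repeated signer, not a return of the list-expansion path that this commit removes for CVE-2011-1407, but it is cheap to close; `seen_this_item` would also read more naturally as a `BOOL` set to `TRUE`, matching the file's existing convention. The enclosing signer loop begins before and ends after this hunk.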
++++++ da80c2a8ed49427334af613c00df65ae301cacdd.patch ++++++
From: Phil Pennock <[email protected]>
Date: Thu, 24 Mar 2011 06:37:39 +0000 (-0400)
Subject: Extra paranoia around STARTTLS-with-data-in-buffer.
X-Git-Tag: exim-4_76_RC1~9
X-Git-Url: 
http://git.exim.org/exim.git/commitdiff_plain/da80c2a8ed49427334af613c00df65ae301cacdd

Extra paranoia around STARTTLS-with-data-in-buffer.
---

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 2ef6977..500000b 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -3844,6 +3844,23 @@ while (done <= 0)
     toomany = FALSE;
     cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = FALSE;
 
+    /* There's an attack where more data is read in past the STARTTLS command
+    before TLS is negotiated, then assumed to be part of the secure session
+    when used afterwards; we use segregated input buffers, so are not
+    vulnerable, but we want to note when it happens and, for sheer paranoia,
+    ensure that the buffer is "wiped".
+    Pipelining sync checks will normally have protected us too, unless disabled
+    by configuration. */
+
+    if (receive_smtp_buffered())
+      {
+      DEBUG(D_any)
+        debug_printf("Non-empty input buffer after STARTTLS; naive attack?");
+      if (tls_active < 0)
+        smtp_inend = smtp_inptr = smtp_inbuffer;
+      /* and if TLS is already active, tls_server_start() should fail */
+      }
+
     /* Attempt to start up a TLS session, and if successful, discard all
     knowledge that was obtained previously. At least, that's what the RFC says,
     and that's what happens by default. However, in order to work round YAEB,
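Review bot: The only record of the suspicious condition inside the added `if (receive_smtp_buffered())` block is a `DEBUG(D_any)` message, so on a production server not running with debugging nothing is logged when a client pipelines plaintext behind STARTTLS, even though the comment itself frames the event as an attack indicator; a `log_write(0, LOG_MAIN, ...)` beside the `debug_printf` call, naming the peer the way the surrounding SMTP session logging does, would give operators a detectable event. The debug string on that line also lacks the trailing `\n` that the other `debug_printf` calls in this codebase carry, so it will run into the next debug line. The comment's "wiped" overstates what `smtp_inend = smtp_inptr = smtp_inbuffer;` does: it discards the buffered bytes by resetting the pointers but leaves their contents in memory, so either reword to `/* discard (not zero) any plaintext read past STARTTLS */` or add a `memset` of the used region if actual wiping is intended. The enclosing STARTTLS case and its `while (done <= 0)` loop extend beyond this hunk.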

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


