Hello community, here is the log from the commit of package exim for openSUSE:Factory checked in at 2014-07-26 09:42:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/exim (Old) and /work/SRC/openSUSE:Factory/.exim.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "exim" Changes: -------- --- /work/SRC/openSUSE:Factory/exim/exim.changes 2014-01-30 14:54:32.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.exim.new/exim.changes 2014-07-26 09:42:27.000000000 +0200 @@ -1,0 +2,38 @@ +Wed Jul 23 13:09:41 UTC 2014 - [email protected] + +- Add silence-static-checkers.patch; (beo#1506). + +------------------------------------------------------------------- +Wed Jul 23 10:08:04 UTC 2014 - [email protected] + +- update to 4.83 + This release of Exim includes one incompatible fix: + + the behavior of expansion of arguments to math comparison functions + (<, <=, =, =>, >) was unexpected, expanding the values twice; + CVE-2014-2972; (bnc#888520) + This release contains the following enhancements and bugfixes: + + PRDR was promoted from Experimental to mainline + + OCSP Stapling was promoted from Experimental to mainline + + new Experimental feature Proxy Protocol + + new Experimental feature DSN (Delivery Status Notifications) + + TLS session improvements + + TLS SNI fixes + + LDAP enhancements + + DMARC fixes (previous CVE-2014-2957) and new $dmarc_domain_policy + + several new operations (listextract, utf8clean, md5, sha1) + + enforce header formatting with verify=header_names_ascii + + new commandline option -oMm + + new TLSA dns lookup + + new malware "sock" type + + cutthrough routing enhancements + + logging enhancements + + DNSSEC enhancements + + exiqgrep enhancements + + deprecating non-standard SPF results + + build and portability fixes + + documentation fixes and enhancements +- Verify source tar ball gpg signature. +- Refresh exim-enable_ecdh_openssl.patch and strip version number from the + patch filename. + +------------------------------------------------------------------- 
@@ -419,0 +458,6 @@ + +------------------------------------------------------------------- +Fri May 20 17:05:34 CEST 2011 - [email protected] + +- Fixed another remote code execution issue (CVE-2011-1407 / bnc#694798) +- Fixed STARTTLS command injection (bnc#695144) Old: ---- exim-4.82.tar.bz2 exim482-enable_ecdh_openssl.patch New: ---- exim-4.83.tar.bz2 exim-4.83.tar.bz2.asc exim-enable_ecdh_openssl.patch exim-pubkey_04d29eba.asc silence-static-checkers.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ exim.spec ++++++ --- /var/tmp/diff_new_pack.CjRPoI/_old 2014-07-26 09:42:28.000000000 +0200 +++ /var/tmp/diff_new_pack.CjRPoI/_new 2014-07-26 09:42:28.000000000 +0200 @@ -39,6 +39,7 @@ %if %{?suse_version:%suse_version}%{?!suse_version:0} > 800 Requires: logrotate %if 0%{?suse_version} > 1220 +BuildRequires: gpg-offline BuildRequires: pkgconfig(systemd) %{?systemd_requires} %else @@ -48,7 +49,7 @@ Requires(pre): /usr/sbin/useradd Requires(pre): fileutils textutils %endif -Version: 4.82 +Version: 4.83 Release: 0 %if %{?build_with_mysql:1}0 BuildRequires: mysql-devel @@ -63,6 +64,8 @@ Group: Productivity/Networking/Email/Servers BuildRoot: %{_tmppath}/%{name}-%{version}-build Source: exim-%{version}.tar.bz2 +Source3: exim-%{version}.tar.bz2.asc +Source4: exim-pubkey_04d29eba.asc Source1: sysconfig.exim Source2: exim.logrotate Source11: exim.rc @@ -73,7 +76,8 @@ Source31: eximstats.conf Source32: exim.service Patch: exim-tail.patch -Patch1: exim482-enable_ecdh_openssl.patch +Patch1: exim-enable_ecdh_openssl.patch +Patch2: silence-static-checkers.patch %if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 %package -n eximon 
@@ -123,9 +127,11 @@ %endif %prep +%{?gpg_verify: %gpg_verify --keyring %{SOURCE4} %{SOURCE3}} %setup -q -n exim-%{version} %patch %patch1 -p1 +%patch2 -p1 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930 fPIE="-fPIE" ++++++ exim-4.82.tar.bz2 -> exim-4.83.tar.bz2 ++++++ ++++ 19368 lines of diff (skipped) ++++++ exim-enable_ecdh_openssl.patch ++++++ # Taken from: # http://bugs.exim.org/show_bug.cgi?id=1397 # http://bugs.exim.org/attachment.cgi?id=661 Index: exim-4.83/src/globals.c =================================================================== --- exim-4.83.orig/src/globals.c +++ exim-4.83/src/globals.c @@ -150,6 +150,7 @@ that's the interop problem which has bee bit-count as "NORMAL" (2432) and Thunderbird dropping connection. */ int tls_dh_max_bits = 2236; uschar *tls_dhparam = NULL; +uschar *tls_eccurve = NULL; #ifndef DISABLE_OCSP uschar *tls_ocsp_file = NULL; #endif Index: exim-4.83/src/globals.h =================================================================== --- exim-4.83.orig/src/globals.h +++ exim-4.83/src/globals.h @@ -114,6 +114,7 @@ extern uschar *tls_channelbinding_b64; / extern uschar *tls_crl; /* CRL File */ extern int tls_dh_max_bits; /* don't accept higher lib suggestions */ extern uschar *tls_dhparam; /* DH param file */ +extern uschar *tls_eccurve; /* EC curve */ #ifndef DISABLE_OCSP extern uschar *tls_ocsp_file; /* OCSP stapling proof file */ #endif Index: exim-4.83/src/readconf.c =================================================================== --- exim-4.83.orig/src/readconf.c +++ exim-4.83/src/readconf.c 
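Review bot: The signature check added to `%prep` in the exim.spec hunk is wrapped in `%{?gpg_verify: ...}`, so it expands to nothing wherever that macro is undefined. The `BuildRequires: gpg-offline` that presumably supplies the macro is added only inside the `%if 0%{?suse_version} > 1220` branch of the first spec hunk, so builds for older targets would unpack `exim-%{version}.tar.bz2` without checking `Source3` against `Source4`, and nothing in the build log would say so. If the skip is intended, say so next to the line, for example `# tarball signature is only verified where gpg-offline is available (suse_version > 1220)`. The keyring file name carries only the short key ID `04d29eba`, so the trust anchor is the contents of `exim-pubkey_04d29eba.asc` as checked in, and its full fingerprint is worth confirming against the upstream release key when the file is added or refreshed.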
@@ -440,6 +440,7 @@ static optionlist optionlist_config[] = { "tls_crl", opt_stringptr, &tls_crl }, { "tls_dh_max_bits", opt_int, &tls_dh_max_bits }, { "tls_dhparam", opt_stringptr, &tls_dhparam }, + { "tls_eccurve", opt_stringptr, &tls_eccurve }, # ifndef DISABLE_OCSP { "tls_ocsp_file", opt_stringptr, &tls_ocsp_file }, # endif Index: exim-4.83/src/tls-openssl.c =================================================================== --- exim-4.83.orig/src/tls-openssl.c +++ exim-4.83/src/tls-openssl.c @@ -497,6 +497,59 @@ return TRUE; +#if !defined(OPENSSL_NO_ECDH) +static BOOL +init_ecdh(SSL_CTX *sctx, host_item *host) +{ +EC_KEY *ecdh; +int nid; + +# if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10002000L +/* check if OpenSSL >= 1.0.2 auto ECDH temp key parameter selection should be used */ +if (Ustrcmp(tls_eccurve, "auto") == 0) + { + DEBUG(D_tls) debug_printf("ECDH temp key parameter settings: OpenSSL 1.2+ autoselection\n"); + SSL_CTX_set_ecdh_auto(sctx, 1); + return TRUE; + } +# endif + +if (tls_eccurve == NULL) + { + DEBUG(D_tls) + debug_printf("ECDH curve (default): prime256v1\n", tls_eccurve); + nid = NID_X9_62_prime256v1; + } +else + { + /* search curve name */ + DEBUG(D_tls) + debug_printf("ECDH curve: %s\n", tls_eccurve); + nid = OBJ_sn2nid((uschar *)tls_eccurve); + if (nid == 0) + { + tls_error(string_sprintf("Unkown curve name tls_eccurve \"%s\"", tls_eccurve), + host, NULL); + return FALSE; + } + } + +ecdh = EC_KEY_new_by_curve_name(nid); +if (ecdh == NULL) + { + tls_error("Unable to create ec curve", + host, NULL); + return FALSE; + } + +SSL_CTX_set_tmp_ecdh(sctx, ecdh); +EC_KEY_free(ecdh); + +return TRUE; +} +#endif + + #ifndef DISABLE_OCSP /************************************************* 
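Review bot: In the tls-openssl.c hunk, `init_ecdh()` calls `Ustrcmp(tls_eccurve, "auto")` before the `tls_eccurve == NULL` test, and the globals.c hunk initialises `tls_eccurve` to NULL, so on builds with `OPENSSL_VERSION_NUMBER >= 0x10002000L` an unset option reaches the string compare as a null pointer. Guard the comparison with `if (tls_eccurve != NULL && Ustrcmp(tls_eccurve, "auto") == 0)`, or move the NULL branch above the `# if` block. The result of `SSL_CTX_set_tmp_ecdh(sctx, ecdh)` is also ignored, so a failure to install the curve still returns TRUE; checking it and reporting through `tls_error()` would match the other failure paths in the function. Smaller points in the same function: the default-curve `debug_printf` passes `tls_eccurve` although its format string has no conversion, and the messages read "Unkown" and "OpenSSL 1.2+" where "Unknown" and "1.0.2+" appear to be meant.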
@@ -1134,6 +1187,11 @@ if (!init_dh(*ctxp, dhparam, host)) retu rc = tls_expand_session_files(*ctxp, cbinfo); if (rc != OK) return rc; +#if !defined(OPENSSL_NO_ECDH) +/* Initialize ECDH temp key parameter selection */ +if (!init_ecdh(*ctxp, host)) return DEFER; +#endif + /* If we need to handle SNI, do so */ #ifdef EXIM_HAVE_OPENSSL_TLSEXT if (host == NULL) /* server */ ++++++ silence-static-checkers.patch ++++++ Author: Lars Mueller <[email protected]> Date: Wed Jul 23 07:22:52 2014 -0700 Bug 1506: Silence static checkers. ยทยทยทยท Re-adds a return NULL which was removed because it was redundant. Static checkers don't parse the logic, so adding it back to make them happy. Index: exim-4.83/src/expand.c =================================================================== --- exim-4.83.orig/src/expand.c +++ exim-4.83/src/expand.c @@ -1879,6 +1879,8 @@ switch (vp->type) #endif } + +return NULL; /* Unknown variable. Silences static checkers. */ } -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
