Your message dated Sat, 05 Jan 2013 14:36:35 +0100
with message-id <[email protected]>
and subject line Re: Bug#697444: unblock: exim4/4.80-7
has caused the Debian Bug report #697444,
regarding unblock: exim4/4.80-7
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
697444: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697444
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package exim4. This is a minimal single-bugfix upload
for #697057.
Debian's exim configuration optionally allows using spfquery to run
SPF checks on incoming mail. Due to insufficient quoting it is
possible to pass on arbitrary arguments to spfquery and therefore
bypass SPF checks.
unblock exim4/4.80-7
thanks, cu andreas
File lists identical (after any substitutions)
Control files of package exim4: lines which differ (wdiff format)
-----------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}
Control files of package exim4-base: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}
Control files of package exim4-config: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}
Control files of package exim4-daemon-heavy: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}
Control files of package exim4-daemon-heavy-dbg: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}
Control files of package exim4-daemon-light: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}
Control files of package exim4-daemon-light-dbg: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}
Control files of package exim4-dbg: lines which differ (wdiff format)
---------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}
Control files of package exim4-dev: lines which differ (wdiff format)
---------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}
Control files of package eximon4: lines which differ (wdiff format)
-------------------------------------------------------------------
Version: [-4.80-6-] {+4.80-7+}
diff -Nru exim4-4.80/debian/changelog exim4-4.80/debian/changelog
--- exim4-4.80/debian/changelog 2012-11-21 19:08:56.000000000 +0100
+++ exim4-4.80/debian/changelog 2013-01-02 19:37:26.000000000 +0100
@@ -1,3 +1,11 @@
+exim4 (4.80-7) unstable; urgency=low
+
+ * Use exim's ${quote:xxx} operator when invoking spfquery to disallow
+ bypassing of SPF validation by using special mailbox names. (Thanks to
+ Lekensteyn for diagnosis and testing.) Closes: #697057
+
+ -- Andreas Metzler <[email protected]> Wed, 02 Jan 2013 19:37:21 +0100
+
exim4 (4.80-6) unstable; urgency=low
* Cherrypick two changes from GIT:
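Review bot: the changelog entry describes the fix only in terms of "special mailbox names", but the ACL hunk in this same upload wraps three values in ${quote:...}: $sender_host_address, $sender_address and $sender_helo_name. Name all three (for example "when passing $sender_host_address, $sender_address and $sender_helo_name to spfquery") so that anyone auditing or backporting the change can see its full scope from the changelog alone.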
diff -Nru exim4-4.80/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt exim4-4.80/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
--- exim4-4.80/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt 2012-09-23 12:07:23.000000000 +0200
+++ exim4-4.80/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt 2013-01-02 19:36:16.000000000 +0100
@@ -265,10 +265,10 @@
log_message = SPF check failed.
!acl = acl_local_deny_exceptions
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
- \"$sender_host_address\" --identity \
+ ${quote:$sender_host_address} --identity \
${if def:sender_address_domain \
- {--scope mfrom --identity \"$sender_address\"}\
- {--scope helo --identity \"$sender_helo_name\"}}}\
+ {--scope mfrom --identity ${quote:$sender_address}}\
+ {--scope helo --identity ${quote:$sender_helo_name}}}}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
defer
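Review bot: the replaced lines are the core of the fix and look correct: `\"$sender_address\"` places literal double quotes around the expanded value but escapes nothing inside it, so a value that itself contains a double quote terminates the quoted argument and the remainder is split into further spfquery arguments, whereas `${quote:...}` backslash-escapes embedded double quotes and backslashes, so each value reaches spfquery as exactly one argument. Two suggestions for the same file: add a one-line comment above `condition =` recording that these three variables are remote-supplied SMTP data and must stay inside ${quote:}, so a later edit does not reintroduce the `\"...\"` form; and since the trailing `{no}{${if eq {$runrc}{1}{yes}{no}}}` line is left unchanged, state in the changelog or a comment that only exit status 1 is treated as an SPF failure, as that behaviour is now the only part of the condition not covered by this review.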
--- End Message ---
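The quoting defect described in the request above, shown as an added example (it is not code from the bug report or from the exim4 package): a small model of Exim's ${quote:} operator, written from the Exim specification's description of it (an assumption, not Exim's own code), next to the pre-fix pattern of bare double quotes around the expanded value. Python's shlex is used as a stand-in for the way ${run} splits its command string into arguments (also an assumption; it follows shell-style quoting rules, which is close enough to show why one form is safe and the other is not). The IP address and identity values are constructed sample input.

```python
import re
import shlex

# Characters Exim's quote operator passes through unquoted: letters, digits,
# underscore, dot and hyphen (assumption taken from the Exim spec).
_SAFE = re.compile(r'^[A-Za-z0-9_.-]+$')


def exim_quote(value: str) -> str:
    """Model of ${quote:value} (assumption based on the Exim spec).

    An empty value, or one containing anything outside _SAFE, is wrapped in
    double quotes, and any embedded double quote or backslash is escaped with
    a backslash, so the result always survives argument splitting as a
    single argument.
    """
    if value and _SAFE.match(value):
        return value
    escaped = value.replace('\\', '\\\\').replace('"', '\\"')
    return f'"{escaped}"'


def naive_quote(value: str) -> str:
    """The pre-fix pattern: literal double quotes around the expanded value,
    with nothing inside it escaped."""
    return f'"{value}"'


def spfquery_argv(quote, ip: str, identity: str) -> list:
    """Build the spfquery command string the way the ACL does (mfrom scope,
    hypothetical command name) and split it into arguments with shlex as a
    stand-in for ${run}'s argument splitting."""
    cmd = f'spfquery --ip {quote(ip)} --scope mfrom --identity {quote(identity)}'
    return shlex.split(cmd)


def identity_is_single_argument(quote, identity: str) -> bool:
    """True when the identity value arrives at spfquery as exactly one
    argument, i.e. the argv has the expected seven elements."""
    return len(spfquery_argv(quote, '192.0.2.1', identity)) == 7


if __name__ == '__main__':
    benign = '[email protected]'          # constructed sample
    hostile_shaped = 'x" y "z'                # constructed: embedded quotes and spaces
    for label, quote in (('naive', naive_quote), ('${quote:}', exim_quote)):
        for value in (benign, hostile_shaped):
            argv = spfquery_argv(quote, '192.0.2.1', value)
            print(f'{label:10} {value!r:14} -> {len(argv)} args: {argv[6:]}')
```

With the benign identity both forms yield seven arguments. With the constructed value containing embedded double quotes, the naive form splits into nine (the identity becomes three separate arguments), while the ${quote:} model keeps it as the single argument `x" y "z`, which is exactly the property the ACL change relies on.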
--- Begin Message ---
On 2013-01-05 14:11, Andreas Metzler wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package exim4. This is a minimal single-bugfix upload
> for #697057.
>
> Debian's exim configuration optionally allows using spfquery to run
> SPF checks on incoming mail. Due to insufficient quoting it is
> possible to pass on arbitrary arguments to spfquery and therefore
> bypass SPF checks.
>
> unblock exim4/4.80-7
>
> thanks, cu andreas
Thanks for the report. However, exim4 has been unblocked by Adam since
the 2nd of January (AFAICT), so I am closing this bug now.
grep-excuses <source> from devscripts can be helpful in detecting
whether or not a given package has a hint.
~Niels
--- End Message ---