Bug#818349: exim4-base: Still warns about purging the environment, even with add_environment set
Control: severity -1 important
Control: retitle -1 NEWS doesn't clearly explain config changes needed for CVE-2016-1531

On Wed, 2016-03-16 at 19:39 +0100, Andreas Metzler wrote:
> On 2016-03-16 Ben Hutchings wrote:
> > Control: severity -1 serious
> > Control: tag -1 moreinfo
> >
> > Upgrading severity. I consider this release-critical because a package
> > should never:
> >
> > 1. Send spurious error messages from its cron job
> > 2. Recommend changing the configuration in a way that would undo a
> >    security fix
>
> Hello,
>
> the situation is this:
>
> * Upstream made a change (cleaning the environment by default) that in
>   their opinion could break existing systems. There is not a magic
>   switch that can be thrown to fix this. The safe default value (empty
>   environment) is exactly what causes the breakage. To point
>   administrators of failing systems in the right direction exim prints
>   a warning when keep_environment is not set.
>
> * Afaik the Debian config works fine with empty environment which is why
>   we have added an explicit "keep_environment =" to prevent the runtime
>   warning.

This is all good.

> * Otoh if you are running a custom configuration you will get
>   the warning exactly as upstream has intended and you will need to
>   decide whether you need to modify the environment. This also applies
>   to configuration based on the Debian configuration. - You'll need to
>   look at the configuration and decide whether modifying the runtime
>   environment is necessary. (You'll get a dpkg conffile prompt and need
>   to merge the changes.)

The warning isn't really very clear, though.

> * In addition there is an entry in exim4-config.NEWS.

I saw that, but it also wasn't that clear about what changes were needed.

> I am basically out of bright ideas on how to improve things from here.
> The whole thing is a trade-off, on one side now some people get a warning
> message without experiencing real breakage, on the other side if I patched
> out the warning message some people would just see a broken e-mail
> service without the helpful hint. Being in doubt I trusted upstream's
> choice.
>
> See http://article.gmane.org/gmane.mail.exim.devel/9142 and following.

Please expand the NEWS item to say that if you have a custom configuration
you *must* update it, and also refer to
https://exim.org/static/doc/CVE-2016-1531.txt which briefly explains the
new variables.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.
Bug#818349: exim4-base: Still warns about purging the environment, even with add_environment set
On Wed, 2016-03-16 at 17:41 +0100, Andreas Metzler wrote:
[...]
> exim4 (4.84.2-1) says this in
>
> a) debian/changelog
>   * Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the new
>     options. Set "keep_environment =" by default to avoid a runtime warning.
>     Bump exim4-config Breaks to exim4-daemon-* (<< 4.84.2).
[...]

This belongs in NEWS, not just changelog.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.
Processed: Re: Bug#818349: exim4-base: Still warns about purging the environment, even with add_environment set
Processing control commands:

> severity -1 important
Bug #818349 [exim4-base] exim4-base: Still warns about purging the environment, even with add_environment set
Severity set to 'important' from 'serious'
> retitle -1 NEWS doesn't clearly explain config changes needed for CVE-2016-1531
Bug #818349 [exim4-base] exim4-base: Still warns about purging the environment, even with add_environment set
Changed Bug title to 'NEWS doesn't clearly explain config changes needed for CVE-2016-1531' from 'exim4-base: Still warns about purging the environment, even with add_environment set'

-- 
818349: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818349
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#818349: exim4-base: Still warns about purging the environment, even with add_environment set
On 2016-03-16 Matthew Vernon wrote:
> Package: exim4-base
> Version: 4.84.2-1
> Severity: important
>
> Hi,
>
> I upgraded my jessie systems to 4.84.2-1 and added an add_environment
> setting thus:
>
> add_environment = <; PATH=/bin:/usr/bin
>
> The upstream advisory says:
>
> "If both options are not used in the configuration, Exim issues a
> warning on startup. This warning disappears if at least one of these
> options is used (even if set to an empty value)."
>
> Yet:
>
> root@mws-priv-21:~# /usr/sbin/exim4 -bP | grep environment
> LOG: MAIN
>   Warning: purging the environment.
>   Suggested action: use keep_environment.
> add_environment = <; PATH=/bin:/usr/bin
> keep_environment =
>
> This is clearly not the correct behaviour, and I'm getting a lot of
> cron mail :-(

Hello,

exim4 (4.84.2-1) says this in

a) debian/changelog
  * Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the new
    options. Set "keep_environment =" by default to avoid a runtime warning.
    Bump exim4-config Breaks to exim4-daemon-* (<< 4.84.2).
[...]
  Upstream followups on the CVE fix (Thanks, Heiko Schlittermann!):
[...]
  + Runtime warning is only generated if (and only if) keep_environment is
    unset and environment is nonempty.

b) /usr/share/doc/exim4-base/spec.txt.gz
  Current versions of Exim issue a warning during startup if you do not
  mention keep_environment in your runtime configuration file and if there
  is anything in your environment. Future versions may not issue that
  warning anymore.

So, this is documented behavior, pulling an enhancement for the issue from
upstream.

cu Andreas
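The rule quoted above (warn if and only if keep_environment is not mentioned in the runtime configuration and the environment is non-empty) is easy to misread, as the report shows: add_environment alone does not silence the warning, and "exim4 -bP" lists "keep_environment =" whether or not the configuration mentions the option, so the -bP output cannot tell you which case you are in. The script below is an added example written for this page, not code from the bug thread, the exim4 package or Exim itself. It reads the configuration file directly, emulates the documented check, and applies the same fix the Debian packaging uses ("keep_environment =" with an empty value). It assumes main-section options are written one per line as "name = value" (the function names, the constructed sample config and the environment-variable count passed as a number are all this example's own):

```shell
#!/bin/sh
# Added example (not from the bug thread, exim4 or Exim): audit an Exim
# runtime configuration for the CVE-2016-1531 environment options and
# emulate the documented startup-warning rule.
#
# Assumptions (not from the page): main-section options are written one per
# line as "name = value" (spaces optional) outside .ifdef blocks; the size
# of the process environment is passed in as a number so the check can be
# run against configs other than the live one.

# Exim's rule is "keep_environment mentioned", not "non-empty": an empty
# "keep_environment =" counts, add_environment on its own does not.
mentions_keep_environment() {   # $1 = config file; exit 0 if mentioned
    grep -Eq '^[[:space:]]*keep_environment[[:space:]]*=' "$1"
}

# Print the value of a main option (text after the first "="), or nothing
# if the option does not appear in the file.
option_value() {   # $1 = config file, $2 = option name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Emulate the documented check: warn iff keep_environment is not mentioned
# and the environment is non-empty.  Exit 0 when Exim would warn.
would_warn() {   # $1 = config file, $2 = number of environment variables
    if mentions_keep_environment "$1"; then
        return 1
    fi
    [ "$2" -gt 0 ]
}

# One-line verdict for humans.
audit_config() {   # $1 = config file, $2 = number of environment variables
    if would_warn "$1" "$2"; then
        echo "$1: keep_environment not mentioned, Exim will warn at startup"
    else
        echo "$1: ok (keep_environment='$(option_value "$1" keep_environment)')"
    fi
}

# The fix the Debian packaging applies by default: mention the option with
# an empty value.  This keeps the safe (empty) environment and silences the
# warning; list variables to keep only after reviewing what the config
# actually needs from the environment.
silence_warning() {   # $1 = config file
    printf 'keep_environment =\n' >> "$1"
}

# Demo on a constructed config reproducing the report: add_environment is
# set but keep_environment is not, so the warning still fires.
demo_cfg=$(mktemp)
printf 'add_environment = <; PATH=/bin:/usr/bin\n' > "$demo_cfg"
env_count=$(env | wc -l | tr -d ' ')
audit_config "$demo_cfg" "$env_count"
silence_warning "$demo_cfg"
audit_config "$demo_cfg" "$env_count"
rm -f "$demo_cfg"
```

On a live Debian system the values Exim actually uses are still best read with "exim4 -bP | grep environment", as in the report; the script only answers the separate question of whether the configuration file mentions the option at all, which is what decides whether the warning appears.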
Bug#818349: exim4-base: Still warns about purging the environment, even with add_environment set
On 2016-03-16 Ben Hutchings wrote:
> Control: severity -1 serious
> Control: tag -1 moreinfo
>
> Upgrading severity. I consider this release-critical because a package
> should never:
>
> 1. Send spurious error messages from its cron job
> 2. Recommend changing the configuration in a way that would undo a
>    security fix

Hello,

the situation is this:

* Upstream made a change (cleaning the environment by default) that in
  their opinion could break existing systems. There is not a magic
  switch that can be thrown to fix this. The safe default value (empty
  environment) is exactly what causes the breakage. To point
  administrators of failing systems in the right direction exim prints
  a warning when keep_environment is not set.

* Afaik the Debian config works fine with empty environment which is why
  we have added an explicit "keep_environment =" to prevent the runtime
  warning.

* Otoh if you are running a custom configuration you will get
  the warning exactly as upstream has intended and you will need to
  decide whether you need to modify the environment. This also applies
  to configuration based on the Debian configuration. - You'll need to
  look at the configuration and decide whether modifying the runtime
  environment is necessary. (You'll get a dpkg conffile prompt and need
  to merge the changes.)

* In addition there is an entry in exim4-config.NEWS.

I am basically out of bright ideas on how to improve things from here.
The whole thing is a trade-off, on one side now some people get a warning
message without experiencing real breakage, on the other side if I patched
out the warning message some people would just see a broken e-mail
service without the helpful hint. Being in doubt I trusted upstream's
choice.

See http://article.gmane.org/gmane.mail.exim.devel/9142 and following.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'