Viewing all changes in revision 33.
- Committer: Bazaar Package Importer
- Date: 2011-02-08 11:31:29 UTC
- Revision ID: james.westby@ubuntu.com-20110208113129-ri8y5c2s6hurn80t
* SECURITY UPDATE: local privilege escalation via alternate config file
(LP: #697934)
- debian/patches/80_CVE-2010-4345.patch: backport massive behaviour-
altering changes from upstream git to fix issue.
- debian/patches/81_CVE-2010-4345-docs.patch: backport documentation
changes.
- debian/patches/67_unnecessaryCopt.dpatch: Do not use exim's -C option
in utility scripts. This would not work with ALT_CONFIG_PREFIX.
Patch obtained from Debian's 4.69-9+lenny2.
- Build with WHITELIST_D_MACROS=OUTGOING. After this security update,
exim will not regain root privileges (usually necessary for local
delivery) if the -D option was used. Macro identifiers listed in
WHITELIST_D_MACROS are exempted from this restriction. mailscanner
(4.79.11-2.2) uses -DOUTGOING.
- Build with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. After this
security update, exim will not re-gain root privileges (usually
necessary for local delivery) if the -C option was used. This makes
it impossible to start a fully functional damon with an alternate
configuration file. /etc/exim4/trusted_configs (can) contain a list
of filenames (one per line, full path given) to which this
restriction does not apply.
- debian/exim4-daemon-*.NEWS: Add description of changes. Thanks to
Debian and Andreas Metzler for the text.
- CVE-2010-4345
* SECURITY UPDATE: arbitrary file append via symlink attack (LP: #708023)
- debian/patches/82_CVE-2011-0017.patch: check setuid and setgid return
codes in src/exim.c, src/log.c.
- CVE-2011-0017
* SECURITY UPDATE: denial of service and possible arbitrary code
execution via hard link to another user's file (LP: #609620)
- debian/patches/CVE-2010-2023.patch: check for links in
src/transports/appendfile.c.
- CVE-2010-2023
* SECURITY UPDATE: denial of service and possible arbitrary code
execution via symlink on a lock file (LP: #609620)
- debian/patches/CVE-2010-2024.patch: improve lock file handling in
src/exim_lock.c, src/transports/appendfile.c.
- CVE-2010-2024
* debian/rules: disable debconf-updatepo so the security update doesn't
alter translations.
(LP: #697934)
- debian/patches/80_CVE-2010-4345.patch: backport massive behaviour-
altering changes from upstream git to fix issue.
- debian/patches/81_CVE-2010-4345-docs.patch: backport documentation
changes.
- debian/patches/67_unnecessaryCopt.dpatch: Do not use exim's -C option
in utility scripts. This would not work with ALT_CONFIG_PREFIX.
Patch obtained from Debian's 4.69-9+lenny2.
- Build with WHITELIST_D_MACROS=OUTGOING. After this security update,
exim will not regain root privileges (usually necessary for local
delivery) if the -D option was used. Macro identifiers listed in
WHITELIST_D_MACROS are exempted from this restriction. mailscanner
(4.79.11-2.2) uses -DOUTGOING.
- Build with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. After this
security update, exim will not re-gain root privileges (usually
necessary for local delivery) if the -C option was used. This makes
it impossible to start a fully functional damon with an alternate
configuration file. /etc/exim4/trusted_configs (can) contain a list
of filenames (one per line, full path given) to which this
restriction does not apply.
- debian/exim4-daemon-*.NEWS: Add description of changes. Thanks to
Debian and Andreas Metzler for the text.
- CVE-2010-4345
* SECURITY UPDATE: arbitrary file append via symlink attack (LP: #708023)
- debian/patches/82_CVE-2011-0017.patch: check setuid and setgid return
codes in src/exim.c, src/log.c.
- CVE-2011-0017
* SECURITY UPDATE: denial of service and possible arbitrary code
execution via hard link to another user's file (LP: #609620)
- debian/patches/CVE-2010-2023.patch: check for links in
src/transports/appendfile.c.
- CVE-2010-2023
* SECURITY UPDATE: denial of service and possible arbitrary code
execution via symlink on a lock file (LP: #609620)
- debian/patches/CVE-2010-2024.patch: improve lock file handling in
src/exim_lock.c, src/transports/appendfile.c.
- CVE-2010-2024
* debian/rules: disable debconf-updatepo so the security update doesn't
alter translations.
- files added:
- .pc
- .pc/20_PDKIM-Upgrade-PolarSSL.diff
- .pc/20_PDKIM-Upgrade-PolarSSL.diff/src
- .pc/20_PDKIM-Upgrade-PolarSSL.diff/src/pdkim
- .pc/30_dontoverridecflags.dpatch
- .pc/30_dontoverridecflags.dpatch/OS
- .pc/31_eximmanpage.dpatch
- .pc/31_eximmanpage.dpatch/doc
- .pc/32_exim4.dpatch
- .pc/32_exim4.dpatch/OS
- .pc/32_exim4.dpatch/src
- .pc/33_eximon.binary.dpatch
- .pc/33_eximon.binary.dpatch/OS
- .pc/34_eximstatsmanpage.dpatch
- .pc/34_eximstatsmanpage.dpatch/src
- .pc/35_install.dpatch
- .pc/35_install.dpatch/scripts
- .pc/36_typoinexipick.diff
- .pc/36_typoinexipick.diff/src
- .pc/50_localscan_dlopen.dpatch
- .pc/50_localscan_dlopen.dpatch/src
- .pc/60_convert4r4.dpatch
- .pc/60_convert4r4.dpatch/src
- .pc/66_enlarge-dh-parameters-size.dpatch
- .pc/66_enlarge-dh-parameters-size.dpatch/src
- .pc/67_unnecessaryCopt.dpatch
- .pc/67_unnecessaryCopt.dpatch/src
- .pc/70_remove_exim-users_references.dpatch
- .pc/70_remove_exim-users_references.dpatch/src
- .pc/71_exiq_grep_error_on_messages_without_size.dpatch
- .pc/71_exiq_grep_error_on_messages_without_size.dpatch/src
- .pc/80_CVE-2010-4345.patch
- .pc/80_CVE-2010-4345.patch/src
- .pc/81_CVE-2010-4345-docs.patch
- .pc/81_CVE-2010-4345-docs.patch/doc
- .pc/82_CVE-2011-0017.patch
- .pc/82_CVE-2011-0017.patch/src
- .pc/83_CVE-2010-2023.patch
- .pc/83_CVE-2010-2023.patch/src
- .pc/83_CVE-2010-2023.patch/src/transports
- .pc/84_CVE-2010-2024.patch
- .pc/84_CVE-2010-2024.patch/src
- .pc/84_CVE-2010-2024.patch/src/transports
- files removed:
- debian/patches/.dpkg-source-applied
- files modified:
- debian/EDITME.exim4-heavy.diff
expand all
collapse all
added
removed
