author    Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>  2021-05-27 23:18:04 +0200
committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>  2021-05-27 23:18:04 +0200
commit    31f5b3492bde6a055c0c349a3d46718bd5a7e4f0 (patch)
tree      588b31ed9b8aaf8a267cecb9ff9586cd63cf4927 /doc
parent    eae427c645a7d0e2051b0600d2e4235789740132 (diff)
parent    7242147951e127e0db14f9edc070251e110fedea (diff)
Merge branch 'qualys-2020'

- all Qualys patches from 4.94.2
- all fixes from 4.94.2+fixes if not applied yet
Diffstat (limited to 'doc')

-rw-r--r--  doc/doc-docbook/spec.xfpt     21
-rw-r--r--  doc/doc-txt/ChangeLog         57
-rw-r--r--  doc/doc-txt/Exim4.upgrade     18
-rw-r--r--  doc/doc-txt/OptionLists.txt    2
-rw-r--r--  doc/doc-txt/cve-2020-qualys    2

5 files changed, 91 insertions, 9 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 9b8c92bbd..68d9c056f 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -51,6 +51,8 @@
.set ACL "access control lists (ACLs)"
.set I "&nbsp;&nbsp;&nbsp;&nbsp;"
+.set drivernamemax "64"
+
.macro copyyear
2020
.endmacro
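Review bot: the new `.set drivernamemax "64"` hard-codes the limit as a documentation macro, and nothing in this hunk ties it to the value the code actually enforces; add a comment beside the `.set` naming the source constant it mirrors, so that a later change to the enforced limit cannot leave the documented 64 silently out of date.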
@@ -17392,7 +17394,7 @@ or if the message was submitted locally (not using TCP/IP), and the &%-bnq%&
option was not set.
-.option recipients_max main integer 0
+.option recipients_max main integer 50000
.cindex "limit" "number of recipients"
.cindex "recipient" "maximum number"
If this option is set greater than zero, it specifies the maximum number of
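Review bot: the `.option recipients_max` line changes the default from 0 to 50000, but the explanatory text that follows still describes only the greater-than-zero case and says nothing about the changed default; add a `.new`/`.wen` note (as the driver-name hunks in this same patch do) stating that the default was 0 (unlimited) before 4.95 and is 50000 from 4.95 on, so administrators relying on the old unlimited behaviour know they must now set the option explicitly.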
@@ -18802,6 +18804,11 @@ which the preconditions are tested. The order of expansion of the options that
provide data for a transport is: &%errors_to%&, &%headers_add%&,
&%headers_remove%&, &%transport%&.
+.new
+The name of a router is limited to be &drivernamemax; ASCII characters long;
+prior to Exim 4.95 names would be silently truncated at this length, but now
+it is enforced.
+.wen
.option address_data routers string&!! unset
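Review bot: "limited to be &drivernamemax; ASCII characters long" is awkward and "now it is enforced" does not say what a reader will observe when a name exceeds the limit; suggest "The name of a router is limited to &drivernamemax; ASCII characters; prior to Exim 4.95 longer names were silently truncated, but now ..." completed with the actual behaviour (is a longer name a configuration error at startup?). Also, unlike the transport and authenticator insertions further down in this patch, there is no blank line between `.wen` and the following `.option address_data` line; add one for consistency.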
@@ -22345,6 +22352,12 @@ and &$original_domain$& is never set.
.scindex IIDgenoptra1 "generic options" "transport"
.scindex IIDgenoptra2 "options" "generic; for transports"
.scindex IIDgenoptra3 "transport" "generic options for"
+.new
+The name of a transport is limited to be &drivernamemax; ASCII characters long;
+prior to Exim 4.95 names would be silently truncated at this length, but now
+it is enforced.
+.wen
+
The following generic options apply to all transports:
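Review bot: this paragraph is the router paragraph repeated word for word with "transport" substituted, and the authenticator hunk below repeats it a third time; define the sentence once as an xfpt macro that takes the driver type, or keep a single paragraph and cross-reference it from the other two places, so the three copies cannot drift apart when the wording or the limit changes.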
@@ -27181,6 +27194,12 @@ permitted to use it as a relay. SMTP authentication is not of relevance to the
transfer of mail between servers that have no managerial connection with each
other.
+.new
+The name of an authenticator is limited to be &drivernamemax; ASCII characters long;
+prior to Exim 4.95 names would be silently truncated at this length, but now
+it is enforced.
+.wen
+
.cindex "AUTH" "description of"
.cindex "ESMTP extensions" AUTH
Very briefly, the way SMTP authentication works is as follows:
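Review bot: the inserted note lands between the paragraph on relaying and the `.cindex "AUTH"` lines that open the description of how SMTP authentication works, so it interrupts that overview; it reads better placed with the other generic authenticator material rather than immediately ahead of "Very briefly, the way SMTP authentication works is as follows:".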
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index df6efeea3..a5bce7e81 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -252,6 +252,63 @@ JH/53 Bug 2743: fix immediate-delivery via named queue. Previously this would
fail with a taint-check on the spoolfile name, and leave the message
queued.
+HS/01 Enforce absolute PID file path name.
+
+HS/02 Handle SIGINT as we handle SIGTERM: terminate the Exim process.
+
+PP/01 Add a too-many-bad-recipients guard to the default config's RCPT ACL.
+
+PP/02 Bug 2643: Correct TLS DH constants.
+ A missing NUL termination in our code-generation tool had led to some
+ incorrect Diffie-Hellman constants in the Exim source.
+ Reported by kylon94, code-gen tool fix by Simon Arlott.
+
+PP/03 Impose security length checks on various command-line options.
+ Fixes CVE-2020-SPRSS reported by Qualys.
+
+PP/04 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX
+ better. Reported by Qualys.
+
+PP/05 Fix security issue CVE-2020-PFPSN and guard against cmdline invoker
+ providing a particularly obnoxious sender full name.
+ Reported by Qualys.
+
+PP/06 Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()
+
+PP/07 Refuse to allocate too little memory, block negative/zero allocations.
+ Security guard.
+
+PP/08 Change default for recipients_max from unlimited to 50,000.
+
+PP/09 Fix security issue with too many recipients on a message (to remove a
+ known security problem if someone does set recipients_max to unlimited,
+ or if local additions add to the recipient list).
+ Fixes CVE-2020-RCPTL reported by Qualys.
+
+PP/10 Fix security issue in SMTP verb option parsing
+ Fixes CVE-2020-EXOPT reported by Qualys.
+
+PP/11 Fix security issue in BDAT state confusion.
+ Ensure we reset known-good where we know we need to not be reading BDAT
+ data, as a general case fix, and move the places where we switch to BDAT
+ mode until after various protocol state checks.
+ Fixes CVE-2020-BDATA reported by Qualys.
+
+HS/03 Die on "/../" in msglog file names
+
+QS/01 Creation of (database) files in $spool_dir: only uid=0 or the uid of
+ the Exim runtime user are allowed to create files.
+
+QS/02 PID file creation/deletion: only possible if uid=0 or uid is the Exim
+ runtime user.
+
+QS/03 When reading the output from interpreted forward files we do not
+ pass the pipe between the parent and the interpreting process to
+ executed child processes (if any).
+
+QS/04 Always die if requested from internal logging, even is logging is
+ disabled.
+
Exim version 4.94
-----------------
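Review bot: PP/03, PP/04, PP/05, PP/09, PP/10 and PP/11 cite identifiers of the form CVE-2020-SPRSS, CVE-2020-SLCWD, CVE-2020-PFPSN, CVE-2020-RCPTL, CVE-2020-EXOPT and CVE-2020-BDATA, which are not CVE-YYYY-NNNN numbers, whereas PP/06 uses the assigned CVE-2020-28016; replace them with the assigned numbers, or at least reference the new doc/doc-txt/cve-2020-qualys file added in this patch, so a reader of the ChangeLog can map each entry to a published advisory. Smaller points: QS/04 "even is logging is disabled" should read "even if logging is disabled", and PP/06 and PP/10 lack the terminating period the other entries use.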
diff --git a/doc/doc-txt/Exim4.upgrade b/doc/doc-txt/Exim4.upgrade
index 528d94d9c..86d4a4dda 100644
--- a/doc/doc-txt/Exim4.upgrade
+++ b/doc/doc-txt/Exim4.upgrade
@@ -468,11 +468,12 @@ Generic Router Options
. The way that require_files works has been changed. Each item in the list is
now separately expanded as the test proceeds. The use of leading ! and +
characters is unchanged. However, user and group checking is done differently.
- Previously, seteuid() was used, but seteuid() is no longer used in Exim (see
- "Security" below). Instead, Exim now scans along the components of the file
- path and checks the access for the given uid and gid. It expects "x" access
- on directories and "r" on the final file. This means that file access control
- lists (on those operating systems that have them) are ignored.
+ Previously, seteuid() was used, but seteuid() is no longer used (see
+ "Security" below) for checking the files required by this option. Instead,
+ Exim now scans along the components of the file path and checks the access
+ for the given uid and gid. It expects "x" access on directories and "r" on
+ the final file. This means that file access control lists (on those
+ operating systems that have them) are ignored.
Other Consequences of the Director/Router Merge
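Review bot: the reworded sentence "seteuid() is no longer used (see "Security" below) for checking the files required by this option" splits the verb from its object with the parenthetical; move the cross-reference to the end: "seteuid() is no longer used for checking the files required by this option (see "Security" below)."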
@@ -1380,8 +1381,11 @@ Security
--------
Exim 3 could be run in a variety of ways as far as security was concerned. This
-has all been simplified in Exim 4. The security-conscious might like to know
-that it no longer makes any use of the seteuid() function.
+has all been simplified in Exim 4. Exim dropped the use of seteuid() in
+most places. But recent (2020-10/2021-04) vulnerabilities forced us to
+re-introduce seteuid() for opening the database files (hint files) as secure as
+possible. For future (>= 4.95) versions we work on a solution that
+does not need the seteuid call.
. A UID and GID are required to be specified when Exim is compiled. They can be
now specified by name as well as by number, so the relevant options are now
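Review bot: "as secure as possible" should be "as securely as possible", and "recent (2020-10/2021-04) vulnerabilities" dates the text instead of versioning it; an upgrade document is read per release, so name the release that re-introduced seteuid() (the commit message says these are the 4.94.2 fixes) and point at doc/doc-txt/cve-2020-qualys for the details. The closing sentence "For future (>= 4.95) versions we work on a solution" also sits oddly in a patch whose spec changes already describe 4.95 behaviour; state what 4.95 itself does with seteuid() rather than promising future work.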
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index 183f6b722..59be0a06b 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -466,7 +466,7 @@ receive_timeout time 0s main
received_header_text string* + main
received_headers_max integer 30 main
recipient_unqualified_hosts host list unset main 4.00 replacing receiver_unqualified_hosts
-recipients_max integer 0 main 1.60
+recipients_max integer 50000 main 1.60 default changed in 4.95 (was 0)
recipients_max_reject boolean false main 1.70
redirect_router string unset routers 4.00
remote_max_parallel integer 1 main
diff --git a/doc/doc-txt/cve-2020-qualys b/doc/doc-txt/cve-2020-qualys
new file mode 100644
index 000000000..d5716444d
--- /dev/null
+++ b/doc/doc-txt/cve-2020-qualys
@@ -0,0 +1,2 @@
+For the vulnerabilites reported by Qualys in October 2020 please see the
+Exim Website: https://exim.org/static/doc/security/CVE-2020-qualys/
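Review bot: "vulnerabilites" is misspelled; it should be "vulnerabilities", and "Exim Website" would normally be "Exim website". Since the ChangeLog entries in this same patch refer to these issues by short tags rather than assigned numbers, consider listing the assigned CVE identifiers in this file alongside the URL so the mapping is available to readers working from the source tree alone.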