summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2021-06-15hosts_require_heloJeremy Harris
2021-06-13Testsuite: EC certJeremy Harris
2021-06-08Fix server creds cache invalidationJeremy Harris
Broken-by: 5fd673807d
2021-06-07compiler quieteningJeremy Harris
2021-06-07Re-fix non-Linux buildJeremy Harris
2021-06-06tidyingJeremy Harris
Vroken-by: ef77ddc923
2021-06-06Fix non-Linux buildJeremy Harris
2021-06-06Observability: listen queue backlogJeremy Harris
2021-06-06Testsuite: testcase for multiple listener sockets readyJeremy Harris
2021-06-06Avoid rescanning listen select setJeremy Harris
2021-06-06Compute select fd_set outside daemon loopJeremy Harris
2021-06-05Testsuite: fix OCSP/OpenSSL/1.3 testcaseJeremy Harris
2021-06-05Fix SSL creds file watching on kevent platforms (BSDs) for symlinksJeremy Harris
2021-06-04DMARC: note unsupported library versions issueJeremy Harris
2021-06-04debug: fix openssl outputJeremy Harris
2021-06-04Testsuite: regen certificates suite with fixed Authority IdentifierJeremy Harris
2021-06-03DKIM: under GnuTLS, permit weak algorithmsJeremy Harris
Recent versions of GnuTLS by default disallow use of some methods now regarded as weak. This probably mean sha1, which is deprecated per DKIM standards.
2021-06-03Testsuite: use higher-spec certs, for more-recent GnuTLS versions which ↵Jeremy Harris
deprecate weaker ones Needed for GnuTLS 3.6.15 (on Fedora 33)
2021-05-28tidyingJeremy Harris
2021-05-28Update testcase output to match newly applied default config limitJeremy Harris
Broken-by: f07847e436
2021-05-28Fix testsuite output for DB casesJeremy Harris
Broken-by: 186e99bafc
2021-05-28tidyingJeremy Harris
2021-05-28Logging: avoid pause during log-open under testsuiteJeremy Harris
It results in rearranged logging output, causing testsuite case failures The downside is that we lose debug visbility of the extra process startup Broken-by: b6c1434e47
2021-05-28Fix dmarc buildJeremy Harris
Broken-by: b6c1434e47
2021-05-28Docs: enhance section on redirect router :defer: & :fail:Jeremy Harris
2021-05-27Merge branch 'qualys-2020'Heiko Schlittermann (HS12-RIPE)
- all Qualys patches from 4.94.2 - all fixes from 4.94.2+fixes if not applied yet
2021-05-27Fix BDAT issue for body w/o trailing CRLF (again Bug 1974)Heiko Schlittermann (HS12-RIPE)
(cherry picked from commit 919111edac911ba9c15422eafd7c5bf14d416d26)
2021-05-27testsuite: reproduce BDAT with missing eol (Bug 1974)Heiko Schlittermann (HS12-RIPE)
(cherry picked from commit e9cecc465a570c1a4f34b199eae6bdd0a52ee2b0)
2021-05-27Cleanup docs on cve-2020-qualys, point to the Exim websiteHeiko Schlittermann (HS12-RIPE)
(cherry picked from commit 6429b0fc79595f120703c022ae99aa10d698f909)
2021-05-27rewrite: revert to unchecked result of parse_extract_address()Heiko Schlittermann (HS12-RIPE)
Now it breaks 471, and overlong addresses won't make it into the rewrite process, as they are handled as empty. (cherry picked from commit 506286c62b8786a926dafb5bb05d3103492b86bc)
2021-05-27Honour the outcome of parse_extract_address(), testsuite 471Heiko Schlittermann (HS12-RIPE)
(cherry picked from commit 39d83bf19fc0c4364e0a665360b14194c62e4ab4)
2021-05-27Update upgrade notes and source about use of seteuid()Heiko Schlittermann (HS12-RIPE)
(cherry picked from commit bc13bbca6e07267dfe0c4d275bb0a2e9aabf1dfb) (cherry picked from commit fee1a06ec05e58e0cda8cf04f28240688736f945)
2021-05-27CVE-2020-28007: Link attack in Exim's log directoryQualys Security Advisory
We patch this vulnerability by opening (instead of just creating) the log file in an unprivileged (exim) child process, and by passing this file descriptor back to the privileged (root) parent process. The two functions log_send_fd() and log_recv_fd() are inspired by OpenSSH's functions mm_send_fd() and mm_receive_fd(); thanks! This patch also fixes: - a NULL-pointer dereference in usr1_handler() (this signal handler is installed before process_log_path is initialized); - a file-descriptor leak in dmarc_write_history_file() (two return paths did not close history_file_fd). Note: the use of log_open_as_exim() in dmarc_write_history_file() should be fine because the documentation explicitly states "Make sure the directory of this file is writable by the user exim runs as." (cherry picked from commit 2502cc41d1d92c1413eca6a4ba035c21162662bd) (cherry picked from commit 93e9a18fbf09deb59bd133986f4c89aeb2d2d86a)
2021-05-27CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()Heiko Schlittermann (HS12-RIPE)
Based on Phil Pennock's commit 76a1ce77. Modified by Qualys. (cherry picked from commit f218fef171cbe9e61d10f15399aab8fa6956535b) (cherry picked from commit 8b1e9bc2cac17ee24d595c97dcf97d9b016f8a46)
2021-05-27SECURITY: Avoid modification of constant data in dkim handlingHeiko Schlittermann (HS12-RIPE)
Based on Heiko Schlittermann's commits f880c7f3 and c118c7f4. This fixes: 6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called with a global orig_data and hence canon_data, and the following line can therefore modify data that should be constant: 773 canon_data->len = b->bodylength - b->signed_body_bytes; For example, the following proof of concept sets lineending.len to 0 (this should not be possible): (sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25 (gdb) print lineending $1 = {data = 0x55e18035b2ad "\r\n", len = 2} (gdb) print &lineending.len $3 = (size_t *) 0x55e180385948 <lineending+8> (gdb) watch *(size_t *) 0x55e180385948 Hardware watchpoint 1: *(size_t *) 0x55e180385948 Old value = 2 New value = 0 (gdb) print lineending $5 = {data = 0x55e18035b2ad "\r\n", len = 0} (cherry picked from commit 92359a62a0e31734ad8069c66f64b37f9eaaccbe) (cherry picked from commit c5f2f5cf2a6b45ae7ba0ed15e04fbe014727b210)
2021-05-27SECURITY: Leave a clean smtp_out input buffer even in case of read errorHeiko Schlittermann (HS12-RIPE)
Based on Heiko Schlittermann's commit 54895bc3. This fixes: 7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated when -1 is returned. This does not seem to have bad consequences, but is maybe not the intended behavior. (cherry picked from commit 30f5d98786fb4e6ccfdd112fe65c153f0ee34c5f) (cherry picked from commit d600f6c4d0c5d33e3988dfbfee248ff6a1536673)
2021-05-27SECURITY: Always exit when LOG_PANIC_DIE is setQualys Security Advisory
(cherry picked from commit e20aa895b37f449d5c81c3e7b102fc534b5d23ba) (cherry picked from commit 3b8c0ceb7339329188e19efb907da950dbe691d1)
2021-05-27CVE-2020-28012: Missing close-on-exec flag for privileged pipeQualys Security Advisory
(cherry picked from commit 72dad1e64bb3d1ff387938f59678098cab1f60a3) (cherry picked from commit 645a31d16195bb6b73f0a0d0c04b2251e5b28421)
2021-05-27CVE-2020-28024: Heap buffer underflow in smtp_ungetc()Qualys Security Advisory
(cherry picked from commit 998e5a9db121c3eff15cac16859bdffd7adcbe57) (cherry picked from commit 638f7ca75694bcbb70cfbe7db2ef52af4aca5c83)
2021-05-27CVE-2020-28009: Integer overflow in get_stdinput()Qualys Security Advisory
(cherry picked from commit bbf1bb10bee5a1d7cbcc97f178b348189219eb7d) (cherry picked from commit 1241deaefb71c40436320af7d0bd04c7c9e54241)
2021-05-27CVE-2020-28015+28021: New-line injection into spool header fileQualys Security Advisory
(cherry picked from commit 31b1a42d0bd29cb05f85e56d3343b13bef20a2bd) (cherry picked from commit fcddccd650178ceeec3655c6c40f420164a8706e)
2021-05-27CVE-2020-28026: Line truncation and injection in spool_read_header()Heiko Schlittermann (HS12-RIPE)
This also fixes: 2/ In src/spool_in.c: 462 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1 463 && big_buffer[len-1] != '\n' 464 ) 465 { /* buffer not big enough for line; certs make this possible */ 466 uschar * buf; 467 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR; 468 buf = store_get_perm(big_buffer_size *= 2, FALSE); 469 memcpy(buf, big_buffer, --len); The --len in memcpy() chops off a useful byte (we know for sure that big_buffer[len-1] is not a '\n' because we entered the while loop). Based on a patch done by Qualys. (cherry picked from commit f0c307458e1ee81abbe7ed2d4a8d16b5cbd8a799) (cherry picked from commit 4daba4bec729a57fb0863af786a1395e70794c76)
2021-05-27CVE-2020-28022: Heap out-of-bounds read and write in extract_option()Heiko Schlittermann (HS12-RIPE)
Based on Phil Pennock's commit c5017adf. (cherry picked from commit 9e941e1807b624b255c9ec0f41a0b3a89e144de3) (cherry picked from commit 33d4c87653ddbbea9fd8cb8eb2ff78c149850006)
2021-05-27CVE-2020-28017: Integer overflow in receive_add_recipient()Heiko Schlittermann (HS12-RIPE)
Based on Phil Pennock's commit e3b441f7. (cherry picked from commit 18a19e18242edc5ab2082fa9c41cd6210d1b6087) (cherry picked from commit 605716b999a4ca6c7d5777ab7463058e9b055dc2)
2021-05-27SECURITY: Refuse negative and large store allocationsHeiko Schlittermann (HS12-RIPE)
Based on Phil Pennock's commits b34d3046 and e6c1606a. Done by Qualys. (cherry picked from commit 09d36bd64fc5bf71d8882af35c41ac4e8599acc1) (cherry picked from commit f9c58fb385343b8e3fa13988efcbd30ae3285ea7)
2021-05-27CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()Heiko Schlittermann (HS12-RIPE)
Based on Phil Pennock's 8a50c88a, done by Qualys (cherry picked from commit 8161c16ec7320ac6164954bade23179a0ed095eb) (cherry picked from commit 71585e8fcb8704a9f431f5a8d019280cccaad069)
2021-05-27CVE-2020-28011: Heap buffer overflow in queue_run()Qualys Security Advisory
(cherry picked from commit 6e1fb878e95f8e6f838ffde5258c7a969c981865) (cherry picked from commit 08102cbe8102f99b31655aa0e926c45b427efe6d)
2021-05-27CVE-2020-28010: Heap out-of-bounds write in main()Heiko Schlittermann (HS12-RIPE)
Based on Phil Pennock's 0f57feb4. Done by Qualys, modified by me. (cherry picked from commit b0982c2776048948ebae48574b70fa487684cb8c) (cherry picked from commit dbc3ab675c2e5e2a07ed13dc5ede4daa018600e7)
2021-05-27CVE-2020-28018: Use-after-free in tls-openssl.cQualys Security Advisory
(cherry picked from commit 6290686dd59d8158d100c67e8f96df27158a6fc5) (cherry picked from commit a53a7fcfb8216764e4420d8d263356b4ed7d5cef)
2021-05-27CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()Qualys Security Advisory
(cherry picked from commit cad30cd3fb96196e908e0d66b1b45fdf377c850c) (cherry picked from commit 1c261b90f627f0489f7dfcf1e66b46cce67f477d)
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-22 06:03:06 +0000