Re: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Andreas M. Kirchwitz
Datum:  
To: exim-users
Neue Treads: [exim] Warnings even in testing modes (Was: Security release for CVE-2016-1531: 4.84.2, 4.85.2, ) 4.86.2, 4.87 RC5, [exim] Suppress warnings in tool/list modes (Was: Security release for CVE-2016-1531: 4.84.2, 4.85.2, 4.86.2, 4.87 RC5)
Betreff: Re: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.2, 4.86.2, 4.87 RC5
Heiko Schlittermann <hs@???> wrote:

> New options
> -----------
>
> We had to introduce two new configuration options:
>
>     keep_environment =
>     add_environment =

>
> [...]
>
> ** THIS MAY BREAK your existing installation **
>
> If both options are not used in the configuration, Exim issues a warning
> on startup. This warning disappears if at least one of these options is
> used (even if set to an empty value).


Thanks for the security updates! Highly appreciated.

Unfortunately, it looks like this warning message also has the
potential to break existing installations because

    "<eximbin> -C /dev/null -bP <configvar>"


is sometimes used to get preconfigured configuration settings.

For example, "exicyclog" (shipped with Exim) does that and now the
cron daemon issues a warning when running it. Of course, stderr
could be redirected to /dev/null but in fact there's nothing wrong
here, and on real problems admins should still see error messages.

Admins who do not read the release notes may also not read the
mainlog. They will never notice that warning anyway.

Clearing the complete environment also raises some questions like
do I have to make exceptions for LANG and TZ? And will Exim work
without any PATH? When it comes to delivery, MTAs usually call
external programms and those call others and so on. I've never put
much thought into that before but now I'm wondering how it ever
worked. :-) Recommendations welcome!

    Greetings, Andreas