Re: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.…

Top Page

Reply to this message
Author: Andreas M. Kirchwitz
Date:  
To: exim-users
New-Topics: [exim] Warnings even in testing modes (Was: Security release for CVE-2016-1531: 4.84.2, 4.85.2, ) 4.86.2, 4.87 RC5, [exim] Suppress warnings in tool/list modes (Was: Security release for CVE-2016-1531: 4.84.2, 4.85.2, 4.86.2, 4.87 RC5)
Subject: Re: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.2, 4.86.2, 4.87 RC5
Heiko Schlittermann <hs@???> wrote:

> New options
> -----------
>
> We had to introduce two new configuration options:
>
>     keep_environment =
>     add_environment =

>
> [...]
>
> ** THIS MAY BREAK your existing installation **
>
> If both options are not used in the configuration, Exim issues a warning
> on startup. This warning disappears if at least one of these options is
> used (even if set to an empty value).


Thanks for the security updates! Highly appreciated.

Unfortunately, it looks like this warning message also has the
potential to break existing installations because

    "<eximbin> -C /dev/null -bP <configvar>"


is sometimes used to get preconfigured configuration settings.

For example, "exicyclog" (shipped with Exim) does that and now the
cron daemon issues a warning when running it. Of course, stderr
could be redirected to /dev/null but in fact there's nothing wrong
here, and on real problems admins should still see error messages.

Admins who do not read the release notes may also not read the
mainlog. They will never notice that warning anyway.

Clearing the complete environment also raises some questions like
do I have to make exceptions for LANG and TZ? And will Exim work
without any PATH? When it comes to delivery, MTAs usually call
external programms and those call others and so on. I've never put
much thought into that before but now I'm wondering how it ever
worked. :-) Recommendations welcome!

    Greetings, Andreas