Re: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.…

Author: Heiko Schlittermann
To: exim-users
Subject: Re: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.2, 4.86.2, 4.87 RC5
Hi,

Andreas M. Kirchwitz <amk@???> (Mon 07 Mar 2016 02:03:52 CET):
> Heiko Schlittermann <hs@???> wrote:
> Thanks for the security updates! Highly appreciated.
>
> Unfortunately, it looks like this warning message also has the
> potential to break existing installations because
>
>       "<eximbin> -C /dev/null -bP <configvar>"
>
> is sometimes used to get preconfigured configuration settings.
>
> For example, "exicyclog" (shipped with Exim) does that and now the
> cron daemon issues a warning when running it. Of course, stderr
> could be redirected to /dev/null but in fact there's nothing wrong
> here, and on real problems admins should still see error messages.


Yes, that's an issue with the new warnings about tls_advertise_hosts
being unset too. I'm working on it, to suppress these warnings
in these testing modes.

I'm not sure if the changes will be backported to the security releases
of the older Exims, but probably to the +fixes branches on top of the
security releases.

> Admins who do not read the release notes may also not read the
> mainlog. They will never notice that warning anyway.


But.. if you're looking for problems, you'll read the mainlog.
And I'd suppose every admin should. Daily operation isn't influenced,
but debugging is aided :)

> Clearing the complete environment also raises some questions like
> do I have to make exceptions for LANG and TZ? And will Exim work
> without any PATH? When it comes to delivery, MTAs usually call
> external programs and those call others and so on. I've never put
> much thought into that before but now I'm wondering how it ever
> worked. :-) Recommendations welcome!


That's not totally clear. Exim itself doesn't use any environment. BUT it
may use the environment indirectly, by using libraries (LDAP being one
example). I suppose that libldap checks LDAP* variables. I'm not sure
about other lookups (Berkeley DB?)

And for calling external programs Exim always forced you to put the
complete path there: ${run{/usr/bin/foo}…}. BUT, indeed, if the external
program relies on some PATH or other environment, it's time to think
about it.

    keep_environment = TZ : LANG : ^LC_ : ^LDAP
    add_environment = <; PATH=/bin:/usr/bin:/usr/local/bin


could be a good starting point.

    Best regards from Dresden/Germany
    Kind regards from Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
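As an added example (not code from this message, nor from Exim itself), the following Python models what the keep_environment / add_environment pair suggested above does to the environment a ${run{...}} child inherits, run against a constructed sample environment. The treatment of ^-prefixed items as regular expressions matched against the variable name, and the silent dropping of a malformed add_environment item, are assumptions of this model rather than statements about Exim's implementation.

```python
import re

# Constructed sample environment (not taken from the post): roughly what a
# cron job or interactive shell hands to Exim before the environment is cleared.
SAMPLE_ENV = {
    "PATH": "/usr/local/sbin:/usr/sbin:/sbin:/usr/bin",
    "HOME": "/root",
    "TERM": "xterm",
    "TZ": "Europe/Berlin",
    "LANG": "en_US.UTF-8",
    "LC_ALL": "C",
    "LDAP_URI": "ldap://ldap.example.invalid",
}

# The two settings from the post, verbatim.
KEEP_ENVIRONMENT = "TZ : LANG : ^LC_ : ^LDAP"
ADD_ENVIRONMENT = "<; PATH=/bin:/usr/bin:/usr/local/bin"


def parse_exim_list(spec: str, default_sep: str = ":") -> list[str]:
    """Split an Exim string list into items.

    A leading '<X' switches the separator to X for that list; that is why the
    post writes '<;' in front of a PATH value that itself contains colons.
    """
    spec = spec.strip()
    sep = default_sep
    if spec.startswith("<") and len(spec) > 1:
        sep, spec = spec[1], spec[2:]
    return [item.strip() for item in spec.split(sep) if item.strip()]


def name_matches(name: str, item: str) -> bool:
    """Assumption of this model: an item starting with '^' is a regular
    expression matched at the start of the variable name, as in other Exim
    lists; any other item must equal the name exactly."""
    if item.startswith("^"):
        return re.match(item, name) is not None
    return name == item


def filter_environment(env: dict[str, str], keep_environment: str,
                       add_environment: str) -> dict[str, str]:
    """Model of the child environment after the cleanup: drop every variable
    not matched by keep_environment, then lay add_environment's NAME=value
    items on top."""
    keep = parse_exim_list(keep_environment)
    child = {n: v for n, v in env.items() if any(name_matches(n, i) for i in keep)}
    for item in parse_exim_list(add_environment):
        name, sep, value = item.partition("=")
        if not sep:
            # Malformed item without '='. How Exim itself reports this is not
            # modeled here (assumption); the item is simply ignored.
            continue
        child[name] = value
    return child


if __name__ == "__main__":
    print("with '<;'   :", filter_environment(SAMPLE_ENV, KEEP_ENVIRONMENT, ADD_ENVIRONMENT))
    # Without '<;' the default ':' separator splits the PATH value itself.
    print("without '<;':", filter_environment(SAMPLE_ENV, KEEP_ENVIRONMENT,
                                              "PATH=/bin:/usr/bin:/usr/local/bin"))
```

The second call is the reason for the separator change: with the default colon separator, PATH=/bin:/usr/bin:/usr/local/bin is read as three list items and only PATH=/bin reaches the child, while HOME and TERM are gone in both cases because nothing in keep_environment matches them.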