[exim-dev] Kickoff for next release

Top Page

Reply to this message
Author: Jeremy Harris
Date:  
To: exim-dev@exim.org
Subject: [exim-dev] Kickoff for next release
I'm starting the release procedure for the next release.

As usual there will be a number of Release Candidate builds
as we shake it down. Commits of any kind are acceptable at
this stage; at some future point I'll declare "bug fixes only".

Please test the Release Candidates. Production use is sometime
the only way bugs get found.

Developers: please check Bugzilla for the bugs assigned to you,
and make commits as needed. Also assess your work-in-progress;
anything which you think needs a full release-cycle of soaking
should be pushed into the 4,next branch rather than the mainline.
I just synced 4.next, and enabled it in the buildfarm.



(You can skip the rest of this message if you don't care about
what's been done since the last release of Exim)



The current NewStuff file reads:

Version 4.91
- --------------

 1. Dual-certificate stacks on servers now support OCSP stapling, under GnuTLS
    version 3.5.6 or later.


 2. DANE is now supported under GnuTLS version 3.0.0 or later.  Both GnuTLS and
    OpenSSL versions are moved to mainline support from Experimental.


3. Feature macros for the compiled-in set of malware scanner interfaces.

 4. SPF support is promoted from Experimental to mainline status.  The template
    src/EDITME makefile does not enable its inclusion.


 5. Logging control for DKIM verification.  The existing DKIM log line is
    controlled by a "dkim_verbose" selector which is _not_ enabled by default.
    A new tag "DKIM=<domain>" is added to <= lines by default, controlled by
    a "dkim" log_selector.


6. Receive duration on <= lines, under a new log_selector "receive_time".

 7. Options "ipv4_only" and "ipv4_prefer" on the dnslookup router and on
    routing rules in the manualroute router.


 8. Expansion item ${sha3:<string>} / ${sha3_<N>:<string>} now also supported
    under OpenSSL version 1.1.1 or later.


 9. DKIM operations can now use the Ed25519 algorithm in addition to RSA, under
    GnuTLS 3.6.0 or later.


10. Builtin feature-macros _CRYPTO_HASH_SHA3 and _CRYPTO_SIGN_ED25519, library
    version dependent.


11. "exim -bP macro <name>" returns caller-usable status.

12. Expansion item ${authresults {<machine>}} for creating an
    Authentication-Results: header.


13. EXPERIMENTAL_ARC. See the experimental.spec file.

14: A dane:fail event, intended to facilitate reporting.


The ChangeLog file reads:

GF/01 DEFER rather than ERROR on redis cluster MOVED response.
     When redis_servers is set to a list of > 1 element, and the Redis servers
     in that list are in cluster configuration, convert the REDIS_REPLY_ERROR
     case of MOVED into a DEFER case instead, thus moving the query onto the
     next server in the list. For a cluster of N elements, all N servers must
     be defined in redis_servers.


JH/01 Replace the store_release() internal interface with store_newblock(),
      which internalises the check required to safely use the old one, plus
      the allocate and data copy operations duplicated in both (!) of the
      extant use locations.


JH/02 Disallow '/' characters in queue names specified for the "queue=" ACL
      modifier.  This matches the restriction on the commandline.


JH/03 Fix pgsql lookup for multiple result-tuples with a single column.
      Previously only the last row was returned.


JH/04 Bug 2217: Tighten up the parsing of DKIM signature headers. Previously
      we assumed that tags in the header were well-formed, and parsed the
      element content after inspecting only the first char of the tag.
      Assumptions at that stage could crash the receive process on malformed
      input.


JH/05 Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.
      While running the DKIM ACL we operate on the Permanent memory pool so that
      variables created with "set" persist to the DATA ACL.  Also (at any time)
      DNS lookups that fail create cache records using the Permanent pool.  But
      expansions release any allocations made on the current pool - so a dnsdb
      lookup expansion done in the DKIM ACL releases the memory used for the
      DNS negative-cache, and bad things result.  Solution is to switch to the
      Main pool for expansions.
      While we're in that code, add checks on the DNS cache during store_reset,
      active in the testsuite.
      Problem spotted, and debugging aided, by Wolfgang Breyha.


JH/06 Fix issue with continued-connections when the DNS shifts unreliably.
      When none of the hosts presented to a transport match an already-open
      connection, close it and proceed with the list.  Previously we would
      queue the message.  Spotted by Lena with Yahoo, probably involving
      round-robin DNS.


JH/07 Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.
      Previously a spurious "250 OK id=" response was appended to the proper
      failure response.


JH/08 The "support for" informational output now, which built with Content
      Scanning support, has a line for the malware scanner interfaces compiled
      in.  Interface can be individually included or not at build time.


JH/09 The "aveserver", "kavdaemon" and "mksd" interfaces are now not included
      by the template makefile "src/EDITME".  The "STREAM" support for an older
      ClamAV interface method is removed.


JH/10 Bug 2223: Fix mysql lookup returns for the no-data case (when the number of
      rows affected is given instead).


JH/11 The runtime Berkeley DB library version is now additionally output by
      "exim -d -bV".  Previously only the compile-time version was shown.


JH/12 Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating
      SMTP connection.  Previously, when one had more receipients than the
      first, an abortive onward connection was made.  Move to full support for
      multiple onward connections in sequence, handling cutthrough connection
      for all multi-message initiating connections.


JH/13 Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by
      routers.  Previously, a multi-recipient message would fail to match the
      onward-connection opened for the first recipient, and cause its closure.


JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as
      a timeout on read on a GnuTLS initiating connection, resulting in the
      initiating connection being dropped.  This mattered most when the callout
      was marked defer_ok.  Fix to keep the two timeout-detection methods
      separate.


JH/15 Relax results from ACL control request to enable cutthrough, in
      unsupported situations, from error to silently (except under debug)
      ignoring.  This covers use with PRDR, frozen messages, queue-only and
      fake-reject.


HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789)

JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
      metadata, resulting in a crash in free().


PP/01 Fix broken Heimdal GSSAPI authenticator integration.
      Broken in f2ed27cf5, missing an equals sign for specified-initialisers.
      Broken also in d185889f4, with init system revamp.


JH/17 Bug 2113: Fix conversation closedown with the Avast malware scanner.
      Previously we abruptly closed the connection after reading a malware-
      found indication; now we go on to read the "scan ok" response line,
      and send a quit.


JH/18 Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail
      ACL.  Previously, a crash would result.


JH/19 Speed up macro lookups during configuration file read, by skipping non-
      macro text after a replacement (previously it was only once per line) and
      by skipping builtin macros when searching for an uppercase lead character.


JH/20 DANE support moved from Experimental to mainline.  The Makefile control
      for the build is renamed.


JH/21 Fix memory leak during multi-message connections using STARTTLS.  A buffer
      was allocated for every new TLS startup, meaning one per message.  Fix
      by only allocating once (OpenSSL) or freeing on TLS-close (GnuTLS).


JH/22 Bug 2236: When a DKIM verification result is overridden by ACL, DMARC
      reported the original.  Fix to report (as far as possible) the ACL
      result replacing the original.


JH/23 Fix memory leak during multi-message connections using STARTTLS under
      OpenSSL.  Certificate information is loaded for every new TLS startup,
      and the resources needed to be freed.


JH/24 Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.

JH/25 Fix utf8_downconvert propagation through a redirect router.  Previously it
      was not propagated.


JH/26 Bug 2253: For logging delivery lines under PRDR, append the overall
      DATA response info to the (existing) per-recipient response info for
      the "C=" log element.  It can have useful tracking info from the
      destination system.  Patch from Simon Arlott.


JH/27 Bug 2251: Fix ldap lookups that return a single attribute having zero-
      length value.  Previously this would segfault.


HS/02 Support Avast multiline protoocol, this allows passing flags to
      newer versions of the scanner.


JH/28 Ensure that variables possibly set during message acceptance are marked
      dead before release of memory in the daemon loop.  This stops complaints
      about them when the debug_store option is enabled.  Discovered specifically
      for sender_rate_period, but applies to a whole set of variables.
      Do the same for the queue-runner loop, for variables set from spool
      message files.


- --
Cheers,
Jeremy