Re: [exim-dev] [exim-announce] Exim 4.96-RC0 released

Pàgina inicial
Delete this message
Reply to this message
Autor: Kirill Miazine
Data:  
A: exim-dev
Assumpte: Re: [exim-dev] [exim-announce] Exim 4.96-RC0 released
Beware that the just released RC0 for Exim 4.96 may break your Dovecot
LDA delivery. It did break mine, which is similar to what is described
on https://wiki.dovecot.org/LDA/Exim

Here is the relevant ChangeLog entry:

JH/25 Taint-check exec arguments for transport-initiated external processes.
      Previously, tainted values could be used.  This affects "pipe", "lmtp" and
      "queryprogram" transport, transport-filter, and ETRN commands.
      The ${run} expansion is also affected: in "preexpand" mode no part of
      the command line may be tainted, in default mode the executable name
      may not be tainted.


As of now I don't have a personal working solution to get untained data.
I did try a small hack, but Exim was smart enough to see what I was
doing, so I'm rolling back until I better unstand the tainting
facilities and how to untaint the data.

The concept is great, though.

• Jeremy Harris via Exim-announce [2022-04-23 20:23]:
> Hi all,
>
> Enough changes have accumulated since 4.95 for it to be worth
> spinning another release. The first Release Candidate is available
>
> - as tarball:        https://ftp.exim.org/pub/exim/exim4/test
> - directly from Git: https://git.exim.org
>                      tag exim-4.96-RC0

>
> The signatures on the release tarballs (and this mail) should be
> mine, key ID 0xBCE58C8CE41F32DF.
>
> Please test and give feedback on the RC so that we can shake out
> issues before 4.96 goes official.
>
> The sourcebase is still open for feature additions at this point
> in the release process.
>
>
> New stuff we've added since 4.95:
>
>  - A new ACL condition: seen. Records/tests a timestamp against a key.
>  - A variant of the "mask" expansion operator to give normalised IPv6.
>  - UTC output option for exim_dumpdb, exim_fixdb.
>  - An event for failing TLS connects to the daemon.
>  - The ACL "debug" control gains options "stop", "pretrigger" and "trigger".
>  - Query-style lookups are now checked for quoting, if the query string is
>     built using untrusted data ("tainted").  For now lack of quoting is merely
>     logged; a future release will upgrade this to an error.
>  - The expansion conditions match_<list-type> and inlist now set $value for
>     the expansion of the "true" result of the ${if}.  With a static list, this
>     can be used for de-tainting.

>
> Notable removals since 4.95:
>
>   - the "allow_insecure_tainted_data" main config option and the
>     "taint" log_selector.  These were previously deprecated.

>
> As usual, you should read the ChangeLog file for other changes.
> --
> Cheers,
> Jeremy





> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-announce Exim details at http://www.exim.org/ ##



-- 
    -- Kirill Miazine <km@???>