Re: [exim-dev] [exim-announce] Exim 4.96-RC0 released

Top Page
This message is part of the following thread:
M-+-++\the complete thread tree sorted by date
M\M\MMMJeremy Harris at <-
MMMMM.MFrank Elsner at ->
Delete this message
Reply to this message
Author: Kirill Miazine
Date:  
To: exim-dev
Subject: Re: [exim-dev] [exim-announce] Exim 4.96-RC0 released
Beware that the just released RC0 for Exim 4.96 may break your Dovecot
LDA delivery. It did break mine, which is similar to what is described
on https://wiki.dovecot.org/LDA/Exim

Here is the relevant ChangeLog entry: 

JH/25 Taint-check exec arguments for transport-initiated external processes.
      Previously, tainted values could be used.  This affects "pipe", "lmtp" and
      "queryprogram" transport, transport-filter, and ETRN commands.
      The ${run} expansion is also affected: in "preexpand" mode no part of
      the command line may be tainted, in default mode the executable name
      may not be tainted.


As of now I don't have a personal working solution to get untained data.
I did try a small hack, but Exim was smart enough to see what I was
doing, so I'm rolling back until I better unstand the tainting
facilities and how to untaint the data.

The concept is great, though.

• Jeremy Harris via Exim-announce [2022-04-23 20:23]:
> Hi all,
>
> Enough changes have accumulated since 4.95 for it to be worth
> spinning another release. The first Release Candidate is available
> 
> - as tarball:        https://ftp.exim.org/pub/exim/exim4/test
> - directly from Git: https://git.exim.org
>                      tag exim-4.96-RC0

>
> The signatures on the release tarballs (and this mail) should be
> mine, key ID 0xBCE58C8CE41F32DF.
>
> Please test and give feedback on the RC so that we can shake out
> issues before 4.96 goes official.
>
> The sourcebase is still open for feature additions at this point
> in the release process.
>
>
> New stuff we've added since 4.95:
> 
>  - A new ACL condition: seen. Records/tests a timestamp against a key.
>  - A variant of the "mask" expansion operator to give normalised IPv6.
>  - UTC output option for exim_dumpdb, exim_fixdb.
>  - An event for failing TLS connects to the daemon.
>  - The ACL "debug" control gains options "stop", "pretrigger" and "trigger".
>  - Query-style lookups are now checked for quoting, if the query string is
>     built using untrusted data ("tainted").  For now lack of quoting is merely
>     logged; a future release will upgrade this to an error.
>  - The expansion conditions match_<list-type> and inlist now set $value for
>     the expansion of the "true" result of the ${if}.  With a static list, this
>     can be used for de-tainting.

>
> Notable removals since 4.95:
> 
>   - the "allow_insecure_tainted_data" main config option and the
>     "taint" log_selector.  These were previously deprecated.

>
> As usual, you should read the ChangeLog file for other changes.
> --
> Cheers,
> Jeremy




> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-announce Exim details at http://www.exim.org/ ## 


-- 
    -- Kirill Miazine <km@???>


This message was posted to the following mailing lists:
Exim-dev
Mailing List Info | Nearby Messages		<-[exim-dev] [Bug 2872] Unable to select ONLY TLSv1.3 CHACHA20-POLY1305 cipher[exim-dev] [Bug 2878] New: mention that authentication cancellation affects $authentication_failed variable->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)