Beware that the just released RC0 for Exim 4.96 may break your Dovecot
LDA delivery. It did break mine, which is similar to what is described
on
https://wiki.dovecot.org/LDA/Exim
Here is the relevant ChangeLog entry:
JH/25 Taint-check exec arguments for transport-initiated external processes.
Previously, tainted values could be used. This affects "pipe", "lmtp" and
"queryprogram" transport, transport-filter, and ETRN commands.
The ${run} expansion is also affected: in "preexpand" mode no part of
the command line may be tainted, in default mode the executable name
may not be tainted.
As of now I don't have a personal working solution to get untainted data.
I did try a small hack, but Exim was smart enough to see what I was
doing, so I'm rolling back until I better understand the tainting
facilities and how to untaint the data.
The concept is great, though.
• Jeremy Harris via Exim-announce [2022-04-23 20:23]:
> Hi all,
>
> Enough changes have accumulated since 4.95 for it to be worth
> spinning another release. The first Release Candidate is available
>
> - as tarball: https://ftp.exim.org/pub/exim/exim4/test
> - directly from Git: https://git.exim.org
> tag exim-4.96-RC0
>
> The signatures on the release tarballs (and this mail) should be
> mine, key ID 0xBCE58C8CE41F32DF.
>
> Please test and give feedback on the RC so that we can shake out
> issues before 4.96 goes official.
>
> The sourcebase is still open for feature additions at this point
> in the release process.
>
>
> New stuff we've added since 4.95:
>
> - A new ACL condition: seen. Records/tests a timestamp against a key.
> - A variant of the "mask" expansion operator to give normalised IPv6.
> - UTC output option for exim_dumpdb, exim_fixdb.
> - An event for failing TLS connects to the daemon.
> - The ACL "debug" control gains options "stop", "pretrigger" and "trigger".
> - Query-style lookups are now checked for quoting, if the query string is
> built using untrusted data ("tainted"). For now lack of quoting is merely
> logged; a future release will upgrade this to an error.
> - The expansion conditions match_<list-type> and inlist now set $value for
> the expansion of the "true" result of the ${if}. With a static list, this
> can be used for de-tainting.
>
> Notable removals since 4.95:
>
> - the "allow_insecure_tainted_data" main config option and the
> "taint" log_selector. These were previously deprecated.
>
> As usual, you should read the ChangeLog file for other changes.
> --
> Cheers,
> Jeremy
--
-- Kirill Miazine <km@???>