Control: tags -1 patch

Hi Paul, Andreas,

On 10-05-2021 05:58, Justin B Rye wrote:
> (Is it possible we could shorten this by pointing to some external
> reference here?)

I'd like this too.

> So if I'm getting this formatting right it would be:

There was one bug, and I improved the display of the programlistings a
bit (we reserve <screen> for the command window).

Attached my local commit, ready to push if no updates arrive.

Paul
From a6b790206c76974b5b9eb32d75674fee5655efff Mon Sep 17 00:00:00 2001 From: Paul Gevers <elb...@debian.org> Date: Thu, 13 May 2021 22:27:50 +0200 Subject: [PATCH] issues.dbk: Exim 4.94 major upgrade: tainted data Closes: #988078 --- en/issues.dbk | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 72 insertions(+), 1 deletion(-) diff --git a/en/issues.dbk b/en/issues.dbk index 82a8a60b..43c9534e 100644 --- a/en/issues.dbk +++ b/en/issues.dbk 
@@ -337,7 +337,78 @@ kernel.unprivileged_userns_clone = 0 </para> </section> - <section id="before-first-reboot"> + <section> + <title>Exim 4.94</title> + <para> + Please consider the version of Exim in bullseye a + <emphasis>major</emphasis> Exim upgrade. It introduces the + concept of tainted data read from untrusted sources, like e.g. + message sender or recipient. This tainted data (e.g. + <literal>$local_part</literal> or <literal>$domain</literal>) + cannot be used among other things as a file or directory name or + command name. + </para> + <para> + This <emphasis>will break</emphasis> configurations which are + not updated accordingly. Old Debian Exim configuration files + also will not work unmodified; the new configuration needs to be + installed with local modifications merged in. + </para> + <para> + Typical nonworking examples include: + </para> + <itemizedlist> + <listitem> + <para> + Delivery to <filename>/var/mail/$local_part</filename>. Use + <literal>$local_part_data</literal> in combination with + <literal>check_local_user</literal>. + </para> + </listitem> + <listitem> + <para> + Using + </para> + <programlisting> +data = ${lookup{$local_part}lsearch{/some/path/$domain/aliases}} +</programlisting> + <para> + instead of + </para> + <programlisting> +data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}} +</programlisting> + <para> + for a virtual domain alias file. + </para> + </listitem> + </itemizedlist> + <para> + The basic strategy for dealing with this change is to use the + result of a lookup in further processing instead of the original + (remote provided) value. + </para> + <para> + To ease upgrading there is a new main configuration option to + temporarily downgrade taint errors to warnings, letting the old + configuration work with the newer Exim. 
To make use of this + feature add + </para> + <programlisting> +.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA + allow_insecure_tainted_data = yes +.endif +</programlisting> + <para> + to the Exim configuration (e.g. to + <filename>/etc/exim4/exim4.conf.localmacros</filename>) + <emphasis>before</emphasis> upgrading and check the logfile for + taint warnings. This is a temporary workaround which is already + marked for removal on introduction. + </para> + </section> + + <section id="before-first-reboot"> <title>Things to do post upgrade before rebooting</title> <!-- If there is nothing to do --> <para> -- 2.30.2
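Review bot: the last paragraph of the new section presents allow_insecure_tainted_data as a temporary workaround and says to check the logfile for taint warnings, but it stops there. Nothing tells the reader to fix the expansions that trigger those warnings and then delete the option again, so a reader can leave taint errors downgraded to warnings indefinitely. Suggest adding a closing sentence to that effect. Also, the new section opens with a bare `<section>` while the one after it has `id="before-first-reboot"`; giving the Exim section an id would keep it linkable. Minor wording: "like e.g." is redundant, and "cannot be used among other things as a file or directory name" reads more easily as "cannot be used as, among other things, a file or directory name".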