Sun, 18 Dec 2011 07:34:49 +0000

GnuTLS 3.0.x in unstable

GnuTLS 3.0.x is finally available in unstable (and squeeze). Please consider upgrading. (Development package: libgnutls28-dev)


Posted by Andreas Metzler | Permanent link | File under: debian

Sat, 8 Oct 2011 12:31:06 +0000

exim 4.77 rc4 in experimental

exim 4.77 rc4 is available for testing in experimental. This release contains an incompatible change. Exim no longer performs string expansion on the second string of the match_* expansion conditions: "match_address", "match_domain", "match_ip" and "match_local_part". Named lists can still be used.

See explanation and rationale on exim-announce mailing list.
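As an added illustration (not part of the original announcement), the fragment below shows a configuration that relied on the old expansion of the second argument, next to the 4.77-compatible form using a named list. The domainlist name, the ACL variable and the domains are assumptions:

```exim
# Before 4.77, the list argument of match_* was expanded, so a list that had
# been assembled into an ACL variable earlier could be used directly:
#
#   condition = ${if match_domain{$sender_address_domain}{$acl_m_blocked}}
#
# From 4.77 on the second string is taken literally, so "$acl_m_blocked" would
# be treated as a (never matching) list item. Put the list in a named
# domainlist instead; named lists are still accepted as the second argument.

domainlist blocked_sender_domains = spam.example : *.bad.example

acl_check_rcpt:
  deny
    message   = sender domain $sender_address_domain is blocked
    condition = ${if match_domain{$sender_address_domain}{+blocked_sender_domains}}
```

The named list is looked up at match time as usual; only string expansion of the argument text itself has been removed, which is what makes the old variable-based form stop matching silently rather than fail loudly.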


Posted by Andreas Metzler | Permanent link | File under: debian

Sat, 24 Sep 2011 16:56:11 +0000

exim with support for TLS1.1 and TLS1.2

I have just uploaded exim4 4.76-4 to experimental. Compared to 4.76-3 the only additions are the changes from upstream's gnutls_fixes branch, making exim4 advertise and use TLS1.1 or TLS1.2 if available.

We would appreciate some testing.


Posted by Andreas Metzler | Permanent link | File under: debian

Mon, 1 Aug 2011 17:11:25 +0000

down

This weekend I looked down. There is the Bregenzer Ache.


Posted by Andreas Metzler | Permanent link | File under: life

Sun, 19 Jun 2011 12:19:36 +0000

pushing release goals

Thanks to the bad weather I have made some progress implementing release goals in my/our packages:

  • I have NMUed the last packages preventing me from dropping .la files from gnutls and gcrypt. (Luk seems to have taken care of many others.)
  • Both libtasn1-3 and libksba are multi-arch aware now.

On a sidenote, please keep testing gnutls 2.12.7 (in experimental) to prevent unwanted surprises when we upload to unstable.


Posted by Andreas Metzler | Permanent link | File under: debian

Mon, 9 May 2011 18:00:26 +0000

Hotfix for CVE-2011-1764

Since exim is currently stuck in the perl 5.12 transition it is a very good idea to add "warn control = dkim_disable_verify" at the beginning of the RCPT ACL on systems running testing. This will prevent attacks based on CVE-2011-1764.
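Added example (not from the original post) showing where the hotfix goes in a Debian split configuration. The file name is Debian's default conf.d layout; the rest of the ACL is elided:

```exim
# /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt  (Debian conf.d layout)
# The warn verb is placed first so DKIM verification is switched off for
# every message before any other RCPT-time check runs.
acl_check_rcpt:
  warn
    control = dkim_disable_verify

  # ... the existing RCPT ACL statements follow unchanged ...
```

After editing, regenerate the configuration with update-exim4.conf, check it with "exim4 -bV" and reload the daemon. The same two lines go at the top of acl_check_rcpt in a monolithic /etc/exim4/exim4.conf.template.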


Posted by Andreas Metzler | Permanent link | File under: debian

Sat, 16 Apr 2011 11:31:52 +0000

balance sheet snowboarding season 2010/11

This year we had very little snow again. Although winter started (too) early (first snow on October 16th) we topped out at little over 50cm in Au (in December). In a normal winter we should have 1m at least temporarily, and 2m is not rare. Temperatures were high, too. I was usually wearing a layer less than normally. All this had me riding in Damüls most of the time; Diedamskopf only saw me in December, since they have little artificial snow, and the natural one was missing. Summer temperatures (20°C) at the start of April cut the season very short. My last snow day was on April 3rd. On the upside I did not hurt myself this year (knock, knock) and the weather was often good.

Here is the balance sheet:

                              2005/06  2006/07  2007/08  2008/09  2009/10  2010/11
number of (partial) days           25       17       29       37       30       30
Damüls                             10       10        5       10       16       23
Diedamskopf                        15        4       24       23       13        4
Warth/Schröcken                     0        3        0        4        1        3
total meters of altitude       124634    74096   219936   226774   202089   203918
highscore                      10247m    8321m   12108m   11272m   11888m   10976m
# of runs                         309      189      503      551      462      449

Posted by Andreas Metzler | Permanent link | File under: fun

Sun, 27 Mar 2011 17:53:35 +0000

GnuTLS 2.12.0 in experimental

I have uploaded GnuTLS 2.12.0 to experimental. Please test.


Posted by Andreas Metzler | Permanent link | File under: debian

Sun, 20 Feb 2011 13:14:34 +0000

license incompatibilities

GnuTLS has recently made Nettle its preferred crypto backend. I think Debian will need to continue to use libgcrypt for license reasons. GnuTLS+libgcrypt and its dependencies are LGPL-2.1+. Nettle itself is LGPL-2.1+ too, except for small GPL-2+ parts (serpent and blowfish), and these are currently being replaced by LGPL-2.1+ implementations. However, nettle's public key library (libhogweed) uses and links against the GNU Multiple Precision Arithmetic Library, which is LGPL-3+.

Afaiui this is a deal-breaker: GPL-2 (without the "any later version" clause) and (L)GPL-3 are incompatible. A nontrivial number of GnuTLS-using applications and libraries are licensed (L)GPL-2. I started checking but stopped at "j" after finding cherokee-1.0.20, cluster-glue-1.0.7, cups-1.4.6, drizzle-2010.09.180, echoping-6.0.2, elinks-0.12~pre5, gtk-vnc-0.4.2, inspircd-1.1.22+dfsg and jd-2.8.1~beta110214.


Posted by Andreas Metzler | Permanent link | File under: debian

Tue, 21 Dec 2010 16:35:58 +0000

exim testers

I would appreciate if you could test the proposed fixes for the exim4 privilege escalation bug CVE-2010-4345. Preliminary binary and source packages for squeeze/sid and lenny are available here:
deb http://www.bebt.de/debian/ sid exim4+cve
deb-src http://www.bebt.de/debian/ sid exim4+cve
deb http://www.bebt.de/debian/ lenny exim4+cve
deb-src http://www.bebt.de/debian/ lenny exim4+cve

You can also browse the changes in SVN (lenny and sid) or build your own binaries.


Changelog:

  • 67_unnecessaryCopt.dpatch: Do not use exim's -C option in utility scripts. This would not work with ALT_CONFIG_PREFIX.
  • Pull changes related to fixing CVE-2010-4345 from exim 4.73 rc1. Closes: #606527
    • 1_cfile_norw_eximuid: Don't allow a configure file which is writeable by the Exim user or group.
    • 2_permcheck_configurefile: Check configure file permissions even for non-default files if still privileged.
    • 3_remove_ALT_CONFIG_ROOT_ONLY: Remove ALT_CONFIG_ROOT_ONLY build option, effectively making it always true.
    • 4_FD_CLOEXEC: Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure that rogue child processes cannot use them.
    • 5_TRUSTED_CONFIG_LIST: Add TRUSTED_CONFIG_LIST compile option.
    • 6_nonroot_system_filter_user: If the system filter needs to be run as root, let that be explicitly configured. The default is now the Exim run-time user.
    • 7_filter_D_option: Add a (compile-time) whitelist of acceptable values for the -D option.
    • 8_updatedocumentation: Update documentation to reflect the changes.
  • 4_FD_CLOEXEC replaces 80_fdleak.dpatch, drop the latter.
  • Build with WHITELIST_D_MACROS=OUTGOING. Post patch 7_filter_D_option exim will not regain root privileges (usually necessary for local delivery) if the -D option was used. Macro identifiers listed in WHITELIST_D_MACROS are exempted from this restriction. mailscanner (4.79.11-2.2) uses -DOUTGOING.
  • Build with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. Post patch 3_remove_ALT_CONFIG_ROOT_ONLY exim will not regain root privileges (usually necessary for local delivery) if the -C option was used. This makes it impossible to start a fully functional daemon with an alternate configuration file. /etc/exim4/trusted_configs (can) contain a list of filenames (one per line, full path given) to which this restriction does not apply.

NEWS entry:

Exim versions up to and including 4.72 are vulnerable to CVE-2010-4345. This is a privilege escalation issue that allows the exim user to gain root privileges by specifying an alternate configuration file using the -C option. The macro override facility (-D) might also be misused for this purpose.

In reaction to this security vulnerability upstream has made a number of user visible changes. This package includes these changes.

If exim is invoked with the -C or -D option the daemon will not regain root privileges through re-execution. This is usually necessary for local delivery, though. Therefore it is generally not possible anymore to run an exim daemon with -D or -C options.

However this version of exim has been built with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. TRUSTED_CONFIG_LIST defines a list of configuration files which are trusted; if a config file is owned by root and matches a pathname in the list, then it may be invoked by the Exim build-time user without Exim relinquishing root privileges.

As a hotfix to not break existing installations of mailscanner we have also set WHITELIST_D_MACROS=OUTGOING, i.e. it is still possible to start exim with -DOUTGOING while being able to do local deliveries.

If you previously were using -D switches you will need to change your setup to use a separate configuration file. The ".include" mechanism makes this easy.

The system filter is run as exim_user instead of root by default. If your setup requires root privileges when running the system filter you will need to set the system_filter_user exim main configuration option.
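Added example (not part of the NEWS entry) of the migration the text describes: a former "-DOUTGOING" start-up is replaced by a separate configuration file that defines the macro and pulls in the regular configuration via .include, and that file is listed in the trusted list so the daemon still regains root for local delivery. The name exim4-outgoing.conf is an assumption; /etc/exim4/trusted_configs and /var/lib/exim4/config.autogenerated are the Debian defaults:

```exim
# --- /etc/exim4/trusted_configs ---------------------------------------------
# One full path per line. Each listed file must be owned by root and must not
# be writable by the Exim user or group, otherwise it is refused (patches 1 and
# 2 above) and the daemon does not regain root.
/etc/exim4/exim4-outgoing.conf

# --- /etc/exim4/exim4-outgoing.conf -----------------------------------------
# Started with:  exim4 -C /etc/exim4/exim4-outgoing.conf -bd -q30m
# Macros and main options must come before the included file, because that
# file already contains the "begin acl" / "begin routers" section headings
# after which main options are no longer accepted.
OUTGOING = yes

# Only if the system filter really needs root (default is now the Exim
# run-time user); set it here rather than passing anything on the command line.
# system_filter_user = root

.include /var/lib/exim4/config.autogenerated
```

Because OUTGOING is now defined inside a trusted, root-owned file rather than supplied with -D, the WHITELIST_D_MACROS exemption is no longer needed for this setup, and the same pattern works for any macro that used to be passed on the command line.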

Update 2011-01-02: The packages for sid (4.72-3) have already been uploaded, upstream's fix 4.73rc1 is available in experimental.

Update 2011-01-06: 4.72-3 has propagated to testing. The lenny backport has also been updated.


Posted by Andreas Metzler | Permanent link | File under: debian