Opened 8 years ago

Closed 8 years ago

#7493 closed enhancement (fixed)

Exim-4.86.2

Reported by: Pierre Labastie Owned by: Pierre Labastie
Priority: high Milestone: 7.9
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description (last modified by Pierre Labastie)

http://mirrors-uk.go-parts.com/eximftp/exim/exim4/ doesn't exist anymore (see http://www.exim.org/mirmon/ftp_mirrors.html). I propose:

http://mirrors-usa.go-parts.com/eximftp/exim/exim4/exim-4.86.2.tar.bz2 and still: ftp://ftp.exim.org/pub/exim/exim4/exim-4.86.2.tar.bz2

Security Fix: ftp://ftp.exim.org/pub/exim/exim4/ChangeLog

Change log file for Exim from version 4.21
-------------------------------------------

Exim version 4.86.2
-------------------
Portability release of 4.86.1

Exim version 4.86.1
-------------------
HS/04 Add support for keep_environment and add_environment options.
      This fixes CVE-2016-1531.

and from http://www.exim.org/static/doc/CVE-2016-1531.txt

Security fix for CVE-2016-1531
==============================

All installations having Exim set-uid root and using 'perl_startup' are
vulnerable to a local privilege escalation. Any user who can start an
instance of Exim (and this is normally *any* user) can gain root
privileges.

New options
-----------

We had to introduce two new configuration options:

    keep_environment =
    add_environment =

Both options are empty per default. That is, Exim cleans the complete
environment on startup. This affects Exim itself and any subprocesses,
as transports, that may call other programs via some alias mechanisms,
as routers (queryprogram), lookups, and so on.

** THIS MAY BREAK your existing installation **

If both options are not used in the configuration, Exim issues a warning
on startup. This warning disappears if at least one of these options is
used (even if set to an empty value).

keep_environment should contain a list of trusted environment variables.
(Do you trust PATH?). This may be a list of names and REs.

    keep_environment = ^LDAP_ : FOO_PATH

To add (or override) variables, you can use add_environment:

    add_environment = <; PATH=/sbin:/usr/sbin


New behaviour
-------------

Now Exim changes its working directory to / right after startup,
even before reading its configuration. (Later Exim changes its working
directory to $spool_directory, as usual.)

Exim only accepts an absolute configuration file path now, when using
the -C option.
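
The following is an added example, not code from the ticket or from Exim itself: a small Python model of how the two new options decide which variables reach Exim's subprocesses. It assumes Exim's usual list rules as the advisory uses them (items separated by `:` unless a leading `<;` changes the separator, and an item beginning with `^` being a regular expression on the variable name); the sample environment and the `PERL5LIB` entry are constructed for illustration.

```python
import re

# Illustrative model of the environment cleaning added in Exim 4.86.1
# (keep_environment / add_environment). This is an added example, not
# Exim's own implementation.

def split_exim_list(value):
    """Split an Exim-style string list (simplified model).

    The default separator is ':'. A leading '<' followed by one character
    changes the separator, which is why the advisory writes
    'add_environment = <; PATH=/sbin:/usr/sbin': the colons inside PATH
    must not be taken as list separators. Empty items are dropped.
    (Escaping a separator by doubling it is not modelled here.)
    """
    value = value.strip()
    sep = ":"
    if value.startswith("<") and len(value) >= 2:
        sep = value[1]
        value = value[2:]
    return [item.strip() for item in value.split(sep) if item.strip()]


def keep_item_matches(item, name):
    """An item starting with '^' is a regular expression matched against
    the variable name; any other item must equal the name exactly."""
    if item.startswith("^"):
        return re.search(item, name) is not None
    return item == name


def sanitised_environment(environ, keep_environment="", add_environment=""):
    """Return the environment a child process (transport, router, lookup)
    would see.

    1. Every variable is dropped unless its name matches keep_environment.
    2. add_environment entries ('NAME=value') are then added, overriding
       anything that survived step 1.
    With both options empty the result is an empty environment, which is
    the default the advisory describes.
    """
    keep_items = split_exim_list(keep_environment)
    result = {
        name: val
        for name, val in environ.items()
        if any(keep_item_matches(item, name) for item in keep_items)
    }
    for entry in split_exim_list(add_environment):
        name, _, val = entry.partition("=")
        result[name.strip()] = val
    return result


def config_warns(keep_environment=None, add_environment=None):
    """True when neither option appears in the configuration at all.
    Exim 4.86.1+ then prints a startup warning; setting either option,
    even to an empty value, silences it."""
    return keep_environment is None and add_environment is None


# Constructed sample: the environment of the (untrusted) user who invokes
# the set-uid Exim binary. PERL5LIB stands in for any caller-controlled
# variable that must never reach a process running with root privileges.
SAMPLE_ENV = {
    "PATH": "/home/user/bin:/usr/bin",
    "LDAP_SERVER": "ldap://localhost",
    "LDAP_BASE": "dc=example,dc=org",
    "FOO_PATH": "/opt/foo",
    "PERL5LIB": "/home/user/lib",
    "HOME": "/home/user",
}

if __name__ == "__main__":
    # Default: everything is wiped.
    print(sanitised_environment(SAMPLE_ENV))
    # The advisory's example settings: LDAP_* and FOO_PATH survive,
    # PATH is replaced with a trusted value, the rest is gone.
    print(sanitised_environment(SAMPLE_ENV,
                                "^LDAP_ : FOO_PATH",
                                "<; PATH=/sbin:/usr/sbin"))
```

Running it with the advisory's own example values shows the point of the change: the caller's `PATH`, `HOME` and `PERL5LIB` never reach a subprocess, and the only `PATH` a transport sees is the one the administrator put in `add_environment`.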

Change History (5)

comment:1 by Pierre Labastie, 8 years ago

Owner: changed from blfs-book@… to Pierre Labastie
Status: new → assigned

comment:2 by Pierre Labastie, 8 years ago

Description: modified

comment:3 by Pierre Labastie, 8 years ago

I am having trouble with this version of exim.

  • First, it does not want to build without an existing /var/spool/exim/log/mainlog file.
  • Second, if I type "/usr/sbin/exim -bd -q15m", either I am told I have no right (if I am user pierre) or it does not show up in processes if I start it as root.

I think I followed the book instructions for the preceding version. But I guess there is an issue with the new keep_environment, add_environment variables.

comment:4 by Pierre Labastie, 8 years ago

OK, I think I have found where the issue comes from: the log files should be created by the exim program when first started, but since exim runs as user exim and /var/spool is not world writable and is owned by root, it fails. It is new with this version: to test I built exim-4.86. For that version, sudo exim -v -bi worked and created the /var/spool/exim hierarchy. While for 4.86.2, it doesn't. A workaround is to create /var/spool/exim with owner and group exim before running sudo exim -v -bi.

Last edited 8 years ago by Pierre Labastie

comment:5 by Pierre Labastie, 8 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r17073
