[SA-exim] SA-Exim 4.2.1 released (security update)

Marc MERLIN marc at merlins.org
Wed Jan 11 23:16:34 PST 2006


Thanks to a report from Chris Morris, I confirmed that sa-exim 4.2 had
indeed an unsafe cronjob which didn't properly delete duplets with
spaces (I thought I meant to have removed spaces in Greylisting.pm,
but failed to do so).
Also, the log cleaning cron job has no reason to run as root anyway, so
I'm now recommending that it run as the spamd user (nobody in most cases).

Since the cronjob in shell was a bad idea anyway, I've used the
opportunity to upgrade to Mark Lawrence's contributed perl cronjob
which does the job in a saner way anyway.

If you do not use the old /etc/cron.hourly/greylistclean cron job, you
don't have to upgrade.
You can also apply one of the following fixes instead of upgrading:
--- ../sa-exim-4.2/Greylisting.pm       Thu Dec  2 18:44:12 2004
+++ Greylisting.pm      Mon Jan  9 08:30:12 2006
@@ -153,14 +153,14 @@
            # resource expensive)
            # envfrom could be cleaned outside of the loop, but the other method 
             # options might now want that
-           $envfrom =~ tr/!#%( )*+,-.0123456789:<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{|}~/_/c;
+           $envfrom =~ tr/!#%()*+,-.0123456789:<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{|}~/_/c;
            # clean variables to run properly under -T
            $envfrom =~ /(.+)/;
            $tmpvar = ($1 or "");
            # work around bug in perl untaint in perl 5.8
            $envfrom=undef;
            $envfrom=$tmpvar;
-           $rcptto  =~ tr/!#%( )*+,-.0123456789:<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{|}~/_/c;
+           $rcptto  =~ tr/!#%()*+,-.0123456789:<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{|}~/_/c;
            $rcptto =~ /(.+)/;
            $tmpvar = ($1 or "");
            $rcptto=undef;
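Review bot: the only change in this hunk is dropping the space from the allowed set of the two `tr/.../_/c` whitelists, so a space in `$envfrom` or `$rcptto` now becomes `_` before the tuple filename is built; that closes the whitespace case reported for the shell cron job, but the whitelist still admits other characters that an unquoted shell glob or word split would interpret (`*`, `?`, `[`, `]`, `{`, `}`, `<`, `>`, `|`, `#`), which is exactly why the post replaces the shell cleaner with the perl one and runs it unprivileged. Worth stating in a comment next to the `tr` lines that the translation is a filename-safety filter and not a shell-safety guarantee, so nobody reintroduces a shell-based cleanup on the assumption that the names are sanitized.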

Or remove /etc/cron.hourly/greylistclean, download and install
http://marc.merlins.org/linux/exim/files/sa-exim-cvs/greylistclean
instead.

But of course, you are otherwise welcome to upgrade; there shouldn't be
any other changes in the code.

Changelog
   * 2006/01/09 - v4.2.1 (sa-exim.tar.gz or local_scan only)
     Security update (reported by Chris Morris)
       * Modified Greylisting.pm not to generate tuplets with spaces,
         although the cleaning cron job is now safe with regard to whitespace
       * Included Mark Lawrence's perl script to better clean old tuplets
       * Highly recommended to run under the least necessary privilege: the
         exim user (mail, exim, Debian-exim) instead of root


Downloads:

http://marc.merlins.org/linux/exim/sa.html
http://sourceforge.net/projects/sa-exim/

Deb package is here:
http://marc.merlins.org/linux/exim/files/debian/
(compiled against unstable, you might have to rebuild for
testing/stable, or wait for official deb packages from Sander Smeenk)

Sorry about the screwup, it'll teach me to make releases while on Xmas
vacation

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f at merlins.org for PGP key