exim4 (4.80~rc2-1) experimental; urgency=low

  LDAP lookups returning multi-valued attributes now separate the
  attributes with only a comma, not a comma-space sequence.

  The GnuTLS support has been mostly rewritten. The exim main
  configuration options gnutls_require_kx, gnutls_require_mac and
  gnutls_require_protocols are no longer supported. (They are ignored
  if present now, but will trigger an error in later releases.) Their
  functionality is entirely subsumed into tls_require_ciphers. In turn,
  tls_require_ciphers is no longer an Exim list and is not parsed by
  Exim, but is instead given to gnutls_priority_init(3).

  See /exim4-base/usr/share/doc/exim4-base/README.UPDATING.gz for
  details.

 -- Andreas Metzler  Sat, 22 Oct 2011 19:16:58 +0200

exim4 (4.77~rc4-1) experimental; urgency=low

  Exim no longer performs string expansion on the second string of the
  match_* expansion conditions: "match_address", "match_domain",
  "match_ip" & "match_local_part". Named lists can still be used.

  The previous behavior made it too easy to create (remotely) vulnerable
  configurations. A more detailed rationale and explanation can be found
  on
  https://lists.exim.org/lurker/message/20111003.122326.fbcf32b7.en.html

 -- Andreas Metzler  Thu, 05 Oct 2011 19:22:52 +0200

exim4 (4.72-3) unstable; urgency=low

  Exim versions up to and including 4.72 are vulnerable to
  CVE-2010-4345. This is a privilege escalation issue that allows the
  exim user to gain root privileges by specifying an alternate
  configuration file using the -C option. The macro override facility
  (-D) might also be misused for this purpose.

  In reaction to this security vulnerability upstream has made a number
  of user-visible changes. This package includes these changes.
  ---------------------------------------------------------
  If exim is invoked with the -C or -D option the daemon will not regain
  root privileges through re-execution. This is usually necessary for
  local delivery, though. Therefore it is generally not possible anymore
  to run an exim daemon with -D or -C options.

  However this version of exim has been built with
  TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. TRUSTED_CONFIG_LIST
  defines a list of configuration files which are trusted; if a config
  file is owned by root and matches a pathname in the list, then it may
  be invoked by the Exim build-time user without Exim relinquishing root
  privileges.

  As a hotfix to not break existing installations of mailscanner we have
  also set WHITELIST_D_MACROS=OUTGOING, i.e. it is still possible to
  start exim with -DOUTGOING while being able to do local deliveries.

  If you previously were using -D switches you will need to change your
  setup to use a separate configuration file. The ".include" mechanism
  makes this easy.
  ---------------------------------------------------------
  The system filter is run as exim_user instead of root by default. If
  your setup requires root privileges when running the system filter you
  will need to set the system_filter_user exim main configuration
  option.
  ---------------------------------------------------------

 -- Andreas Metzler  Sat, 18 Dec 2010 18:57:16 +0100

exim4 (4.60-2) unstable; urgency=low

  The exim4 daemon packages now include a symlink from /usr/sbin/exim4
  to /usr/sbin/exim. This can break exim 3 cron and init scripts if the
  last exim 3 you had installed was any earlier than 3.36-5 and the
  conffiles from your exim 3 package are still around. Be sure to have
  any exim 4 earlier than 3.36-5 _purged_ (not removed) before
  installing this package.

 -- Marc Haber  Wed, 24 Jan 2006 14:58:08 +0100
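
Added example (not part of the Debian package or the Exim source): a Python check for the TRUSTED_CONFIG_LIST rule described in the 4.72-3 entry, reporting why a configuration file passed with -C would not qualify as trusted. The function name, the owner_uid parameter, the handling of comments and blank lines in the list file, the group/other-writable check and the sample config path are assumptions of this example; the entry itself only states root ownership and a pathname match.

```python
import os
import stat


def audit_trusted_config(list_path, config_path, owner_uid=0):
    """Return the reasons config_path would not count as a trusted config."""
    problems = []

    def check_file(path, label):
        try:
            st = os.stat(path)
        except OSError as exc:
            problems.append(f"{label} {path}: cannot stat ({exc.strerror})")
            return False
        # Rule from the entry: the file must be owned by root (uid 0).
        if st.st_uid != owner_uid:
            problems.append(
                f"{label} {path}: owned by uid {st.st_uid}, expected {owner_uid}")
        # Assumption (extra hardening check): nobody but the owner may write.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{label} {path}: writable by group or others")
        return True

    # A list that cannot be read cannot vouch for anything.
    if not check_file(list_path, "list"):
        return problems

    # Assumption: one pathname per line, blank lines and '#' comments ignored.
    with open(list_path) as fh:
        trusted = [ln.strip() for ln in fh
                   if ln.strip() and not ln.lstrip().startswith("#")]

    # Rule from the entry: the pathname must match a list entry literally.
    if config_path not in trusted:
        problems.append(f"config {config_path}: not listed in {list_path}")
    check_file(config_path, "config")
    return problems


if __name__ == "__main__":
    # List path as named in the entry; the config path is a constructed sample.
    for line in audit_trusted_config("/etc/exim4/trusted_configs",
                                     "/etc/exim4/exim4.conf.outgoing"):
        print(line)
```

An empty result means the file meets the ownership and listing conditions checked here; any reported line is a reason to expect exim to drop root when started with that -C argument.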