Bug#818349: exim4-base: Still warns about purging the environment, even with add_environment set
Ben Hutchings
ben at decadent.org.uk
Wed Mar 16 19:10:04 UTC 2016
Control: severity -1 important
Control: retitle -1 NEWS doesn't clearly explain config changes needed for CVE-2016-1531
On Wed, 2016-03-16 at 19:39 +0100, Andreas Metzler wrote:
> On 2016-03-16 Ben Hutchings <ben at decadent.org.uk> wrote:
> >
> > Control: severity -1 serious
> > Control: tag -1 moreinfo
> >
> > Upgrading severity. I consider this release-critical because a package
> > should never:
> >
> > 1. Send spurious error messages from its cron job
> > 2. Recommend changing the configuration in a way that would undo a
> > security fix
> Hello,
>
> the situation is this:
>
> * Upstream made a change (cleaning the environment by default) that in
> their opinion could break existing systems. There is not a magic
> switch that can be thrown to fix this. The safe default value (empty
> environment) is exactly what causes the breakage. To point
> administrators of failing systems in the right direction exim prints
> a warning when keep_environment is not set.
>
> * Afaik the Debian config works fine with empty environment which is why
> we have added an explicit 'keep_environment=' to prevent the runtime
> warning.
This is all good.
> * Otoh if you are running a custom configuration you will get
> the warning exactly as upstream has intended and you will need to
> decide whether you need to modify the environment. This also applies
> to configuration based on the Debian configuration. - You'll need to
> look at the configuration and decide whether modifying the runtime
> environment is necessary. (You'll get a dpkg conffile prompt and need
> to merge the changes.)
The warning isn't really very clear, though.
> * In addition there is an entry in exim4-config.NEWS.
I saw that, but it also wasn't that clear about what changes were
needed.
> I am basically out of bright ideas on how to improve things from here.
> The whole thing is a trade-off, on one side now some people get a warning
> message without experiencing real breakage, on the other side if I patched
> out the warning message some people would just see a broken e-mail
> service without the helpful hint. Being in doubt I trusted upstream's
> choice.
>
> See http://article.gmane.org/gmane.mail.exim.devel/9142 and following.
Please expand the NEWS item to say that if you have a custom
configuration you *must* update it, and also refer to
https://exim.org/static/doc/CVE-2016-1531.txt which briefly explains the new variables.
Ben.
--
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.
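The point of the bug title is that `add_environment` on its own does not silence the warning; only an explicit `keep_environment` setting does. The following is an added example, not code from the bug report or from the exim4 package: it checks a custom Exim configuration file for the `keep_environment` main option against two constructed sample configs, and assumes (as the thread states) that the startup warning is keyed solely on that option being unset.

```shell
#!/bin/sh
# Added example: emulate the condition behind Exim's "purging the environment"
# warning for a single config file.  Assumption: the warning depends only on
# keep_environment being set, so add_environment alone is not enough.
# For the Debian split layout, run this against the generated file
# (/var/lib/exim4/config.autogenerated), or query the live value with
# "exim4 -bP keep_environment".

# Returns 0 when keep_environment is explicitly set (even to the empty,
# fully purged value), 1 when it is absent.  Leading whitespace and
# whitespace around '=' are allowed; comment lines are not matched.
keep_environment_is_set() {
    grep -Eq '^[[:space:]]*keep_environment[[:space:]]*=' "$1"
}

# Returns 0 when add_environment is present, 1 otherwise.
add_environment_is_set() {
    grep -Eq '^[[:space:]]*add_environment[[:space:]]*=' "$1"
}

# Constructed sample configs (not real site configuration).
tmpdir=$(mktemp -d)
cat > "$tmpdir/only_add.conf" <<'EOF'
# custom config that only adds to the environment: still warns
add_environment = PATH=/usr/local/bin:/usr/bin:/bin
EOF
cat > "$tmpdir/fixed.conf" <<'EOF'
# purge explicitly (safe default), then add back only what is needed
keep_environment =
add_environment = PATH=/usr/local/bin:/usr/bin:/bin
EOF

report() {
    if keep_environment_is_set "$1"; then
        echo "$1: keep_environment set, no startup warning expected"
    elif add_environment_is_set "$1"; then
        echo "$1: add_environment alone, Exim will still warn; add 'keep_environment ='"
    else
        echo "$1: neither option set, Exim will warn; add 'keep_environment ='"
    fi
}
report "$tmpdir/only_add.conf"
report "$tmpdir/fixed.conf"
```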