Saturday, September 30, 2023

Re: exim

On 2023/09/30 15:35, Solène Rapenne wrote:
> What would marking it BROKEN solve? People upgrading to 7.4 will keep
> the old version, but indeed new users won't be able to install it.

It would mean that new users won't be able to install it.

True it won't help 7.3-stable etc. But hard to say what we can fix
or work around without good reliable information about the problems.

What I've gleaned from (non exim related) IRC channels and what was
published are,

- worst issues are in SPA (NTLM) auth
- there's an int underflow issue in libspf2 parsing macros
  (which seemingly was reported to exim not libspf2 upstream,
  not that libspf2 upstream are usually fast either)
- some other (lower priority?) issues

I wouldn't expect huge problems for most users from disabling SPA,
so regardless of what we do for -current/7.4 I suppose we could at
least do that for -stable which would at least improve things a bit.

Guessing spf is probably a bit more widely used in configs so
that may be harder to disable.

> I'd prefer to see it removed, including a quirks entry with the reason,
> if it's such a trashfire that shouldn't be used

That does still leave an old version installed, however.

So here's an alternative diff to disable SPA... (I have added a quirks
vulnerability marker on -current so pkg_add will warn about it - that
can go to -stable too).

Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/exim/Makefile,v
retrieving revision 1.143
diff -u -p -r1.143 Makefile
--- Makefile 26 Sep 2023 12:28:11 -0000 1.143
+++ Makefile 30 Sep 2023 15:13:39 -0000
@@ -7,7 +7,7 @@ PKGNAME-main = exim-${VERSION}
FULLPKGNAME-eximon = exim-eximon-${VERSION}
FULLPKGPATH-eximon = ${PKGPATH},-eximon
REVISION-eximon = 0
-REVISION-main = 0
+REVISION-main = 1

CATEGORIES = mail

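Review bot: only REVISION-main is bumped in this hunk, with REVISION-eximon left at 0. That is right if nothing packaged in -eximon depends on the auth driver selection in Local/Makefile; worth confirming before commit, since both subpackages come out of the same build and a changed file without a bump would not be picked up by pkg_add -u.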
Index: patches/patch-Local_Makefile
===================================================================
RCS file: /cvs/ports/mail/exim/patches/patch-Local_Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 patch-Local_Makefile
--- patches/patch-Local_Makefile 9 Aug 2022 13:51:10 -0000 1.8
+++ patches/patch-Local_Makefile 30 Sep 2023 15:13:39 -0000
@@ -126,10 +126,9 @@ Index: Local/Makefile
# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5
-# AUTH_PLAINTEXT=yes
--# AUTH_SPA=yes
--# AUTH_TLS=yes
+AUTH_PLAINTEXT=yes
-+AUTH_SPA=yes
+ # AUTH_SPA=yes
+-# AUTH_TLS=yes
+AUTH_TLS=yes

# Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1
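Review bot: the new "+ # AUTH_SPA=yes" line leaves SPA commented out in Local/Makefile with no explanation, and nothing in the diff tells users the driver is gone. Anyone whose configuration still defines an authenticator with "driver = spa" will find it no longer works after the update. Suggest a short comment beside the line saying why SPA is left disabled (so a later port update or patch regeneration does not quietly turn it back on) and a note to users, for example in the package README, that SPA (NTLM) authentication is no longer built in.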
