pkgsrc-WIP-changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Update hauke/sendmail8_18 to v8.18.0.9



Module Name:	pkgsrc-wip
Committed By:	Hauke Fath <hauke%NetBSD.org@localhost>
Pushed By:	hauke
Date:		Fri Jan 26 14:13:49 2024 +0100
Changeset:	be6555ac88d61234aca1a0f453f2559ef5bd1f16

Modified Files:
	sendmail818/Makefile.common

Log Message:
Update hauke/sendmail8_18 to v8.18.0.9

From upstream's changelog:

sendmail snapshot 8.18.0.9 is available for testing.  It offers new
srv_features options 'u2' and 'g2' which instruct the server to
replace offending bare CR or bare LF with a space. This allows mails
from broken clients instead of rejecting them, but without the risk
of enabling "SMTP smuggling".

sendmail snapshot 8.18.0.6 is available for testing. This version
addresses the so-called SMTP smuggling problem (CVE-2023-51765) by
being more strict (see the release notes and doc/op/op.*).
This is a beta release for 8.18.1, please test and provide feedback.

8.18.1/8.18.1	202X/XX/XX
	sendmail is now stricter in following the RFCs and rejects
		some invalid input with respect to line endings
		and pipelining:
		- Prevent transaction stuffing by ensuring SMTP clients
		wait for the HELO/EHLO and DATA response before sending
		further SMTP commands.  This can be disabled using
		the new srv_features option 'F'.  Issue reported by
		Yepeng Pan and Christian Rossow from CISPA Helmholtz
		Center for Information Security.
		- Accept only CR LF . CR LF as end of an SMTP message
		as required by the RFCs, which can disabled by the
		new srv_features option 'O'.
		- Do not accept a CR or LF except in the combination
		CR LF (as required by the RFCs).  These checks can
		be disabled by the new srv_features options
		'U' and 'G', respectively.
		It is recommended to only turn these protections off
		for trusted networks due to the potential for abuse.
	Full DANE support is available if OpenSSL versions 1.1.1 or 3.x
		are used, i.e., TLSA RR 2-x-y and 3-x-y are supported
		as required by RFC 7672.
	OpenSSL version 3.0.x is supported.  Note: OpenSSL 3 loads by
		default an openssl.cnf file from a location specified
		in the library which may cause unwanted behaviour
		in sendmail.  Hence sendmail sets the environment
		variable OPENSSL_CONF to /etc/mail/sendmail.ossl
		to override the default.  The file name can be
		changed by defining confOPENSSL_CNF in the mc file;
		using an empty value prevents setting OPENSSL_CONF.
		Note: referring to a file which does not exist does
		not cause an an error.
	Two new values have been added for {verify}:
		"DANE_TEMP": DANE verification failed temporarily.
		"DANE_NOTLS": DANE was required but STARTTLS was not
		offered by the server.
		The default rules return a temporary error for these
		cases, so delivery is not attempted.
	If the TLS setup code in the client fails and DANE requirements
		exist then {verify} will be set to "DANE_TEMP" thus
		preventing delivery by default.
	DANE related logging has been slightly changed for clarification:
		"DANE configured in DNS but no STARTTLS available"
		changed to
		"DANE configured in DNS but STARTTLS not offered"
	When the compile time option USE_EAI is enabled, vacation could
		fail to respond when it should (the code change in
		8.17.2 was incomplete).  Problem reported by Alex
		Hautequest.
	If SMTPUTF8 BODY=7BIT are used as parameters for the MAIL command
		the parsing of UTF8 addresses could fail (USE_EAI).
	If a reply to a previous RCPT was received while sending
		another RCPT in pipelining mode then parts of the
		reply could have been assigned to the wrong RCPT.
	New DontBlameSendmail option CertOwner to relax requirement
		for certificate public and private key ownership.
		Based on suggestion from Marius Strobl of the
		FreeBSD project.
	clt_features was not checked for connections via Unix domain
		sockets.
	CONFIG: FEATURE(`enhdnsbl') did not handle multiple replies
		from DNS lookups thus potentially causing random
		"false negatives".
		Note: the fix creates an incompatibility:
		the arguments must not have a trailing dot anymore
		because the -a. option has been removed (as it only
		applies to the entire result, not individual values).
	VACATION: Add support for Return-Path header to set sender
		to match OpenBSD and NetBSD functionality.
	VACATION: Honor RFC3834 and avoid an auto-reply if
		'Auto-Submitted: no' is found in the headers to
		match OpenBSD and NetBSD functionality.
	VACATION: Avoid an auto-reply if a 'List-Id:' is found in
		the headers to match OpenBSD functionality.
	VACATION: Add support for $SUBJECT in .vacation.msg which
		is replaced with the first line of the subject of the
		original message to match OpenBSD and NetBSD
		functionality.
	Portability:
		Add support for Darwin 23.
	New Files:
		cf/feature/fips3.m4
		devtools/OS/Darwin.23.x

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=be6555ac88d61234aca1a0f453f2559ef5bd1f16

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 sendmail818/Makefile.common | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diffs:
diff --git a/sendmail818/Makefile.common b/sendmail818/Makefile.common
index be99ea4927..0f3b30d1c8 100644
--- a/sendmail818/Makefile.common
+++ b/sendmail818/Makefile.common
@@ -29,7 +29,7 @@ PATCHDIR=	${.CURDIR}/../../wip/sendmail818/patches
 
 USE_LANGUAGES=	c99
 
-DIST_VERS=	8.18.0.2
+DIST_VERS=	8.18.0.9
 
 MAKE_ENV+=	BSD_BINOWN=${BINOWN} BSD_BINGRP=${BINGRP} \
 		BSD_MANOWN=${MANOWN} BSD_MANGRP=${MANGRP} \


Home | Main Index | Thread Index | Old Index