From: Eygene Ryabinkin Date: Fri, 26 Oct 2012 08:46:40 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r306428 - in head: mail/exim security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Oct 2012 08:46:41 -0000 Author: rea Date: Fri Oct 26 08:46:40 2012 New Revision: 306428 URL: http://svn.freebsd.org/changeset/ports/306428 Log: mail/exim: upgrade to 4.80.1 This is bugfix-only release, it eliminates remote code execution in the DKIM code. Security: http://www.vuxml.org/freebsd/b0f3ab1f-1f3b-11e2-8fe9-0022156e8794.html QA page: http://codelabs.ru/fbsd/ports/qa/mail/exim/4.80.1 Feature safe: yes Modified: head/mail/exim/Makefile head/mail/exim/distinfo head/security/vuxml/vuln.xml Modified: head/mail/exim/Makefile ============================================================================== --- head/mail/exim/Makefile Fri Oct 26 08:37:10 2012 (r306427) +++ head/mail/exim/Makefile Fri Oct 26 08:46:40 2012 (r306428) @@ -78,7 +78,7 @@ PLIST_SUB+= SO_1024="" PLIST_SUB+= SO_1024="@comment " .endif -EXIM_VERSION= 4.80 +EXIM_VERSION= 4.80.1 SA_EXIM_VERSION=4.2 SO_1024_VERSION=3.2 Modified: head/mail/exim/distinfo ============================================================================== --- head/mail/exim/distinfo Fri Oct 26 08:37:10 2012 (r306427) +++ head/mail/exim/distinfo Fri Oct 26 08:46:40 2012 (r306428) 
@@ -1,5 +1,5 @@ -SHA256 (exim/exim-4.80.tar.bz2) = 787b6defd37fa75311737bcfc42e9e2b2cc62c5d027eed35bb7d800b2d9a0984 -SIZE (exim/exim-4.80.tar.bz2) = 1649827 +SHA256 (exim/exim-4.80.1.tar.bz2) = 9565b10f06be224fd03adafae2e07e6fdbb479f8873e3894ddb13f98eeebe78f +SIZE (exim/exim-4.80.1.tar.bz2) = 1650082 SHA256 (exim/sa-exim-4.2.tar.gz) = 72e0a735547f18b05785e6c58a71d24623858f0f5234a5dc0e24cb453999e99a SIZE (exim/sa-exim-4.2.tar.gz) = 66575 SHA256 (exim/spamooborona1024-src-3.2.tar.gz) = ab22a430f3860460045f6b213c68c89700a0cd10cbb6c7a808ece326c53787ee Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Oct 26 08:37:10 2012 (r306427) +++ head/security/vuxml/vuln.xml Fri Oct 26 08:46:40 2012 (r306428) @@ -51,6 +51,45 @@ Note: Please add new entries to the beg --> + + Exim -- remote code execution + + + exim + 4.704.80.1 + + + + +

This vulnerability affects Exim instances built with DKIM + enabled (this is the default for FreeBSD Exim port) and running + verification of DKIM signatures on the incoming mail + messages.

+

Phil Penncock reports:

+
+

This is a SECURITY release, addressing a CRITICAL remote + code execution flaw in versions of Exim between 4.70 and + 4.80 inclusive, when built with DKIM support (the default).

+

This security vulnerability can be exploited by anyone + who can send email from a domain for which they control the + DNS.

+

You are not vulnerable if you built Exim with DISABLE_DKIM + or if you put this at the start of an ACL plumbed into + acl_smtp_connect or acl_smtp_rcpt:

+
warn control = dkim_disable_verify
+
+ +
+ + CVE-2012-5671 + https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html + + + 2012-10-25 + 2012-10-26 + +
+ django -- multiple vulnerabilities
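Review bot: the new SHA256 for exim-4.80.1.tar.bz2 in the distinfo hunk is the only integrity anchor for a tarball that fixes a remote code execution flaw, and the log does not say how it was obtained. Please state in the commit message whether the hash was checked against the upstream signed release rather than generated from whatever the mirror served, so that anyone who later sees a checksum mismatch knows which value to trust.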
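Review bot: the attribution line in the new vuln.xml entry reads "Phil Penncock reports:", but the author of the Exim announcement is Phil Pennock, so the name should be corrected. The affected-package block names only exim with the range from 4.70 up to 4.80.1. If the port is also installed under other package names, each of those needs its own name entry with the same range, otherwise an audit against vuln.xml will not flag those installs. The quoted workaround (DISABLE_DKIM, or "warn control = dkim_disable_verify" in acl_smtp_connect or acl_smtp_rcpt) is worth keeping as is, since it gives operators a mitigation before they can upgrade.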