From: "Andreas K. Huettel"
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [News item review] Exim >=4.94 transports: tainted not permitted
Date: Thu, 06 May 2021 15:01:33 +0200
Message-ID: <6358100.FjKLVJYuhi@pinacolada>
Organization: Gentoo Linux

On Sunday, 2 May 2021, 11:56:34 CEST, Fabian Groffen wrote:
> Title: Exim >=4.94 disallows tainted variables in transport
> configurations
> Author: Fabian Groffen
> Posted: 2021-05-??
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: mail-mta/exim
>
> Since the release of Exim-4.94, transports refuse to use tainted
> data in constructing a delivery location. If you use this in your
> transports, your configuration will break, causing errors and
> possible downtime.
>
> Particularly, the use of $local_part in any transport, should likely
> be updated with $local_part_data. Check your local_delivery
> transport, which historically used $local_part.
>
> Unfortunately there is not much documentation on "tainted" data for
> Exim[1], and to resolve this, non-official sources need to be used,
> such as [2] and [3].

This is a safety mechanism that is part of Perl (essentially a way of
tracking data that is derived from "insecure" sources).

So it probably would make sense to at least point towards that concept
in Perl.

https://perldoc.perl.org/perlsec

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer
(council, toolchain, base-system, perl, libreoffice)
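
The check the quoted news item asks for ("Check your local_delivery transport"), as an added example that is not part of the original message or of Exim: a small scanner that lists every use of $local_part inside the transports section of an Exim configuration, so each can be reviewed for replacement with $local_part_data. The sample configuration is constructed, and the parser assumes the usual layout of `begin <section>` lines and `name:` driver headers; macros and `.include` files are not followed.

```python
import re

# Constructed sample configuration for illustration (not taken from the message).
SAMPLE_CONF = r"""
begin routers
localuser:
  driver = accept
  check_local_user
  transport = local_delivery
begin transports
local_delivery:
  driver = appendfile
  file = /var/mail/$local_part
maildir_delivery:
  driver = appendfile
  directory = /home/${local_part}/Maildir
fixed_delivery:
  driver = appendfile
  file = /var/mail/$local_part_data
begin retry
*  *  F,2h,15m
"""

# Matches $local_part and ${local_part...}, but not $local_part_data.
TAINTED = re.compile(r"\$\{?local_part\b")
SECTION = re.compile(r"^begin\s+(\w+)\s*$")
NAME = re.compile(r"^([A-Za-z0-9_]+):\s*$")

def find_tainted_transports(conf_text):
    """Return (transport, line_no, line) for each $local_part use in transports."""
    hits, section, transport = [], None, None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        m = SECTION.match(line)
        if m:
            section, transport = m.group(1), None
            continue
        if section != "transports":
            continue  # routers, ACLs etc. are out of scope for this check
        m = NAME.match(line)
        if m:
            transport = m.group(1)
        elif TAINTED.search(line):
            hits.append((transport, no, line))
    return hits
```

Each hit is a candidate for review, not proof of a failing delivery; run it as `find_tainted_transports(open(path).read())` against the configuration file in use.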