* [gentoo-dev] [News item review] Exim >=4.94 transports: tainted not permitted
From: Fabian Groffen @ 2021-05-02  9:56 UTC
  To: gentoo-dev


Title: Exim >=4.94 disallows tainted variables in transport configurations
Author: Fabian Groffen <grobian@gentoo.org>
Posted: 2021-05-??
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: mail-mta/exim

Since the release of Exim-4.94, transports refuse to use tainted data in
constructing a delivery location.  If you use this in your transports,
your configuration will break, causing errors and possible downtime.

Particularly, the use of $local_part in any transport should likely be
updated with $local_part_data.  Check your local_delivery transport,
which historically used $local_part.

Unfortunately there is not much documentation on "tainted" data for
Exim[1], and to resolve this, non-official sources need to be used, such
as [2] and [3].



[1] https://lists.exim.org/lurker/message/20201109.222746.24ea3904.en.html
[2] https://mox.sh/sysadmin/tainted-filename-errors-in-exim-4.94/
[3] https://jimbobmcgee.wordpress.com/2020/07/29/de-tainting-exim-configuration-variables/

-- 
Fabian Groffen
Gentoo on a different level


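As an added illustration (not part of the news item and not Exim's own documentation), the local delivery setup the item refers to, with the transport line that breaks under Exim >= 4.94 beside the corrected one. The router's check_local_user looks the local part up in the password database, and only that looked-up value lands in $local_part_data, whereas $local_part is the string the remote sender put in the envelope and can therefore not be trusted in a file path. The virtual_user router at the end generalises the same idea to users without system accounts; its lookup file path is an assumption.

```exim
# Router: check_local_user looks the local part up in the system
# password database.  The value found there is stored in
# $local_part_data (untainted); $local_part remains the raw,
# sender-supplied string and stays tainted.
localuser:
  driver = accept
  check_local_user
  transport = local_delivery

# Transport as historically written.  On Exim >= 4.94 every delivery
# through it fails with a "tainted ... not permitted" error, because
# the mailbox path is built from the tainted $local_part.
#
# local_delivery:
#   driver = appendfile
#   file = /var/mail/$local_part
#   delivery_date_add
#   envelope_to_add
#   return_path_add

# Corrected transport: the same path, built from the router-verified
# $local_part_data instead.
local_delivery:
  driver = appendfile
  file = /var/mail/$local_part_data
  delivery_date_add
  envelope_to_add
  return_path_add

# Virtual users without system accounts: when local_parts is matched
# through a lookup, the *data* the lookup returns (not the key) is what
# ends up in $local_part_data, so the file needs "alice: alice" style
# lines.  /etc/exim/virtual_users is an assumed path for this example.
virtual_user:
  driver = accept
  domains = example.org
  local_parts = lsearch;/etc/exim/virtual_users
  transport = local_delivery
```

Note that `exim -bV` only checks that the configuration parses and `exim -bt user@example.org` only runs the routers; the taint check fires when the transport expands `file`, so the old line is caught only by a test delivery or in the main log.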

* Re: [gentoo-dev] [News item review] Exim >=4.94 transports: tainted not permitted
From: Ulrich Mueller @ 2021-05-02 10:23 UTC
  To: gentoo-dev


>>>>> On Sun, 02 May 2021, Fabian Groffen wrote:

> Title: Exim >=4.94 disallows tainted variables in transport configurations

Title is too long (GLEP 42 allows 50 chars max).

> Author: Fabian Groffen <grobian@gentoo.org>
> Posted: 2021-05-??
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: mail-mta/exim

> Since the release of Exim-4.94, transports refuse to use tainted data in
> constructing a delivery location.  If you use this in your transports,
> your configuration will break, causing errors and possible downtime.

> Particularly, the use of $local_part in any transport, should likely be
> updated with $local_part_data.  Check your local_delivery transport,
> which historically used $local_part.

> Unfortunately there is not much documentation on "tainted" data for
> Exim[1], and to resolve this, non-official sources need to be used, such
> as [2] and [3].

I have no idea what this news item is trying to tell me. But I don't use
Exim, so probably that's the reason. :) Maybe mention at least that Exim
is a mailer?

Ulrich

> [1] https://lists.exim.org/lurker/message/20201109.222746.24ea3904.en.html
> [2] https://mox.sh/sysadmin/tainted-filename-errors-in-exim-4.94/
> [3] https://jimbobmcgee.wordpress.com/2020/07/29/de-tainting-exim-configuration-variables/


* Re: [gentoo-dev] [News item review] Exim >=4.94 transports: tainted not permitted
From: Fabian Groffen @ 2021-05-02 10:42 UTC
  To: Ulrich Mueller; +Cc: gentoo-dev


On 02-05-2021 12:23:30 +0200, Ulrich Mueller wrote:
> >>>>> On Sun, 02 May 2021, Fabian Groffen wrote:
> 
> > Title: Exim >=4.94 disallows tainted variables in transport configurations
> 
> Title is too long (GLEP 42 allows 50 chars max).

Ah, missed that.

> I have no idea what this news item is trying to tell me. But I don't use
> Exim, so probably that's the reason. :) Maybe mention at least that Exim
> is a mailer?

Fair point.

Thanks,
Fabian

-- 
Fabian Groffen
Gentoo on a different level


* Re: [gentoo-dev] [News item review] Exim >=4.94 transports: tainted not permitted
From: Andreas K. Huettel @ 2021-05-06 13:01 UTC
  To: gentoo-dev


On Sunday, 2 May 2021, 11:56:34 CEST, Fabian Groffen wrote:
> Title: Exim >=4.94 disallows tainted variables in transport configurations
> Author: Fabian Groffen <grobian@gentoo.org>
> Posted: 2021-05-??
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: mail-mta/exim
> 
> Since the release of Exim-4.94, transports refuse to use tainted
> data in constructing a delivery location.  If you use this in your
> transports, your configuration will break, causing errors and
> possible downtime.
> 
> Particularly, the use of $local_part in any transport, should likely
> be updated with $local_part_data.  Check your local_delivery
> transport, which historically used $local_part.
> 
> Unfortunately there is not much documentation on "tainted" data for
> Exim[1], and to resolve this, non-official sources need to be used,
> such as [2] and [3].

This is a safety mechanism that is part of Perl (essentially a way of 
tracking data that is derived from "insecure" sources).

So it probably would make sense to at least point towards that concept 
in Perl.

https://perldoc.perl.org/perlsec



-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer
(council, toolchain, base-system, perl, libreoffice)


* Re: [gentoo-dev] [News item review] Exim >=4.94 transports: tainted not permitted
From: Fabian Groffen @ 2021-05-06 13:07 UTC
  To: gentoo-dev


On 06-05-2021 15:01:33 +0200, Andreas K. Huettel wrote:
> > Unfortunately there is not much documentation on "tainted" data for
> > Exim[1], and to resolve this, non-official sources need to be used,
> > such as [2] and [3].
> 
> This is a safety mechanism that is part of Perl (essentially a way of 
> tracking data that is derived from "insecure" sources).
> 
> So it probably would make sense to at least point towards that concept 
> in Perl.

I think the concept is clear to most from the descriptions one can find.
The big problem however is the solution, how to fix one's configuration.

Luckily it seems people find their way to Exim's bugtracker to get help
there.

Thanks for the suggestion though,
Fabian


-- 
Fabian Groffen
Gentoo on a different level

