Search Results: "Andreas Metzler"

24 September 2011

Andreas Metzler: exim with support for TLS1.1 and TLS1.2

I have just uploaded exim4 4.76-4 to experimental. Compared to 4.76-3 the only additions are the changes from upstream's gnutls_fixes branch, making exim4 advertise and use TLS1.1 or TLS1.2 if available. We would appreciate some testing.

1 August 2011

Andreas Metzler: down

This weekend I looked down. There is the Bregenzer Ache.

19 June 2011

Andreas Metzler: pushing release goals

Thanks to the bad weather I have made some progress implementing release-goal in my/our packages: On a sidenote, please keep testing gnutls 2.12.7 (in experimental) to prevent unwanted surprises when we upload to unstable.

9 May 2011

Andreas Metzler: Hotfix for CVE-2011-1764

Since exim is currently stuck in the perl 5.12 transition it is a very good idea to add "warn control = dkim_disable_verify" at the beginning of the rcpt acl on systems running testing. This will prevent attacks based on CVE-2011-1764.

16 April 2011

Andreas Metzler: balance sheet snowboarding season 2010/11

This year we had very little snow again. Although winter started (too) early (first snow on October 16th) we topped out at little over 50cm in Au (in December). In a normal winter we should have 1m at least temporarily, and 2m is not rare. Temperatures were high, too. I was usually wearing a layer less than normally. All this had me riding in Damüls most of the time, Diedamskopf only saw me in December, since they have little artificial snow, and natural one was missing. Summer temperatures (20°C) at start of April cut the season very short. My last snow day was on April 3rd. On the upside I did not hurt myself this year (knock, knock) and the weather was good often. Here is the balance sheet:
                          2005/06  2006/07  2007/08  2008/09  2009/10  2010/11
number of (partial) days       25       17       29       37       30       30
Damüls                         10       10        5       10       16       23
Diedamskopf                    15        4       24       23       13        4
Warth/Schröcken                 0        3        0        4        1        3
total meters of altitude   124634    74096   219936   226774   202089   203918
highscore                  10247m    8321m   12108m   11272m   11888m   10976m
# of runs                     309      189      503      551      462      449

27 March 2011

Andreas Metzler: GnuTLS 2.12.0 in experimental

I have uploaded GnuTLS 2.12.0 to experimental. Please test.

20 February 2011

Andreas Metzler: license incompatibilities

GnuTLS has recently made Nettle its preferred crypto backend. I think Debian will need to continue to use libgcrypt for license reasons. While GnuTLS+libgcrypt and its dependencies are LGPL-2.1+, nettle itself is LGPL-2.1+, except for small GPL-2+ parts (serpent and blowfish). But these are being replaced by LGPL-2.1+ implementations currently. However nettle's public key library (libhogweed) uses and links against the GNU Multiple Precision Arithmetic Library which is LGPL-3+. Afaiui this is a deal-breaker, GPL-2 (without the "any later version" clause) and (L)GPL-3 are incompatible. A nontrivial number of GnuTLS-using applications and libraries are licensed (L)GPL-2. I started checking but stopped at "j" after finding cherokee-1.0.20, cluster-glue-1.0.7, cups-1.4.6, drizzle-2010.09.180, echoping-6.0.2, elinks-0.12~pre5, gtk-vnc-0.4.2, inspircd-1.1.22+dfsg and jd-2.8.1~beta110214.

21 December 2010

Andreas Metzler: exim testers

I would appreciate if you could test the proposed fixes for the exim4 privilege escalation bug CVE-2010-4345. Preliminary binary and source packages for squeeze/sid and lenny are available here:
deb http://www.bebt.de/debian/ sid exim4+cve
deb-src http://www.bebt.de/debian/ sid exim4+cve
deb http://www.bebt.de/debian/ lenny exim4+cve
deb-src http://www.bebt.de/debian/ lenny exim4+cve
You can also browse the changes in SVN (lenny and sid) or build your own binaries.
Changelog: NEWS entry:

Exim versions up to and including 4.72 are vulnerable to CVE-2010-4345. This is a privilege escalation issue that allows the exim user to gain root privileges by specifying an alternate configuration file using the -C option. The macro override facility (-D) might also be misused for this purpose.

In reaction to this security vulnerability upstream has made a number of user visible changes. This package includes these changes.

If exim is invoked with the -C or -D option the daemon will not regain root privileges through re-execution. This is usually necessary for local delivery, though. Therefore it is generally not possible anymore to run an exim daemon with -D or -C options.

However this version of exim has been built with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. TRUSTED_CONFIG_LIST defines a list of configuration files which are trusted; if a config file is owned by root and matches a pathname in the list, then it may be invoked by the Exim build-time user without Exim relinquishing root privileges.

As a hotfix to not break existing installations of mailscanner we have also set WHITELIST_D_MACROS=OUTGOING. i.e. it is still possible to start exim with -DOUTGOING while being able to do local deliveries.

If you previously were using -D switches you will need to change your setup to use a separate configuration file. The ".include" mechanism makes this easy.

The system filter is run as exim_user instead of root by default. If your setup requires root privileges when running the system filter you will need to set the system_filter_user exim main configuration option.
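
The two conditions the NEWS entry gives for a trusted configuration file (listed in TRUSTED_CONFIG_LIST, owned by root) can be audited before a setup is moved from -D switches to a separate file. This is an added example, not part of the original post or of the exim4 package; the list format (one absolute pathname per line), the exact string comparison and the group/other-writable check are assumptions, and `read_trusted_list` and `check_config` are hypothetical names.

```python
import os
import stat

# Build-time value quoted in the NEWS entry above.
TRUSTED_CONFIG_LIST = "/etc/exim4/trusted_configs"


def read_trusted_list(list_path):
    """Return the pathnames in the list file.

    Assumed format: one absolute pathname per line; anything that does not
    start with "/" (blank lines, comments) is skipped.
    """
    with open(list_path, encoding="utf-8") as fh:
        return [ln.strip() for ln in fh if ln.strip().startswith("/")]


def check_config(config_path, list_path=TRUSTED_CONFIG_LIST, owner_uid=0):
    """Return the reasons config_path fails the trusted-config conditions.

    An empty list means both conditions from the NEWS entry hold: the file is
    listed and owned by root (owner_uid is a parameter only so the check can
    be exercised without root).
    """
    problems = []
    if config_path not in read_trusted_list(list_path):  # exact string match (assumption)
        problems.append("not listed in " + list_path)
    try:
        st = os.stat(config_path)
    except OSError as exc:
        problems.append("cannot stat: " + str(exc.strerror))
        return problems
    if st.st_uid != owner_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    # Extra hardening check added for this example, not stated on the page.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        issues = check_config(path)
        print(path, "OK" if not issues else "; ".join(issues))
```

Run it with the pathnames you intend to pass to -C; any output other than OK names the condition that fails.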

28 November 2010

Andreas Metzler: hugin 2010.4.0 in experimental

Hugin 2010.4.0 beta1 is available in experimental (after the next mirror pulse). The major feature is inclusion of a (patent-free) control point detector (cpfind). No need for getting autopano-sift(-c) from third-party repositories anymore. My first tests were pretty promising, cpfind is very fast and seems to find reasonable controlpoints. It does not seem to be possible to limit the number of control points anymore, though. Unofficial lenny backports are available here.

19 September 2010

Andreas Metzler: What I hated about my squeeze upgrade experience - udev

Rant follows. I have upgraded my PC to squeeze this weekend. While this generally worked fine, udev (version 160-1) made my day. As usual I had not read the release notes previously and was hit by
Please upgrade your kernel before or while upgrading udev.

AT YOUR OWN RISK, you can force the installation of this version of udev WHICH DOES NOT WORK WITH YOUR RUNNING KERNEL AND WILL BREAK YOUR SYSTEM
dpkg to the rescue:
dpkg -i /var/cache/apt/archives/linux-base_2.6.32-21_all.deb 
dpkg -i /var/cache/apt/archives/linux-image-2.6.32-5-amd64_2.6.32-21_i386.deb  /var/cache/apt/archives/linux-image-2.6-amd64_2.6.32+28_i386.deb 
reboot
Afterwards the upgrade succeeded. (For reference: The correct solution would probably have been to run apt-get install linux-image-2.6-amd64 and rebooting, before starting the dist-upgrade.) udev was not finished with me, though, the syntax for udev rules has changed again. ("NAME="%k" is ignored, because it breaks kernel supplied names", "SYSFS{}= will be removed in a future udev version, please use ATTR{}=", "BUS= will be removed in a future udev version, please use SUBSYSTEM=", etc.) So I started googling and rewriting my custom rules for USB-sticks and USB cardreader. After many reboots (the only way to test these rules nowadays), things were still not working. My cardreader is not an exotic one but a common one, i.e. it does not report media changes. (The guide for writing udev rules shares this opinion.) Previously I had:
BUS=="scsi", KERNEL=="sd*", SYSFS{model}=="Compact Flash",SYSFS{vendor}=="Generic-",NAME{all_partitions}="cardreader/cf"
which caused udev to generate /dev/cardreader/cf1, /dev/cardreader/cf2, etc. on bootup (without media present), enabling me to configure /etc/fstab to allow mounting of /dev/cardreader/cf1 without superuser privileges. After googling I ended up with this new rule:
SUBSYSTEMS=="scsi", KERNEL=="sd*", DRIVERS=="sd", ATTRS{vendor}=="Generic-", ATTRS{model}=="SD/MMC          ", SYMLINK+="cardreader/sd%n", OPTIONS+="all_partitions"
and while I get ...
argenau:~# ls -l /dev/cardreader/sd
lrwxrwxrwx 1 root root 6 Sep 19 14:42 /dev/cardreader/sd -> ../sdd
... there is still no /dev/cardreader/sd1 (unless I insert a card and run fdisk -l /dev/cardreader/sd as superuser). Looks like OPTIONS+="all_partitions" is ignored. And indeed I find this in udev's changelog:
udev 152
[...]
The option "all_partitions" was removed from udev. This should not be needed for usual hardware. Udev can not safely make assumptions about non-existing partition major/minor numbers, and therefore no longer provide this unreliable and unsafe option.

Joy. Thanks udev for telling me consumer devices have been fixed overnight, USB cardreaders have suddenly started reporting media change events.

5 September 2010

Andreas Metzler: WindowMaker is undead

I have recently switched to the wmaker-crm fork of WindowMaker. There are some new features but no huge changes. I am happily using git next branch plus these patches.

30 May 2010

Andreas Metzler: exim4 cvs/git snapshot in experimental.

I have uploaded a new cvs/git snapshot of exim4 to experimental. This is 4.72 RC plus some DKIM related fixes that were committed afterwards. For a complete list of changes take a look at the upstream changelog. Lenny packages are here.

24 April 2010

Andreas Metzler: balance sheet snowboarding season 2009/10

Since we had little snow, this year shows a negative trend. Fewer days spent snowboarding, fewer meters of altitude. In December and around Christmas I basically went snowboarding instead of taking a walk, stopping after an hour or two. The first reasonable day was January 23rd. My season ended April 17th with a perfect day at Warth. Here is the balance sheet:
                          2005/06  2006/07  2007/08  2008/09  2009/10
number of (partial) days       25       17       29       37       30
Damüls                         10       10        5       10       16
Diedamskopf                    15        4       24       23       13
Warth/Schröcken                 0        3        0        4        1
total meters of altitude   124634    74096   219936   226774   202089
highscore                  10247m    8321m   12108m   11272m   11888m
# of runs                     309      189      503      551      462
On good days I had problems stopping ;-), ending up with three 11000m+ days. Not included above is one day in Brand (with the company I work for, I also did this last year) and my very first time at Lech am Arlberg. The road from Bregenzerwald to Lech is usually closed in winter due to danger of avalanches which is what stopped me before. This year it was open for some time due to little snow. I had a great day there, although the snow cannons did not manage to cover all rocks.

17 January 2010

Andreas Metzler: gnutls26 lenny update

I have prepared an update of gnutls26 for lenny, incorporating these changes: I would appreciate testing. Source and binaries for i386 and amd64 are available here.

11 November 2009

Andreas Metzler: exim 4.70 rc4 Debian packages

I have just uploaded Exim 4.70 rc4 to experimental. Please test. etch backport continues to be available here.

31 October 2009

Andreas Metzler: new tv

I am still not used to finding a printed copy of the (L)GPL in home-appliances. My new Philips 32PFL840H/12 did, thanks to the usage of e.g. libgphoto2.

17 October 2009

Andreas Metzler: exim 4.70 pre-release

Following up on the call for testers I have uploaded a cvs snapshot of exim4 to experimental. A backport for lenny is available here.

4 October 2009

Andreas Metzler: nice while it lasted

Just a small memorial for my latest holiday in Italy at Lake Garda. Not only was hiking to Croz dell'Altissimo from Molvino really very nice but the view from the summit is awesome. In front of you there is a sheer, almost vertical drop of about 800 m to Val delle Seghe and on the other side of the valley looms Cima Brenta.

12 September 2009

Andreas Metzler: hugin 2009.2.0 prerelease

I have packaged the latest SVN of the pending 2009.2.0 release (i.e post beta3) of hugin. Source and binary packages are here, the Debian pieces live in pkg-phototools GIT repository. Another nice new feature besides the ones listed in the announcement is the possibility to display (bad) controlpoints in the OpenGL preview window.

8 September 2009

Andreas Metzler: hugin 0.8.0 in experimental

We have finally managed to upload hugin 0.8.0 to experimental. It will probably end up in sid soonish. Upstream is already busy preparing 2009.2 (swiftly sidestepping any possibility for a 1.0 ever ;-) lenny backport available on this site.
