Exim 4.80.1 Critical Security Release

Gordon Dickens
As an FYI, the Exim developers released Exim 4.80.1 today which is a
critical security release addressing a remote code execution flaw in
Exim versions between 4.70 and 4.80 inclusive.

The release announcement is here:

https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html

Basically, this vulnerability can be triggered by anyone who can send
you email from a domain for which they control the DNS, and thereby
provides them access to the Exim run-time user.  Quoting another post by
Exim developer, Phil Pennock: "Thanks to a certain Wired article, I
decided this area of the codebase (of many MTAs) would be likely to be
reviewed by more than just me, so it would be sheer hubris to hope that
this remained undiscovered by blackhats."

If your Exim version was compiled using the default options then your
installation is vulnerable.  Hence, the Exim versions provided by
most Linux and Unix distributions are most certainly vulnerable until
updated.  So, make sure that you update your Exim version immediately
when the next Exim update becomes available for your distribution.

As per the above link, you can protect your installation from this
vulnerability if you put this at the start of your ACLs plumbed into
acl_smtp_connect or acl_smtp_rcpt:

     warn control = dkim_disable_verify

Thus, to protect your Exim4U installation until your Exim version is
updated, modify your /etc/exim/exim.conf file as follows:

After the line:

     acl_connect:

add:

     warn control = dkim_disable_verify

And, after the line:

     acl_check_rcpt:

add:

     warn control = dkim_disable_verify

You can remove these modifications after your Exim version is updated to
protect against this vulnerability.

FYI,

Gordon


_______________________________________________
users mailing list
[hidden email]
https://exim4u.org/mailman/listinfo/users
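The edit described in the post above, scripted so it can be applied and checked without hand-editing. This is an added example, not code from the post, the Exim4U project or the Exim developers. It assumes the Exim4U-style layout the post describes: the two ACLs are introduced by lines consisting only of "acl_connect:" and "acl_check_rcpt:", and the workaround line goes directly under each. The sample configuration inside the script is constructed for illustration; point the functions at your real /etc/exim/exim.conf instead.

```shell
#!/bin/sh
# Added example (not from the post): insert the interim DKIM workaround
# "warn control = dkim_disable_verify" as the first statement of the
# acl_connect and acl_check_rcpt ACLs of an Exim4U-style exim.conf.
# Assumption: each ACL starts on a line holding only "acl_connect:" or
# "acl_check_rcpt:" (the layout the post describes).
set -eu

MITIGATION='     warn control = dkim_disable_verify'

# Write CONF ($1) to stdout with the workaround inserted under both ACL
# headers. Idempotent: a copy already sitting directly under a header is
# replaced rather than duplicated, so the script can be re-run safely.
patch_exim_acls() {
    awk -v m="$MITIGATION" '
        /^[[:space:]]*(acl_connect|acl_check_rcpt):[[:space:]]*$/ {
            print; print m; pending = 1; next
        }
        pending {
            pending = 0
            # drop a pre-existing copy of the workaround line
            if ($0 ~ /^[[:space:]]*warn[[:space:]]+control[[:space:]]*=[[:space:]]*dkim_disable_verify[[:space:]]*$/) next
        }
        { print }
    ' "$1"
}

# Count how many of the two ACL headers in CONF ($1) are immediately
# followed by the workaround line. Expect 2 after patching.
count_protected_acls() {
    awk '
        /^[[:space:]]*(acl_connect|acl_check_rcpt):[[:space:]]*$/ { want = 1; next }
        want && /^[[:space:]]*warn[[:space:]]+control[[:space:]]*=[[:space:]]*dkim_disable_verify[[:space:]]*$/ { n++ }
        { want = 0 }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample configuration (not a real exim.conf) so the script
# runs offline; the structure mirrors the lines the post tells you to find.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
acl_smtp_connect = acl_connect
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_connect:
  accept hosts = :

acl_check_rcpt:
  accept hosts = :
  deny message = relay not permitted
EOF

PATCHED="$(mktemp)"
patch_exim_acls "$SAMPLE" > "$PATCHED"
echo "ACLs carrying the workaround: $(count_protected_acls "$PATCHED")"

# Optional syntax check when Exim is installed: "exim -C FILE -bV" reads the
# given configuration and reports parse errors. Skipped when exim is absent.
if command -v exim >/dev/null 2>&1; then
    exim -C "$PATCHED" -bV >/dev/null && echo "patched configuration parses"
fi
rm -f "$SAMPLE" "$PATCHED"
```

To use it on a live system, call patch_exim_acls on a copy of /etc/exim/exim.conf, diff the result against the original, and only then move it into place and restart Exim; keep the backup so the lines can be removed again once the distribution ships a fixed Exim package, as the post suggests.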