
Thread: Exim 4.77 Support

  1. #1
    Member Ivan A's Avatar
    Join Date
    Mar 2007
    Posts
    141
    cPanel/WHM Access Level

    Root Administrator

    Default Exim 4.77 Support

    Exim 4.73 Release

    Exim release 4.73 is now available from the primary ftp site:
    * ftp://ftp.exim.org/pub/exim/exim4/exim-4.73.tar.gz
    * ftp://ftp.exim.org/pub/exim/exim4/exim-4.73.tar.bz2
    _________________________________________________________________

    This is primarily a security and bug fix release. The changes
    involved are:-

    1. TWO MAJOR SECURITY FIXES:-
    + CVE-2010-4344 exim remote code execution flaw
    + CVE-2010-4345 exim privilege escalation
    2. Improvements to OpenSSL support.
    3. Convert to a more recent Clam/AV API.
    4. Additional improvements to DKIM support
    5. Remove reliance on C99 va_copy()

    CVE-2010-4344 was actually resolved by a fix in release 4.70, but
    not identified at the time as a security issue. Changes have been
    made in release 4.73 to resolve CVE-2010-4345. We recommend that
    users should migrate to 4.73 as soon as possible, however some
    distributions are instead using older releases with specific
    patches for these issues.

    Due to packaging build issues no texinfo documentation files have
    been produced - however they should be buildable from the
    documentation source should you have the correct toolchain
    available. The HTML documentation included is now built using the
    same toolchain as the website documentation.
    _________________________________________________________________

    The primary ftp server is in Cambridge, England. There is a list of
    mirrors in:
    * the status of Exim Download Sites mirrors

    The master ftp server is now ftp.exim.org.

    The distribution files are signed with Nigel Metheringham's GPG key
    (address is nigel@exim.org, key id is DDC03262), which is available
    on the ftp site and on a number of keyservers. The ASCII signature
    files are in the same directory as the tarbundles. The SHA1 hashes
    for the distribution files are:


    The distribution contains an ASCII copy of the 4.73 manual and
    other documents. Other formats of the documentation are also
    available:-
    * ftp://ftp.exim.org/pub/exim/exim4/exim-html-4.73.tar.gz
    * ftp://ftp.exim.org/pub/exim/exim4/exim-pdf-4.73.tar.gz
    * ftp://ftp.exim.org/pub/exim/exim4/ex...pt-4.73.tar.gz

    The .bz2 versions of these tarbundles are also available.

    The ChangeLog for this, and several previous releases, is included
    in the distribution. Individual change log files are also available
    on the ftp site, the current one being:-
    * ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.73
    * ftp://ftp.exim.org/pub/exim/ChangeLo...ngeLog-4.73.gz

    Brief documentation for new features is available in the NewStuff
    file in the distribution. Individual NewStuff files are also
    available on the ftp site, the current one being:-
    * ftp://ftp.exim.org/pub/exim/ChangeLogs/NewStuff-4.73
    * ftp://ftp.exim.org/pub/exim/ChangeLogs/NewStuff-4.73.gz

  2. #2
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,565
    cPanel/WHM Access Level

    DataCenter Provider

    Lightbulb re: Exim 4.77 Support

    Quote Originally Posted by Lazek View Post
    Exim 4.73 Release
    [...]
    1. TWO MAJOR SECURITY FIXES:-
    + CVE-2010-4344 exim remote code execution flaw
    + CVE-2010-4345 exim privilege escalation
    [...]
    The Exim security fixes for the CVE identifiers have already been addressed per the following announcements and discussions:


    I believe that Exim version 4.7x is expected to coincide with DKIM per the following feature request: Add support for DKIM ("DomainKeys Identified Mail")

  3. #3
    Member
    Join Date
    Jan 2008
    Location
    Buenos Aires, Argentina
    Posts
    989
    cPanel/WHM Access Level

    Root Administrator

    Default re: Exim 4.77 Support

    Sorry to bother you Don, but an updated and well patched Exim version is, I'd say, mandatory. I hope cPanel staff can dedicate more time to the Exim/DKIM upgrade issue as this is one of the most important feature requests.

  4. #4
    Member
    Join Date
    Sep 2009
    Location
    United Kingdom
    Posts
    129
    cPanel/WHM Access Level

    DataCenter Provider

    Default re: Exim 4.77 Support

    Quote Originally Posted by Kent Brockman View Post
    Sorry to bother you Don, but an updated and well patched Exim version is, I'd say, mandatory. I hope cPanel staff can dedicate more time to the Exim/DKIM upgrade issue as this is one of the most important feature requests.
    I agree. +1

  5. #5
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,565
    cPanel/WHM Access Level

    DataCenter Provider

    Lightbulb re: Exim 4.77 Support

    The present ETA for upgrading Exim is slated for version 11.32, in line with the request for DKIM, as discussed here: Add support for DKIM ("DomainKeys Identified Mail")

  6. #6
    Member
    Join Date
    Jan 2008
    Location
    Buenos Aires, Argentina
    Posts
    989
    cPanel/WHM Access Level

    Root Administrator

    Default re: Exim 4.77 Support

    Hello boys, today the guys at Cambridge released version 4.74. It is a minor update and I think it should get into 11.32, just to keep Exim finally up to date after so many years.

  7. #7
    cPanel Development cPanelKenneth's Avatar
    Join Date
    Apr 2006
    Posts
    4,143
    cPanel/WHM Access Level

    Root Administrator

    Default re: Exim 4.77 Support

    Quote Originally Posted by Kent Brockman View Post
    Hello boys, today the guys at Cambridge released version 4.74. It is a minor update and I think it should get into 11.32, just to keep Exim finally up to date after so many years.
    We'll include whatever is the latest version of Exim when version 11.32 is delivered to you (the customers).
    Kenneth
    Development
    cPanel, Inc.

  8. #8
    Member mykkal's Avatar
    Join Date
    Feb 2007
    Location
    Atlanta, Georgia, United States
    Posts
    118

    Default re: Exim 4.77 Support

    Exim stable release is now Exim 4.76. It has significant standardized feature updates and bug fixes over 4.74. Can cPanel work on releasing this version?

    Also, I think cpanel should work just as hard to support the latest versions of Exim as they do with apache. As the net matures it will be very important that we are using a standard mailer which affords us the best performance & delivery.

    Exim Internet Mailer

    This is actually taken from another forum post. http://forums.cpanel.net/f185/exim-4...se-208571.html

    This is a SECURITY release: Exim versions 4.70 up to and including 4.75 contained a security hole (format string attack) permitting remote execution of arbitrary code as the Exim run-time user. This is CVE-2011-1764. There is also another, lesser security issue. Both lie in the DKIM code and mitigation techniques are described below.
    Last edited by mykkal; 05-13-2011 at 11:59 PM.

  9. #9
    Member
    Join Date
    Apr 2003
    Posts
    66

    Default re: Exim 4.77 Support

    Ok, I know I am 3 months behind on this, but why is it that my "RELEASE" version of WHM has Exim 4.69? They started this discussion back in Jan. and here it is August and there is no patch for this yet?

  10. #10
    Member monarobase's Avatar
    Join Date
    Jan 2010
    Location
    France
    Posts
    494
    cPanel/WHM Access Level

    Root Administrator

    Default re: Exim 4.77 Support

    Quote Originally Posted by ljprevo View Post
    Ok, I know I am 3 months behind on this, but why is it that my "RELEASE" version of WHM has Exim 4.69? They started this discussion back in Jan. and here it is August and there is no patch for this yet?
    11.32 is the next big release, so it's hopefully coming in the next few months along with DKIM support

  11. #11
    Member
    Join Date
    Apr 2003
    Posts
    66

    Default re: Exim 4.77 Support

    Quote Originally Posted by monarobase View Post
    11.32 is the next big release, so it's hopefully coming in the next few months along with DKIM support
    Next few MONTHS!! Wow, that is a long time to run on software that has vulnerabilities.

    Here is what I got from a scan

    Exim < 4.74 Local Privilege Escalation smtp (25/tcp) CVE-2011-0017 Medium 6.8 Fail

    Exim < 4.74 Local Privilege Escalation urd (465/tcp) CVE-2011-0017 Medium 6.8 Fail

    Bind9 9.4-ESV < 9.4-ESV-R4, 9.6.2 < 9.6.2-P3, 9.6-ESV < 9.6-ESV-R3, 9.7.x < 9.7.2-P3 Multiple Vulnerabilities domain (53/udp) CVE-2010-3613, CVE-2010-3614, CVE-2010-3615 Medium 6.4 Fail

    Exim < 4.72 Multiple Vulnerabilities urd (465/tcp) CVE-2010-2023, CVE-2010-2024 Medium 6.0 Fail

    Exim < 4.72 Multiple Vulnerabilities smtp (25/tcp) CVE-2010-2023, CVE-2010-2024 Medium 6.0 Fail

  12. #12
    Member mykkal's Avatar
    Join Date
    Feb 2007
    Location
    Atlanta, Georgia, United States
    Posts
    118

    Default re: Exim 4.77 Support

    They're almost half a decade behind. Maybe we should hunger strike or burn ourselves in protest like that Vietnamese monk...

  13. #13
    Member
    Join Date
    Feb 2007
    Posts
    294

    Default re: Exim 4.77 Support

    Quote Originally Posted by mykkal View Post
    they're almost half a decade behind. Maybe we should hunger strike or burn ourselves in protest like that vietnamese monk...
    lol

    http://i.imgur.com/u0xRJ.gif
    Last edited by DjiXas; 08-31-2011 at 02:58 AM.

  14. #14
    cPanel Staff cPanelMichael's Avatar
    Join Date
    Apr 2011
    Posts
    2,658
    cPanel/WHM Access Level

    Root Administrator

    Default re: Exim 4.77 Support

    Quote Originally Posted by ljprevo View Post
    Next few MONTHS!! Wow, that is a long time to run on software that has vulnerabilities.

    Here is what I got from a scan

    Exim < 4.74 Local Privilege Escalation smtp (25/tcp) CVE-2011-0017 Medium 6.8 Fail

    Exim < 4.74 Local Privilege Escalation urd (465/tcp) CVE-2011-0017 Medium 6.8 Fail

    Bind9 9.4-ESV < 9.4-ESV-R4, 9.6.2 < 9.6.2-P3, 9.6-ESV < 9.6-ESV-R3, 9.7.x < 9.7.2-P3 Multiple Vulnerabilities domain (53/udp) CVE-2010-3613, CVE-2010-3614, CVE-2010-3615 Medium 6.4 Fail

    Exim < 4.72 Multiple Vulnerabilities urd (465/tcp) CVE-2010-2023, CVE-2010-2024 Medium 6.0 Fail

    Exim < 4.72 Multiple Vulnerabilities smtp (25/tcp) CVE-2010-2023, CVE-2010-2024 Medium 6.0 Fail
    We backport patches, known as CVEs, for the version of Exim used with cPanel. You can use the following command to check for this information:

    Code:
    # rpm -q --changelog exim | grep CVE
    An example of the output will be:

    Code:
    [~]# rpm -q --changelog exim | grep CVE
    - fix for CVEs CVE-2010-2024, CVE-2010-2023
    - Update CVE-2011-0017 patch to fix use of -C flag by unprivileged users.
    - CVE-2011-0017: Backport patch from EXIM 4.74 for arbitrary file overwrite bug.
    - CVE-2010-4344: Apply string_format buffer overflow patch
    - CVE-2010-4345: Compile with ALT_CONFIG_PREFIX=/etc/exim
    - CVE-2010-4345: Compile with ALT_CONFIG_PREFIX=/etc
    Even though cPanel currently uses Exim 4.69, it's not vulnerable to those security issues because we backport security patches.

    Thank you.
    -- cPanelMichael - Migration Specialist, Technical Analyst, cPanel Technical Support
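
Added example (not part of the thread and not cPanel tooling): the changelog check from post #14 extended into a reconciliation of scanner-reported CVEs against the backported fixes, since the scanner in post #11 keys on the version banner alone. The function names are hypothetical, and the sample changelog is the example output quoted in that post, embedded so the script runs without rpm.

```shell
#!/bin/sh
# Added example: reconcile scanner-reported CVEs against a package changelog.

# Changelog lines as quoted in post #14 (stand-in for live rpm output).
sample_changelog() {
cat <<'EOF'
- fix for CVEs CVE-2010-2024, CVE-2010-2023
- Update CVE-2011-0017 patch to fix use of -C flag by unprivileged users.
- CVE-2011-0017: Backport patch from EXIM 4.74 for arbitrary file overwrite bug.
- CVE-2010-4344: Apply string_format buffer overflow patch
- CVE-2010-4345: Compile with ALT_CONFIG_PREFIX=/etc/exim
- CVE-2010-4345: Compile with ALT_CONFIG_PREFIX=/etc
EOF
}

# Print the unique CVE ids mentioned in changelog text read from stdin.
changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# cve_status CHANGELOG_TEXT CVE...
# Prints "<cve> patched" when the changelog names the CVE, else "<cve> unlisted".
# The body runs in a subshell so its variables do not leak into the caller.
cve_status() (
    changelog=$1
    shift
    patched=$(printf '%s\n' "$changelog" | changelog_cves)
    for cve in "$@"; do
        # -x -F: whole-line literal match, so a shorter id cannot match a longer one
        if printf '%s\n' "$patched" | grep -qxF "$cve"; then
            echo "$cve patched"
        else
            echo "$cve unlisted"
        fi
    done
)

# On a live host use: changelog=$(rpm -q --changelog exim)
changelog=$(sample_changelog)

# Exim CVEs from the scan in post #11, plus CVE-2011-1764 mentioned in post #8.
cve_status "$changelog" CVE-2011-0017 CVE-2010-2023 CVE-2010-2024 CVE-2011-1764
```

`unlisted` only means the changelog records no backport for that CVE. For CVE-2011-1764 the advisory quoted in post #8 gives 4.70 to 4.75 as the affected range, so compare that range with the installed version before treating it as a finding.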

  15. #15
    Member mykkal's Avatar
    Join Date
    Feb 2007
    Location
    Atlanta, Georgia, United States
    Posts
    118

    Default re: Exim 4.77 Support

    FYI everyone. The current version is Exim 4.76. That has all the latest and greatest standards, etc...

    Hopefully we can get that version before they release Exim 5
