
Exim 4.74 Release

Discussion in 'Security' started by Kent Brockman, Jan 26, 2011.

  1. Kent Brockman
    Exim release 4.74 is now available from the primary ftp site:
    * ftp://ftp.exim.org/pub/exim/exim4/exim-4.74.tar.gz
    * ftp://ftp.exim.org/pub/exim/exim4/exim-4.74.tar.bz2
    _________________________________________________________________

    This is primarily a security and bug-fix release. While NewStuff
    and ChangeLog contain full details and README.UPDATING should be read,
    the most notable changes since 4.73 are:

    1. SECURITY FIX: CVE-2011-0017
    + Privilege escalation from exim run-time user to root
    + Linux-only
    2. Using 4.73 without defining WHITELIST_D_MACROS and running a
    daemon with a -D override would result in deliveries going
    unlogged. Fixed to be robust in the face of this misconfiguration.
    3. Log rotation with 4.73 was problematic as Exim disliked that
    /dev/null was writeable. Perhaps a little too paranoid.
    4. Support on some OSes for using dynamically loaded modules to
    implement most external lookups. Intended for packagers, to
    reduce runtime linking dependencies on the main Exim binary,
    not for general purpose building.

    There remain no known methods for an attacker to run code of their
    choosing as the Exim run-time user in any release from 4.70 onwards.
    In the event that such a method were discovered, the ability to
    leverage such access to gain root would turn such problems into a
    remote root exploit.

    _________________________________________________________________

    The website has not yet been updated to reflect the 4.74 release;
    we're working through some process issues to complete that. We
    apologise for any inconvenience caused in the meantime.

    The primary ftp server is in Cambridge, England. There is a list of
    mirrors in:
    * http://www.exim.org/mirmon/ftp_mirrors.html

    The master ftp server is now ftp.exim.org.

    The distribution files are signed with Phil Pennock's PGP key 0x3903637F
    (uid pdp@exim.org; signed by Nigel Metheringham's PGP key DDC03262).
    This key should be available from all modern PGP keyservers. The
    detached ASCII signature files are in the same directory as the
    tarbundles. The SHA1 hashes for the distribution files are:


    The distribution contains an ASCII copy of the 4.74 manual and
    other documents. Other formats of the documentation are also
    available:-
    * ftp://ftp.exim.org/pub/exim/exim4/exim-html-4.74.tar.gz
    * ftp://ftp.exim.org/pub/exim/exim4/exim-pdf-4.74.tar.gz
    * ftp://ftp.exim.org/pub/exim/exim4/exim-postscript-4.74.tar.gz

    The .bz2 versions of these tarbundles are also available.

    The ChangeLog for this, and several previous releases, is included
    in the distribution. Individual change log files are also available
    on the ftp site, the current one being:-
    * ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74
    * ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74.gz

    Brief documentation for new features is available in the NewStuff
    file in the distribution. Individual NewStuff files are also
    available on the ftp site, the current one being:-
    * ftp://ftp.exim.org/pub/exim/ChangeLogs/NewStuff-4.74
    * ftp://ftp.exim.org/pub/exim/ChangeLogs/NewStuff-4.74.gz
     
  2. cPanelDavidG
    With version 11.32, we will be inserting in the latest version of Exim.
     
  3. cPanelNick
    We have back-ported the new security fixes from 4.74. We will be releasing new 4.69 RPMs with the back-port very shortly after testing is completed. These will be in EDGE today.

    As David pointed out, we will be offering 4.74 with cPanel 11.32+

    With the security fixes we previously back-ported to 4.69, this is the case for the RPMs we are currently distributing. There should be no reason to panic!
     
    #3 cPanelNick, Jan 28, 2011
    Last edited by a moderator: Jan 28, 2011
  4. vimalkumar_k
  5. vimalkumar_k
  6. cPanelKenneth
    Re: New Exim vulnerability?

    This issue is addressed in our exim-4.69-28_cpanel_maildir RPMs. This can be verified in the Exim RPM changelog:

    Code:
    
    # rpm -q --changelog exim-4.69-28_cpanel_maildir
    * Tue Feb 01 2011 John Lightsey <jd@cpanel.net> - 4.69-28
    - Update CVE-2011-0017 patch to fix use of -C flag by unprivileged users.
    
    * Thu Jan 27 2011 John Lightsey <jd@cpanel.net> - 4.69-27
    - CVE-2011-0017: Backport patch from EXIM 4.74 for arbitrary file overwrite bug.
    
    * Fri Dec 10 2010 J. Nick Koston <jd@cpanel.net> - 4.69-26
    - Apply dovecot buffer overflow patch
    - CVE-2010-4344: Apply string_format buffer overflow patch
    
    * Thu Dec 09 2010 John Lightsey <jd@cpanel.net> - 4.69-25
    - CVE-2010-4345: Compile with ALT_CONFIG_PREFIX=/etc/exim
    ....
    
     
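    The check cPanelKenneth describes above, turned into a script (an added example, not cPanel's or Exim's own code): it extracts the CVE ids an RPM changelog claims to address and reports any from a required list that are missing. It reads the real `rpm -q --changelog exim` output where `rpm` is available, and otherwise falls back to a constructed sample modelled on the changelog quoted in the thread.

```shell
#!/bin/sh
# Added example: list the CVE ids an RPM changelog mentions.
# Changelog text is read from stdin; output is one id per line, deduplicated.
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Return 0 when every CVE id given as an argument appears in the changelog
# on stdin; otherwise print each missing id and return 1.
missing_cves() {
    found=$(cves_in_changelog)
    rc=0
    for cve in "$@"; do
        if ! printf '%s\n' "$found" | grep -qx "$cve"; then
            echo "MISSING: $cve"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (abridged) in the shape of the cPanel Exim RPM changelog
# shown earlier in the thread; used only when no Exim RPM is installed.
SAMPLE_CHANGELOG='* Tue Feb 01 2011 John Lightsey <jd@cpanel.net> - 4.69-28
- Update CVE-2011-0017 patch to fix use of -C flag by unprivileged users.

* Thu Jan 27 2011 John Lightsey <jd@cpanel.net> - 4.69-27
- CVE-2011-0017: Backport patch from EXIM 4.74 for arbitrary file overwrite bug.

* Fri Dec 10 2010 J. Nick Koston <jd@cpanel.net> - 4.69-26
- CVE-2010-4344: Apply string_format buffer overflow patch

* Thu Dec 09 2010 John Lightsey <jd@cpanel.net> - 4.69-25
- CVE-2010-4345: Compile with ALT_CONFIG_PREFIX=/etc/exim'

# Prefer the installed package's own changelog when rpm and an exim package exist.
if command -v rpm >/dev/null 2>&1 && rpm -q exim >/dev/null 2>&1; then
    CHANGELOG=$(rpm -q --changelog exim)
else
    CHANGELOG=$SAMPLE_CHANGELOG
fi

# The three fixes the thread discusses; add ids as your scanner reports them.
printf '%s\n' "$CHANGELOG" | missing_cves CVE-2011-0017 CVE-2010-4344 CVE-2010-4345
```

    A changelog line is only a vendor's claim that a patch was applied; the exit status tells you whether the claim is present, not whether the backport is complete.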
  7. trophyman
    Re: New Exim vulnerability?

    My PCI scan failed and gave CVE-2010-2023 and CVE-2010-2024 as the reasons. Have these been patched? It says I need to update to Exim 4.74.

    When will cPanel include 4.74, and is it safe to manually update to 4.74 in the meantime?
     
  8. trophyman
    Will this fix CVE-2010-2023 and CVE-2010-2024 as well? My PCI scan failed for these reasons. It seems I am at 4.69.

    Also, when is version 11.32+ due out?
     
  9. cPanelNick
    CVE-2010-2023 and CVE-2010-2024 do not affect cPanel environments, as we need not use world-writable (+sticky) mailboxes or MBX.
     
  10. crazyaboutlinux
    Awaiting the next cPanel release & the Exim 4.74 release.
     
  11. trophyman
    Any word on the next cPanel release & Exim 4.74 Release?
     
  12. cPanelDavidG
    EDGE is now on version 11.29 (the version of 11.30 not yet approved for production use). Once we're done with 11.30, we'll be moving onto 11.32 which will have the latest version of Exim.
     
  13. mykkal
    It all just sounds so far away. distant.

    far far away
     