Exim 4.76 Release

Discussion in 'Security' started by Kent Brockman, May 9, 2011.

  1. Kent Brockman

    Exim release 4.76 is now available from the primary ftp site:
    * ftp://ftp.exim.org/pub/exim/exim4/exim-4.76.tar.gz
    * ftp://ftp.exim.org/pub/exim/exim4/exim-4.76.tar.bz2
    _________________________________________________________________

    This is a SECURITY release: Exim versions 4.70 up to and including 4.75 contained a security hole (format string attack) permitting remote execution of arbitrary code as the Exim run-time user. This is CVE-2011-1764. There is also another, lesser security issue. Both lie in the DKIM code and mitigation techniques are described below.

    Note that as part of our work to improve Exim and protect against future security issues, some changes were made to the code to pass gcc with many more warnings enabled, and in some cases to compile with Clang.
    Although feedback so far has been positive, there remains a chance that these changes will cause compilation problems on lesser-tested platforms; please raise any issues encountered on the exim-users mailing-list.

    _________________________________________________________________

    The primary ftp server is in Cambridge, England. There is a list of mirrors in:
    * the status of Exim Download Sites mirrors

    The master ftp server is ftp.exim.org.

    The distribution files are signed with Phil Pennock's PGP key 0x3903637F (uid pdp@exim.org; signed by Nigel Metheringham's PGP key DDC03262).
    This key should be available from all modern PGP keyservers. Please use your own discretion in assessing what trust paths you might have to this uid; the "Release verification" section of the experimental Release Policy might be of assistance:
    * EximReleasePolicyProposedDraft - Exim Wiki

    The detached ASCII signature files are in the same directory as the tarbundles. The SHA1 and SHA256 hashes for the distribution files are at the end of this email.

    The distribution contains an ASCII copy of the 4.76 manual and other documents. Other formats of the documentation are also available:-
    * ftp://ftp.exim.org/pub/exim/exim4/exim-html-4.76.tar.gz
    * ftp://ftp.exim.org/pub/exim/exim4/exim-pdf-4.76.tar.gz
    * ftp://ftp.exim.org/pub/exim/exim4/exim-postscript-4.76.tar.gz

    The .bz2 versions of these tarbundles are also available.

    The ChangeLog for this, and several previous releases, is included in the distribution. Individual change log files are also available on the ftp site, the current one being:-
    * ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.76
    * ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.76.gz

    Brief documentation for new features is available in the NewStuff file in the distribution. Individual NewStuff files are also available on the ftp site, the current one being:-
    * ftp://ftp.exim.org/pub/exim/ChangeLogs/NewStuff-4.76
    * ftp://ftp.exim.org/pub/exim/ChangeLogs/NewStuff-4.76.gz

    _________________________________________________________________

    Security notes for 4.75:

    Disabling DKIM verification will avoid the security issues. This can be done without recompilation by adding to the start of your RCPT ACL the line:
    warn control = dkim_disable_verify

    In addition, not defining an ACL for acl_smtp_dkim will avoid the lesser security issue, which permits a crafted DKIM identity to cause matching to be performed against lookup items, not just strings. I believe that the results will not be included in an email or non-debug logs, so this results in attacker-controlled file-system access, tripping IDS systems but not offering an avenue of attack.

    Our quick fix for the latter issue does have the side-effect of falsely rejecting some (unusual) DKIM signatures, which we do not believe will have any material impact in the real world. We'll work on a more forgiving solution for a future release.
     
  2. d_t

  3. Kent Brockman

    Yep, but it is outdated enough to be affected by older security problems...
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello Kent :)

    We backport patches, known as CVEs, for the version of Exim used with cPanel. You can use the following command to check for this information:

    Code:
    rpm -q --changelog exim | grep CVE
    An example of the output will be:

    Code:
    # rpm -q --changelog exim | grep CVE
    - fix for CVEs CVE-2010-2024, CVE-2010-2023
    - Update CVE-2011-0017 patch to fix use of -C flag by unprivileged users.
    - CVE-2011-0017: Backport patch from EXIM 4.74 for arbitrary file overwrite bug.
    - CVE-2010-4344: Apply string_format buffer overflow patch
    - CVE-2010-4345: Compile with ALT_CONFIG_PREFIX=/etc/exim
    - CVE-2010-4345: Compile with ALT_CONFIG_PREFIX=/etc
    To note, it's been determined that Exim version 4.69 is not vulnerable to the security hole you have referenced.

    Thank you.
     
  5. mykkal

    David, Exim 4.69 is not vulnerable because it doesn't support DKIM. Only the deprecated Domain Keys...
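
The checks discussed in this thread, as an added example that is not part of any post and not cPanel's or Exim's own tooling: it combines the affected range from the announcement (4.70 up to and including 4.75) with the changelog lookup for a backported CVE-2011-1764 fix. The function names, verdict strings and sample changelog text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an Exim install against CVE-2011-1764.
# Affected range per the announcement: 4.70 up to and including 4.75.
CVE_ID="CVE-2011-1764"

# Return 0 if VERSION (e.g. "4.72" or "4.72-3") is in 4.70..4.75,
# 1 if it is outside that range, 2 if it cannot be parsed.
exim_version_affected() {
    ver=${1%%-*}                  # drop an rpm release suffix such as "-3"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major$minor" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$major" -eq 4 ] && [ "$minor" -ge 70 ] && [ "$minor" -le 75 ]
}

# Read changelog text on stdin; succeed if it names the CVE as a whole word.
changelog_lists_cve() {
    grep -qwF -- "$1"
}

# Print one verdict for VERSION ($1) given changelog text ($2).
assess_exim() {
    rc=0
    exim_version_affected "$1" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "unknown-version"
    elif [ "$rc" -eq 1 ]; then
        echo "outside-affected-range"
    elif printf '%s\n' "$2" | changelog_lists_cve "$CVE_ID"; then
        echo "backport-listed"
    else
        # Interim mitigation from the announcement, at the start of the
        # RCPT ACL:  warn control = dkim_disable_verify
        echo "affected-disable-dkim-verify"
    fi
}

# Constructed sample changelogs (the last entry is invented for the demo).
SAMPLE_OLD='- CVE-2010-4344: Apply string_format buffer overflow patch
- CVE-2010-4345: Compile with ALT_CONFIG_PREFIX=/etc/exim'
SAMPLE_FIXED="$SAMPLE_OLD
- CVE-2011-1764: constructed backport entry"

assess_exim 4.69-30 "$SAMPLE_OLD"
assess_exim 4.72 "$SAMPLE_OLD"
assess_exim 4.72 "$SAMPLE_FIXED"
```

On a live host the two arguments would come from `rpm -q --qf '%{VERSION}' exim` and `rpm -q --changelog exim`.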

     