Update Exim Version

monza

Member
Nov 10, 2010
19
2
53
I have a client who pays for active cyber insurance for his business. The provider is requiring Exim 4.96 to be installed on the server for compliance. However, there is not one single version of cPanel that uses the latest version of Exim. What are my options? Surely, I don't have to lose clients because cPanel is "insecure"!?!
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
13,463
2,114
363
cPanel Access Level
Root Administrator
Hey there! I'm guessing you mean "4.96" instead of "1.96" for that version number.

cPanel 108, which is currently in the Edge tier, will have Exim 4.96 available. However, if your client is concerned about any specific CVEs or security issues, they have likely been backported to version 4.95 in versions 106 and 102.

Here is the output from an Edge server showing this:

Code:
[[email protected] ~]# /usr/local/cpanel/cpanel -V
107.9901 (build 459)
[[email protected] ~]# rpm -qa | grep -i exim
cpanel-exim-4.96-5.cp108~el8.x86_64
 

monza

Obviously, I'm not going to run Edge on a production server. If 4.95 has all CVEs backported from 4.96, I'm sure that would suffice. Is there documentation for this?
 

cPRex

Oh for sure you wouldn't want to run Edge in production, but that will be making its way through the tiers before the end of this year. In fact, it just got moved to Current yesterday.

There isn't necessarily documentation on this, but the RPM system can tell you. For example, if you run this command:

Code:
rpm -q cpanel-exim --changelog | grep CVE
you'll get a list of CVEs that have been patched. You can also perform other searches on the change log by adjusting the grep command.
 
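One way to turn the changelog check above into per-CVE evidence for an auditor, as an added example that is not part of the original thread: it maps each requested CVE ID to the changelog entry that mentions it and fails if any ID is absent. The names `check_cves` and `sample_changelog`, the sample changelog text, and the `CVE-1900-*` IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Reads package changelog text on stdin,
# e.g. from `rpm -q cpanel-exim --changelog`, and for each CVE ID given as an
# argument prints the changelog entry header that mentions it.
# Returns 0 only if every requested ID was found.
check_cves() {
    cc_log=$(cat)        # buffer stdin so it can be scanned once per ID
    cc_missing=0
    for cc_id in "$@"; do
        # Accept only well-formed IDs before building a regex from them.
        if ! printf '%s\n' "$cc_id" | grep -Eqi '^CVE-[0-9]{4}-[0-9]{4,}$'; then
            printf 'INVALID  %s\n' "$cc_id"
            cc_missing=1
            continue
        fi
        cc_hit=$(printf '%s\n' "$cc_log" | awk -v id="$cc_id" '
            # Refuse a trailing digit so -0001 does not match inside -00012.
            BEGIN { pat = toupper(id) "([^0-9]|$)"; header = "(no entry header)" }
            /^\* / { header = $0; next }     # "* date packager - version" opens an entry
            !found && toupper($0) ~ pat { print header; found = 1 }
        ')
        if [ -n "$cc_hit" ]; then
            printf 'PATCHED  %s  %s\n' "$cc_id" "$cc_hit"
        else
            printf 'MISSING  %s\n' "$cc_id"
            cc_missing=1
        fi
    done
    return "$cc_missing"
}

# Constructed sample changelog; dates, versions and CVE IDs are placeholders.
sample_changelog() {
    cat <<'EOF'
* Mon Jan 01 1900 Example Packager <packager@example.invalid> - 4.95-2.example
- Backport fix for CVE-1900-00012
* Sun Dec 31 1899 Example Packager <packager@example.invalid> - 4.95-1.example
- Apply patch for cve-1900-0002
EOF
}

# Demo on the sample; on a real server pipe the rpm changelog in instead.
sample_changelog | check_cves CVE-1900-00012 CVE-1900-0001 || true
```

A plain `grep CVE-1900-0001` would report a hit here because the string is a prefix of `CVE-1900-00012`; the trailing-digit check avoids that false positive.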

monza

Ok, the latest CVE was listed in the patch list, so I guess this will work for now.
 