On 2011-01-19 at 13:50 +0100, Pascal Bourdais wrote:
> # exim -bV
> Exim version 4.68 #8 built 03-Sep-2009 09:01:10
There are known issues with that version. There have been security
notices from major vendors urging people to upgrade.
If you are not using a vendor's packages, but installing Exim yourself,
then you should subscribe to:
http://lists.exim.org/mailman/listinfo/exim-announce
Then you would have read both:
http://www.gossamer-threads.com/lists/exim/announce/89583
http://www.gossamer-threads.com/lists/exim/announce/89810
In short: there is a buffer overflow vulnerability in versions before
4.70, which was released in November 2009. This was discovered[*] in
December 2010, when 4.72 was current. 4.73 has since been released,
which additionally fixes the privilege escalation problem used in the
attacks to get from the Exim run-time user to the "root" account.
-Phil
[*] Where "discovered" means "revealed to be a problem to the Exim
maintainers, after a report of a compromise", so the underground
exploit community had known of this beforehand; probably by reading
the changelog which for 4.70 explicitly noted that a buffer overflow
issue had been fixed.
