[exim] Exim 4.74 imminent, security fix

Author: Phil Pennock
To: Exim Users
New-Topics: [exim] dynamically loaded lookups - was Re: Exim 4.74 imminent, security fix
Subject: [exim] Exim 4.74 imminent, security fix

I know, it's a Friday. Well, read on, you *should* be able to enjoy the
weekend still.

We're going to release Exim 4.74 shortly. It contains another security
fix, but one which should not be an issue *on its own*. This will be
for CVE-2011-0017.

The problem does not grant remote access. But, if an attacker can get
to run code as the Exim run-time user (as they could before 4.70), then
this is another way that they could escalate privileges to root.

Because there's no known way to get to the Exim run-time user, we're
treating this as serious but not critical. As such, we are including
other changes in this release, as we normally do. This includes fixes
to let /dev/null be used as a config file and other clean-ups there.

Also, this release includes changes to let lookups be dynamically loaded
by Exim, so that library dependencies can be constrained to .so files.
This is known to work on Linux and FreeBSD. This is primarily intended
for use by OS packagers, since if you're building your own Exim you
should know which libraries you need and it will be faster to not have
to repeatedly load modules.

While this dynamic module support is mostly the same as the patches
which have been used for some time by some OS packagers, there is an ABI
change, so modules from previous patched Exim builds will not work with
this, the first "official" support of dynamically loaded modules.