[exim-announce] Exim 4.74 Release

Author: Phil Pennock
Date:  
To: exim-announce
Subject: [exim-announce] Exim 4.74 Release
Exim release 4.74 is now available from the primary ftp site:
* ftp://ftp.exim.org/pub/exim/exim4/exim-4.74.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-4.74.tar.bz2
_________________________________________________________________

This is primarily a security and bug-fix release. While NewStuff
and ChangeLog contain full details and README.UPDATING should be read,
the most notable changes since 4.73 are:

 1. SECURITY FIX: CVE-2011-0017
       + Privilege escalation from exim run-time user to root
       + Linux-only
 2. Using 4.73 without defining WHITELIST_D_MACROS and running a
    daemon with a -D override would result in deliveries going
    unlogged.  Fixed to be robust in the face of this misconfiguration.
 3. Log rotation with 4.73 was problematic as Exim disliked that
    /dev/null was writeable.  Perhaps a little too paranoid.
 4. Support on some OSes for using dynamically loaded modules to
    implement most external lookups.  Intended for packagers, to
    reduce runtime linking dependencies on the main Exim binary,
    not for general purpose building.


There remain no known methods for an attacker to run code of their
choosing as the Exim run-time user in any release from 4.70 onwards.
In the event that such a method were discovered, then the ability
to leverage such access to gain root would turn such problems into a
remote root exploit.

_________________________________________________________________

The website has not yet been updated to reflect the 4.74 release;
we're working through some process issues to complete that. We
apologise for any inconvenience caused in the meantime.

The primary ftp server is in Cambridge, England. There is a list of
mirrors in:
* http://www.exim.org/mirmon/ftp_mirrors.html

The master ftp server is now ftp.exim.org.

The distribution files are signed with Phil Pennock's PGP key 0x3903637F
(uid pdp@???; signed by Nigel Metheringham's PGP key DDC03262).
This key should be available from all modern PGP keyservers. The
detached ASCII signature files are in the same directory as the
tarbundles. The SHA1 hashes for the distribution files are:

b981c2a519194d0812c88f07b441181737ca37ee exim-4.74.tar.bz2
6d927e8b1b7b72de8eb7b630eb2cf901f5935a1d exim-4.74.tar.gz
f2c918140815f710c2462e8f17dcec8fc325309d exim-html-4.74.tar.bz2
eb29352c3669e2ca6043e27189c5e39bf2b1acc4 exim-html-4.74.tar.gz
9c99aa854f62c8ebac13b005fce2fd8bf31ba1ab exim-pdf-4.74.tar.bz2
4cb7821e3a9a8d7bc9e083fc5ac0bc773789fdb2 exim-pdf-4.74.tar.gz
b891e6dd55f118549c42ab74d690104814c7d76a exim-postscript-4.74.tar.bz2
c0a87489a1ea990d9ca1e340ae01789af61717f3 exim-postscript-4.74.tar.gz

The distribution contains an ASCII copy of the 4.74 manual and
other documents. Other formats of the documentation are also
available:-
* ftp://ftp.exim.org/pub/exim/exim4/exim-html-4.74.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-pdf-4.74.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-postscript-4.74.tar.gz

The .bz2 versions of these tarbundles are also available.

The ChangeLog for this, and several previous releases, is included
in the distribution. Individual change log files are also available
on the ftp site, the current one being:-
* ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74
* ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74.gz

Brief documentation for new features is available in the NewStuff
file in the distribution. Individual NewStuff files are also
available on the ftp site, the current one being:-
* ftp://ftp.exim.org/pub/exim/ChangeLogs/NewStuff-4.74
* ftp://ftp.exim.org/pub/exim/ChangeLogs/NewStuff-4.74.gz
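
Added example, not part of the original announcement or the Exim distribution: one way to check downloaded files against a SHA1 list laid out like the one in the announcement (`<40 hex digits> <file name>` per line). The function names and the sample file names and contents are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One manifest entry: 40 hex digits, whitespace, optional '*' (binary mark), file name.
ENTRY = re.compile(r"([0-9a-fA-F]{40})\s+\*?(\S+)")

def parse_manifest(text):
    """Return {file name: lowercase SHA1 hex}; reject malformed or conflicting lines."""
    entries = {}
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = ENTRY.fullmatch(raw.strip())
        if not m:
            raise ValueError(f"line {n}: not a '<sha1> <file>' entry")
        digest, name = m.group(1).lower(), m.group(2)
        # The list is untrusted text: accept bare file names only, never paths.
        if "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError(f"line {n}: unexpected path in file name {name!r}")
        if entries.setdefault(name, digest) != digest:
            raise ValueError(f"line {n}: conflicting digests for {name}")
    return entries

def sha1_file(path, chunk=1 << 20):
    """Hash a file in chunks so large tarballs are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(manifest_text, directory):
    """Map every listed file to 'ok', 'mismatch' or 'missing'."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path, status = Path(directory) / name, "missing"
        if path.is_file():
            status = "ok" if hmac.compare_digest(sha1_file(path), expected) else "mismatch"
        results[name] = status
    return results

if __name__ == "__main__":
    # Constructed sample: a9993e... is SHA1("abc"), da39a3... is SHA1 of empty input.
    sample = ("a9993e364706816aba3e25717850c26c9cd0d89d sample-good.tar.gz\n"
              "a9993e364706816aba3e25717850c26c9cd0d89d sample-tampered.tar.gz\n"
              "da39a3ee5e6b4b0d3255bfef95601890afd80709 sample-absent.tar.gz\n")
    with tempfile.TemporaryDirectory() as d:
        Path(d, "sample-good.tar.gz").write_bytes(b"abc")
        Path(d, "sample-tampered.tar.gz").write_bytes(b"abd")
        print(verify(sample, d))
```

A matching SHA1 only shows that a file agrees with the list; the detached PGP signature mentioned in the announcement is what ties the file to the signer's key.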