[exim] Exim 4.76 RC1 uploaded - SECURITY

Top Page

Reply to this message
Author: Phil Pennock
To: exim-users, exim-dev
New-Topics: [exim] Exim 4.76 RC2 uploaded - SECURITY
Subject: [exim] Exim 4.76 RC1 uploaded - SECURITY
I have uploaded Exim 4.76 RC1 to:

I regret to inform you that 4.76 is a security-fix release, again. In
this case, CVE-2011-1764: a format string attack in logging DKIM
information from an inbound mail may permit anyone who can send you
email to cause code to be executed as the Exim run-time user. No
exploit is known to exist, but we do not believe that an experienced
attacker would find the exploit hard to construct.

ChangeLog can be found at:

This RC is expected to be released as 4.76 before Monday. If you are
unhappy with running an RC in production over the weekend, then this
patch should apply cleanly to 4.75:

Untar the 4.75 source, then download the patch above with:
curl -o 475format.patch http://git....
read/review and then apply with:
patch -p2 < 475format.patch
and then build Exim as normal.

For the 4.76 RC, the files are signed with the PGP key 0x3903637F, which
has a uid "Phil Pennock <pdp@???>". Please use your own discretion
in assessing what trust paths you might have to this uid. This email
should be signed with the same key, which should provide some
authentication for the above patching instructions and, because of git's
security model, some protection against tampering for the patch I've
suggested for download.

Please update the release candidate wiki page with your experiences
using 4.76 RC1: http://wiki.exim.org/EximVersion476RC

Note that as part of our work to improve Exim and protect against future
security issues, some changes were made to the code to pass gcc with
many more warnings enabled, and in some cases to compile with Clang.
There is a chance that these changes will cause compilation problems on
lesser-tested platforms, so even if you run with just the patch, please
do test compiling the RC on at least one host. These changes should
only affect compilation: if the code compiles, there should be no risk
of change to run-time behaviour.

This release will also fix two known SIGSEGVs and one SIGFPE, none of
which are believed to be security impacting.

Checksums below. Detached PGP signatures in .asc files.

Thank you for your patience, testing and feedback,
- -Phil Pennock, pp The Exim Maintainers.

SHA1(exim-4.76_RC1.tar.bz2)= e34cf92c16bfd380116947f8b21480da7d9e16a5
SHA1(exim-4.76_RC1.tar.gz)= 6810f2fa289b3813811d383c0217f47f55d9b9f8
SHA1(exim-html-4.76_RC1.tar.bz2)= 8706faed5f033dfc9a73bc3a0741e98171a74828
SHA1(exim-html-4.76_RC1.tar.gz)= 02d99e9912620d413ac582b0cbd18bf6cde4ccdd
SHA1(exim-pdf-4.76_RC1.tar.bz2)= e4c6d30ee99cb2a15c938f851634f5891b34c656
SHA1(exim-pdf-4.76_RC1.tar.gz)= 59ad174a4bcf8c28e8c7c5008ce29de220ec9874
SHA1(exim-postscript-4.76_RC1.tar.bz2)= c36e500042db107a4ab93694a850a024595fd810
SHA1(exim-postscript-4.76_RC1.tar.gz)= 2d72144a81725f419438959a6e9c3e4976865063

SHA256(exim-4.76_RC1.tar.bz2)= 657272dacf15b45b5033e503021e1168054c2f460666b7dee7f01308bc90a326
SHA256(exim-4.76_RC1.tar.gz)= a12097e4917606abbadf426241d7a81a6b527eac9d67994f7ed3fd49a97a9e88
SHA256(exim-html-4.76_RC1.tar.bz2)= c655d70428d7e04ed751452b97757b208a8341c8ae4897825e07eb86e3e4ac3b
SHA256(exim-html-4.76_RC1.tar.gz)= 032496b365dce95a36eebba9899904b02c5d8e6014928c46a0dfcc7a6ec8802e
SHA256(exim-pdf-4.76_RC1.tar.bz2)= 3305c7eb9c8bbe783e466b81cfed03554c7d02c8e4816234d271750645a84115
SHA256(exim-pdf-4.76_RC1.tar.gz)= 0c7291985a98fb2e9f666f13170d102a1d4f913941fd48f76cf8bb6fb80bea5e
SHA256(exim-postscript-4.76_RC1.tar.bz2)= 6411e520faa089fea8620425cb86c5627be4ef648320bb6f89e44a303ee2389d
SHA256(exim-postscript-4.76_RC1.tar.gz)= 9dc62412fb6f3537c9ee164856b15150c293eec17b8d3251b014c87c3684cf54