This is a SECURITY release: Exim versions 4.70 up to and including 4.75
contained a security hole (format string attack) permitting remote
execution of arbitrary code as the Exim run-time user. This is
CVE-2011-1764. There is also another, lesser security issue. Both lie
in the DKIM code and mitigation techniques are described below.
Note that as part of our work to improve Exim and protect against future
security issues, some changes were made to the code to pass gcc with
many more warnings enabled, and in some cases to compile with Clang.
Although feedback so far has been positive, there remains a chance that
these changes will cause compilation problems on lesser-tested
platforms; please raise any issues encountered on the exim-users
The distribution files are signed with Phil Pennock's PGP key 0x3903637F
(uid pdp@???; signed by Nigel Metheringham's PGP key DDC03262).
This key should be available from all modern PGP keyservers. Please use
your own discretion in assessing what trust paths you might have to this
uid; the "Release verification" section of the experimental Release
Policy might be of assistance:
The detached ASCII signature files are in the same directory as the
tarbundles. The SHA1 and SHA256 hashes for the distribution files are at
the end of this email.
Disabling DKIM verification will avoid the security issues. This
can be done without recompilation by adding to the start of your
RCPT ACL the line:
warn control = dkim_disable_verify
In addition, not defining an ACL for acl_smtp_dkim will avoid the lesser
security issue, which permits a crafted DKIM identity to cause matching
to be performed against lookup items, not just strings. I believe that
the results will not be included in an email or non-debug logs, so this
results in attacker-controlled file-system access, tripping IDS systems
but not offering an avenue of attack.
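Putting both mitigations together in a minimal configuration, as an added illustration that is not part of this announcement or of the Exim distribution; the ACL name acl_check_rcpt and the domain and host list names are assumed, so adapt them to your own file:

```exim
# --- main configuration section ---
domainlist local_domains    = @ : example.com      # assumed sample values
domainlist relay_to_domains = example.net
hostlist   relay_from_hosts = 127.0.0.1 : ::1

acl_smtp_rcpt = acl_check_rcpt

# Mitigation 2: leave acl_smtp_dkim undefined on 4.70-4.75, so the
# lesser issue (lookup matching on a crafted DKIM identity) is never reached.
# acl_smtp_dkim = acl_check_dkim

begin acl

acl_check_rcpt:
  # Mitigation 1: first statement of the RCPT ACL, before any accept/deny,
  # so the DKIM verification code is switched off for the whole message.
  warn    control = dkim_disable_verify

  accept  hosts = :

  accept  domains = +local_domains
          endpass
          verify = recipient

  accept  domains = +relay_to_domains
          endpass
          verify = recipient

  accept  hosts = +relay_from_hosts

  accept  authenticated = *

  deny    message = relay not permitted
```

Re-enable DKIM verification (drop the warn line and restore acl_smtp_dkim if you use one) only after upgrading to 4.76.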
Our quick fix for the latter issue does have the side-effect of falsely
rejecting some (unusual) DKIM signatures, which we do not believe will
have any material impact in the real world. We'll work on a more
forgiving solution for a future release.