[exim-announce] Exim 4.76 Release

Author: Phil Pennock
Date:  
To: exim-announce
New-Topics: [exim-announce] Exim 4.76 Release: updated impact assessment
Subject: [exim-announce] Exim 4.76 Release
Exim release 4.76 is now available from the primary ftp site:
* ftp://ftp.exim.org/pub/exim/exim4/exim-4.76.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-4.76.tar.bz2
_________________________________________________________________

This is a SECURITY release: Exim versions 4.70 up to and including 4.75
contained a security hole (format string attack) permitting remote
execution of arbitrary code as the Exim run-time user. This is
CVE-2011-1764. There is also another, lesser security issue. Both lie
in the DKIM code and mitigation techniques are described below.

Note that as part of our work to improve Exim and protect against future
security issues, some changes were made to the code to pass gcc with
many more warnings enabled, and in some cases to compile with Clang.
Although feedback so far has been positive, there remains a chance that
these changes will cause compilation problems on lesser-tested
platforms; please raise any issues encountered on the exim-users
mailing-list.

_________________________________________________________________

The primary ftp server is in Cambridge, England. There is a list of
mirrors in:
* http://www.exim.org/mirmon/ftp_mirrors.html

The master ftp server is ftp.exim.org.

The distribution files are signed with Phil Pennock's PGP key 0x3903637F
(uid pdp@???; signed by Nigel Metheringham's PGP key DDC03262).
This key should be available from all modern PGP keyservers. Please use
your own discretion in assessing what trust paths you might have to this
uid; the "Release verification" section of the experimental Release
Policy might be of assistance:
* http://wiki.exim.org/EximReleasePolicyProposedDraft

The detached ASCII signature files are in the same directory as the
tarbundles. The SHA1 and SHA256 hashes for the distribution files are at
the end of this email.

The distribution contains an ASCII copy of the 4.76 manual and
other documents. Other formats of the documentation are also
available:-
* ftp://ftp.exim.org/pub/exim/exim4/exim-html-4.76.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-pdf-4.76.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-postscript-4.76.tar.gz

The .bz2 versions of these tarbundles are also available.

The ChangeLog for this, and several previous releases, is included
in the distribution. Individual change log files are also available
on the ftp site, the current one being:-
* ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.76
* ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.76.gz

Brief documentation for new features is available in the NewStuff
file in the distribution. Individual NewStuff files are also
available on the ftp site, the current one being:-
* ftp://ftp.exim.org/pub/exim/ChangeLogs/NewStuff-4.76
* ftp://ftp.exim.org/pub/exim/ChangeLogs/NewStuff-4.76.gz

_________________________________________________________________

Security notes for 4.75:

Disabling DKIM verification will avoid the security issues. This
can be done without recompilation by adding to the start of your
RCPT ACL the line:
  warn control = dkim_disable_verify

In addition, not defining an ACL for acl_smtp_dkim will avoid the lesser
security issue, which permits a crafted DKIM identity to cause matching
to be performed against lookup items, not just strings. I believe that
the results will not be included in an email or non-debug logs, so this
results in attacker-controlled file-system access, tripping IDS systems
but not offering an avenue of attack.

Our quick fix for the latter issue does have the side-effect of falsely
rejecting some (unusual) DKIM signatures, which we do not believe will
have any material impact in the real world. We'll work on a more
forgiving solution for a future release.
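As an added example (not code from the announcement or from the Exim project), the following POSIX shell snippet turns the two facts above into a check an administrator can run: it classifies a host from the banner `exim -bV` prints (affected range 4.70 up to and including 4.75, fixed from 4.76) and looks for the `dkim_disable_verify` workaround line in the RCPT ACL text. The sample banner and ACL are constructed; the `exim -bV` banner format is assumed to start with "Exim version X.YY".

```shell
# Added example, not from the announcement or the Exim project: given the
# banner "exim -bV" prints and the RCPT ACL text, report whether a host is
# in the affected range (4.70 up to and including 4.75) and whether the
# dkim_disable_verify workaround from the announcement is in place.

# Extract "4.75" from "Exim version 4.75 #1 built 03-May-2011 ..."; a
# release-candidate suffix such as 4.76_RC1 reduces to 4.76.
exim_version_from_bv() {
    printf '%s\n' "$1" |
        sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify a version for CVE-2011-1764: 4.70..4.75 affected, 4.76+ fixed.
dkim_status_for_version() {
    code=$(( ${1%%.*} * 100 + ${1#*.} ))
    if [ "$code" -ge 476 ]; then echo fixed
    elif [ "$code" -ge 470 ]; then echo affected
    else echo unaffected
    fi
}

# True when the ACL text has an active (not commented-out) line
# "control = dkim_disable_verify", on the "warn" line or the line after it.
rcpt_acl_has_dkim_workaround() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*(warn[[:space:]]+)?control[[:space:]]*=[[:space:]]*dkim_disable_verify([[:space:]]|$)'
}

# Constructed sample input standing in for a real host.
SAMPLE_BANNER='Exim version 4.75 #1 built 03-May-2011 12:00:00'
SAMPLE_RCPT_ACL='acl_check_rcpt:
  warn control = dkim_disable_verify
  accept hosts = +relay_from_hosts'

v=$(exim_version_from_bv "$SAMPLE_BANNER")
echo "sample host runs exim $v: $(dkim_status_for_version "$v")"
if rcpt_acl_has_dkim_workaround "$SAMPLE_RCPT_ACL"; then
    echo "RCPT ACL disables DKIM verification (workaround present)"
else
    echo "RCPT ACL does not disable DKIM verification: upgrade to 4.76"
fi

# On a live host (only when an exim binary is on PATH) use the real banner.
if command -v exim >/dev/null 2>&1; then
    live=$(exim_version_from_bv "$(exim -bV 2>/dev/null | head -n 1)")
    if [ -n "$live" ]; then
        echo "this host runs exim $live: $(dkim_status_for_version "$live")"
    fi
fi
```

The workaround check only inspects the RCPT ACL text you pass in; the lesser issue is avoided separately by leaving acl_smtp_dkim undefined, as described above.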

_________________________________________________________________

Release Checksums


-Phil Pennock, pp The Exim Maintainers.