[exim-announce] Exim 4.76 Release: updated impact assessment

Author: Phil Pennock
To: exim-announce
Old-Topics: [exim-announce] Exim 4.76 Release
Subject: [exim-announce] Exim 4.76 Release: updated impact assessment

On 2011-05-09 at 05:16 -0400, Phil Pennock wrote:
> This is a SECURITY release: Exim versions 4.70 up to and including 4.75
> contained a security hole (format string attack) permitting remote
> execution of arbitrary code as the Exim run-time user. This is
> CVE-2011-1764. There is also another, lesser security issue. Both lie
> in the DKIM code and mitigation techniques are described below.

Further analysis revealed that the second security issue was more severe than
I realised at the time that I wrote the announcement. The second
security issue has been assigned CVE-2011-1407 and is also a remote code
execution flaw. For clarity: both issues were introduced with 4.70.

If you have already updated to Exim 4.76, then no further action is
required. If you are running 4.76 RC1, or have cherry-picked patches
back to your release, then please either update or start hunting some
fresh cherries.

> Note that as part of our work to improve Exim and protect against future
> security issues, some changes were made to the code to pass gcc with
> many more warnings enabled, and in some cases to compile with Clang.
> Although feedback so far has been positive, there remains a chance that
> these changes will cause compilation problems on lesser-tested
> platforms; please raise any issues encountered on the exim-users
> mailing-list.

Users of HP-UX will wish to apply the patch available at:

-Phil