Exim release 4.80.1 is now available from the primary ftp site:
This is a SECURITY release, addressing a CRITICAL remote code execution
flaw in versions of Exim between 4.70 and 4.80 inclusive, when built
with DKIM support (the default). This release is identical to 4.80
except for the small changes needed to plug the security hole. The next
release of Exim will, eventually, be 4.82, which will include the many
improvements we've made since 4.80, but which will require the normal
release candidate baking process before release.
You are not vulnerable if you built Exim with DISABLE_DKIM or if you
put this at the start of an ACL plumbed into acl_smtp_connect or
warn control = dkim_disable_verify
I apologise for the impact of releasing this on a Friday. I do not
consider there to be an acceptable alternative. This issue, which is
known by the CVE ID of CVE-2012-5671, was found during internal code
review of an area of the Exim codebase relevant to another issue, DKIM
signing and verification, which has been the subject of US-CERT
VU#268267 and Common Weakness identifiers CWE-347 and CWE-326. As such,
I expect that this area of code in various MTAs will be studied by many
security conscious people around about now, so there is a significant
risk that someone unfriendly has also discovered this, concurrently to
our finding it. We discovered the issue on Wednesday, gave Thursday for
the OS packagers to get emergency packages prepared, and are releasing
on the next available work day.
This is why we have made the smallest feasible changes to prevent
exploit: we want this change to be as safe as possible to expedite into
production. This security vulnerability can be exploited by anyone who
can send email from a domain for which they control the DNS. The class
of attack is known as a "heap-based buffer overflow"; your OS might be
built with protections to mitigate against these attacks.
To avoid confusion between "4.80.1" and "4.81", we will skip the "4.81"
version number and the next release will be "4.82".
I'd like to thank my employer, Apcera Inc, for supporting my commitment
to the Exim community.
The primary ftp server is in Cambridge, England. There is a list of
The master ftp server is ftp.exim.org
The distribution files are signed with Phil Pennock's PGP key
0x403043153903637F (uid pdp@???; signed by Nigel Metheringham's PGP key
0x85AB833FDDC03262). This key should be available from all modern PGP
keyservers. Please use your own discretion in assessing what trust paths you
might have to this uid; the "Release verification" section of the Release
Policy might be of assistance:
The detached ASCII signature files are in the same directory as the
tarbundles. The SHA1 and SHA256 hashes for the distribution files are at
the end of this email. This shall likely be the last release
announcement to include SHA1 hashes.
The distribution contains an ASCII copy of the 4.80.1 manual and
other documents. Other formats of the documentation are also
The .bz2 versions of these tarbundles are also available.
We know that the security details for verifying releases, in the
documentation is out of date, and has been for the past few releases.
This has been fixed for 4.82.
The ChangeLog for this, and several previous releases, is included
in the distribution. Individual change log files are also available
on the ftp site, the current one being:-
There are no new features, thus no NewStuff-4.80.1 file.
- -Phil Pennock, pp The Exim Maintainers.