[exim-announce] Exim 4.80.1 Security Release

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: exim-announce
Subject: [exim-announce] Exim 4.80.1 Security Release
Exim release 4.80.1 is now available from the primary ftp site:
* ftp://ftp.exim.org/pub/exim/exim4/exim-4.80.1.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-4.80.1.tar.bz2
_________________________________________________________________

This is a SECURITY release, addressing a CRITICAL remote code execution
flaw in versions of Exim between 4.70 and 4.80 inclusive, when built
with DKIM support (the default). This release is identical to 4.80
except for the small changes needed to plug the security hole. The next
release of Exim will, eventually, be 4.82, which will include the many
improvements we've made since 4.80, but which will require the normal
release candidate baking process before release.

You are not vulnerable if you built Exim with DISABLE_DKIM or if you
put this at the start of an ACL plumbed into acl_smtp_connect or
acl_smtp_rcpt:

warn control = dkim_disable_verify

I apologise for the impact of releasing this on a Friday. I do not
consider there to be an acceptable alternative. This issue, which is
known by the CVE ID of CVE-2012-5671, was found during internal code
review of an area of the Exim codebase relevant to another issue, DKIM
signing and verification, which has been the subject of US-CERT
VU#268267 and Common Weakness identifiers CWE-347 and CWE-326. As such,
I expect that this area of code in various MTAs will be studied by many
security conscious people around about now, so there is a significant
risk that someone unfriendly has also discovered this, concurrently to
our finding it. We discovered the issue on Wednesday, gave Thursday for
the OS packagers to get emergency packages prepared, and are releasing
on the next available work day.

This is why we have made the smallest feasible changes to prevent
exploit: we want this change to be as safe as possible to expedite into
production. This security vulnerability can be exploited by anyone who
can send email from a domain for which they control the DNS. The class
of attack is known as a "heap-based buffer overflow"; your OS might be
built with protections to mitigate against these attacks.

To avoid confusion between "4.80.1" and "4.81", we will skip the "4.81"
version number and the next release will be "4.82".

I'd like to thank my employer, Apcera Inc, for supporting my commitment
to the Exim community.
_________________________________________________________________

The primary ftp server is in Cambridge, England. There is a list of
mirrors in:
* http://www.exim.org/mirmon/ftp_mirrors.html

The master ftp server is ftp.exim.org.

The distribution files are signed with Phil Pennock's PGP key
0x403043153903637F (uid pdp@???; signed by Nigel Metheringham's PGP key
0x85AB833FDDC03262). This key should be available from all modern PGP
keyservers. Please use your own discretion in assessing what trust paths you
might have to this uid; the "Release verification" section of the Release
Policy might be of assistance:
* http://wiki.exim.org/EximReleasePolicy

The detached ASCII signature files are in the same directory as the
tarbundles. The SHA1 and SHA256 hashes for the distribution files are at
the end of this email. This shall likely be the last release
announcement to include SHA1 hashes.

The distribution contains an ASCII copy of the 4.80.1 manual and
other documents. Other formats of the documentation are also
available:-
* ftp://ftp.exim.org/pub/exim/exim4/exim-html-4.80.1.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-pdf-4.80.1.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-postscript-4.80.1.tar.gz

The .bz2 versions of these tarbundles are also available.

We know that the security details for verifying releases, in the
documentation is out of date, and has been for the past few releases.
This has been fixed for 4.82.

The ChangeLog for this, and several previous releases, is included
in the distribution. Individual change log files are also available
on the ftp site, the current one being:-
* ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.80.1
* ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.80.1.gz

There are no new features, thus no NewStuff-4.80.1 file.
_________________________________________________________________

Release Checksums

SHA256:
9565b10f06be224fd03adafae2e07e6fdbb479f8873e3894ddb13f98eeebe78f exim-4.80.1.tar.bz2
2cac05ce27a5d5b409ce5657957047233d36f9396d0203d240a5b7aed2a969de exim-4.80.1.tar.gz
206ef4acc2641f10f3f23f8ee97cd1f7125486938ea1fc231ac2a1d5d6c9be09 exim-html-4.80.1.tar.bz2
0286d02f85e0a9a4a00d7bc74b6378c36181f5bb2500969039593d336cb142d7 exim-html-4.80.1.tar.gz
d65cec38449432db60b090a82c688dd65d40c6b0c64953fbe4d3b765a2c74aee exim-pdf-4.80.1.tar.bz2
c2ed7d6ecce24631ac0a92894af09e1cdc90b7ba61f03a91a34d40f7dd762a1f exim-pdf-4.80.1.tar.gz
3c656be9196b94be96bcf1e775e7138bfcd49843acec0e0b16923f114ca26c2b exim-postscript-4.80.1.tar.bz2
1f0dc4daca46f59c7c52d90ff10cb635509be5f6f1bbb793ee05745e29fcbfa9 exim-postscript-4.80.1.tar.gz

SHA1:
714e40d440641050a1d9946cd937aad0d1a6b746 exim-4.80.1.tar.bz2
eeb6d1e4c7c1dc0e4de55ba61316718e44d810b3 exim-4.80.1.tar.gz
d23ec94c23228a1f540d8343c6c2c5f1833b0dd0 exim-html-4.80.1.tar.bz2
49b2f226f1355a11ba4d193a06a84f6a3dce3003 exim-html-4.80.1.tar.gz
e24304f9f087faf79e22b8ca8b3e27154c7e4cc9 exim-pdf-4.80.1.tar.bz2
86594290072917649f165270ad61399aaf0c9c72 exim-pdf-4.80.1.tar.gz
ffdc6a08093c4ec9f26bce24d3f16b5cf91f5454 exim-postscript-4.80.1.tar.bz2
d9c5951b7b415e09146d594fda864725096f596d exim-postscript-4.80.1.tar.gz

- -Phil Pennock, pp The Exim Maintainers.