Folks,
During internal code review on Wednesday, I uncovered a remote code
execution hole in Exim, affecting releases 4.70 to 4.80, in the DKIM
handling. This can be triggered by anyone who can send you email from a
domain for which they control the DNS, and gets them the Exim run-time
user.
Thanks to a certain Wired article, I decided this area of the codebase
(of many MTAs) would be likely to be reviewed by more than just me, so
it would be sheer hubris to hope that this remained undiscovered by
blackhats.
So Exim 4.80.1 has been cut, which has no new features, none of the
other changes, and is "4.80 plus security fix"; the patch and
notification were available to vendors from late Wednesday, and I sucked
it up and accepted that I would be deeply unpopular with a Friday
release, after the vendors had Thursday to prep.
At 8am UTC, I released Exim 4.80.1. The patch should apply cleanly to
any affected version of Exim, so your vendor should have a clean patch
for you.
For those who build/maintain their own Exim releases, but have not kept
up-to-date on Exim and are not ready to move to 4.80/4.80.1, you will
wish to study:
http://git.exim.org/exim.git/commit/4263f395efd136dece52d765dfcff3c96f17506e
Regards,
-Phil
