Re: [exim] Exim 4.80.1 security release - details

Top Page
This message is part of the following thread:
M+-+--+\the complete thread tree sorted by date
MM.M-\MMCyborg at <-
MM\M\M.MPhil Pennock at ->
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: Marius Stan
CC: exim-users
Subject: Re: [exim] Exim 4.80.1 security release - details
On 2012-10-26 at 11:45 +0300, Marius Stan wrote:
> On 26.10.2012 11:35, Phil Pennock wrote:
> > During internal code review on Wednesday, I uncovered a remote code
> > execution hole in Exim, affecting releases 4.70 to 4.80, in the DKIM
> > handling. This can be triggered by anyone who can send you email from a
> > domain for which they control the DNS, and gets them the Exim run-time
> > user.
> Hi Phil,
> If an existing exim instalation doesn't verify received DKIMs is it
> still vulnerable ?

Be careful: "verify DKIM on received mails" is *not* the same as "has
defined a DKIM ACL".

If Exim was built normally (without DISABLE_DKIM) then the DKIM logic is
present. Then, even if you don't define a DKIM ACL, Exim does
verification anyway for inbound mails, to set various needed variables.

*IF* you have:

warn control = dkim_disable_verify

at the start of an ACL which has been plumbed into acl_smtp_connect or
acl_smtp_rcpt, then you are safe.

If you do not explicitly set the dkim_disable_verify control, then you
are vulnerable.

Regards,
- -Phil

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Exim 4.80.1 security release - detailsRe: [exim] Exim 4.80.1 security release - details->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)