著者: Phil Pennock 日付: To: Marius Stan CC: exim-users 題目: Re: [exim] Exim 4.80.1 security release - details
On 2012-10-26 at 11:45 +0300, Marius Stan wrote: > On 26.10.2012 11:35, Phil Pennock wrote:
> > During internal code review on Wednesday, I uncovered a remote code
> > execution hole in Exim, affecting releases 4.70 to 4.80, in the DKIM
> > handling. This can be triggered by anyone who can send you email from a
> > domain for which they control the DNS, and gets them the Exim run-time
> > user.
> Hi Phil,
> If an existing exim instalation doesn't verify received DKIMs is it
> still vulnerable ?
Be careful: "verify DKIM on received mails" is *not* the same as "has
defined a DKIM ACL".
If Exim was built normally (without DISABLE_DKIM) then the DKIM logic is
present. Then, even if you don't define a DKIM ACL, Exim does
verification anyway for inbound mails, to set various needed variables.
*IF* you have:
warn control = dkim_disable_verify
at the start of an ACL which has been plumbed into acl_smtp_connect or
acl_smtp_rcpt, then you are safe.
If you do not explicitly set the dkim_disable_verify control, then you
are vulnerable.