Re: [exim] Exim 4.80.1 security release - details

Top Page
Delete this message
Reply to this message
Author: Chris Gerhard
Date:  
To: exim-users
New-Topics: Re: [exim] Exim 4.80.1 security release - details - regarding fedora
Subject: Re: [exim] Exim 4.80.1 security release - details
Thank you Phil,

To build this on OpenIndiana (and I would assume Solaris) apart from the
usual changes to the Local/Makefile I had to modify one file which
expected /bin/sh to be a bash like shell.

*** scripts/lookups-Makefile.orig    Fri Oct 26 14:06:47 2012
--- scripts/lookups-Makefile    Fri Oct 26 13:37:32 2012
***************
*** 1,4 ****
--- 1,5 ----
   #! /bin/sh
+ alias local=typeset


# We turn the configure-built build-$foo/lookups/Makefile.predynamic
into Makefile

Without this you get errors of the form:

`Makefile' is up to date.

Missing CFLAGS_DYNAMIC inhibits building dynamic module lookup
../scripts/lookups-Makefile[86]: local: not found [No such file or
directory]
../scripts/lookups-Makefile[87]: local: not found [No such file or
directory]
../scripts/lookups-Makefile[65]: local: not found [No such file or
directory]
../scripts/lookups-Makefile[66]: local: not found [No such file or
directory]
Inhibited dynamic modules prevents building dynamic
*** Error code 1
The following command caused the error:
cd build-${build:-`/usr/bin/bash scripts/os-type`-`/usr/bin/bash
scripts/arch-type`}; \
build= /usr/bin/bash ../scripts/Configure-Makefile; \
/usr/bin/bash ../scripts/lookups-Makefile
make: Fatal error: Command failed for target `configure'


On 10/26/12 09:35, Phil Pennock wrote:
> Folks,
>
> During internal code review on Wednesday, I uncovered a remote code
> execution hole in Exim, affecting releases 4.70 to 4.80, in the DKIM
> handling. This can be triggered by anyone who can send you email from a
> domain for which they control the DNS, and gets them the Exim run-time
> user.
>
> Thanks to a certain Wired article, I decided this area of the codebase
> (of many MTAs) would be likely to be reviewed by more than just me, so
> it would be sheer hubris to hope that this remained undiscovered by
> blackhats.
>
> So Exim 4.80.1 has been cut, which has no new features, none of the
> other changes, and is "4.80 plus security fix"; the patch and
> notification were available to vendors from late Wednesday, and I sucked
> it up and accepted that I would be deeply unpopular with a Friday
> release, after the vendors had Thursday to prep.
>
> At 8am UTC, I released Exim 4.80.1. The patch should apply cleanly to
> any affected version of Exim, so your vendor should have a clean patch
> for you.
>
> For those who build/maintain their own Exim releases, but have not kept
> up-to-date on Exim and are not ready to move to 4.80/4.80.1, you will
> wish to study:
>
>    http://git.exim.org/exim.git/commit/4263f395efd136dece52d765dfcff3c96f17506e

>
> Regards,
> -Phil
>