Re: [exim] Exim 4.80.1 security release - details

Author: The Doctor
Date:  
To: exim-users
Subject: Re: [exim] Exim 4.80.1 security release - details
On Fri, Oct 26, 2012 at 04:35:48AM -0400, Phil Pennock wrote:
> Folks,
>
> During internal code review on Wednesday, I uncovered a remote code
> execution hole in Exim, affecting releases 4.70 to 4.80, in the DKIM
> handling. This can be triggered by anyone who can send you email from a
> domain for which they control the DNS, and gets them the Exim run-time
> user.
>
> Thanks to a certain Wired article, I decided this area of the codebase
> (of many MTAs) would be likely to be reviewed by more than just me, so
> it would be sheer hubris to hope that this remained undiscovered by
> blackhats.
>
> So Exim 4.80.1 has been cut, which has no new features, none of the
> other changes, and is "4.80 plus security fix"; the patch and
> notification were available to vendors from late Wednesday, and I sucked
> it up and accepted that I would be deeply unpopular with a Friday
> release, after the vendors had Thursday to prep.
>
> At 8am UTC, I released Exim 4.80.1. The patch should apply cleanly to
> any affected version of Exim, so your vendor should have a clean patch
> for you.
>
> For those who build/maintain their own Exim releases, but have not kept
> up-to-date on Exim and are not ready to move to 4.80/4.80.1, you will
> wish to study:
>
> http://git.exim.org/exim.git/commit/4263f395efd136dece52d765dfcff3c96f17506e
>
> Regards,
> -Phil
>
Phil, when will exim.org be up?

I notice problems getting to the site.

> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/


-- 
Member - Liberal International    This is doctor@??? Ici doctor@???
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k
USA petition to dissolve the Republic and vote to dissolve it in November 2012