Re: [exim] Exim 4.80.1 security release - details

Top Page
Delete this message
Reply to this message
Author: Mike Ridgers
Date:  
To: 'Exim-users'
Subject: Re: [exim] Exim 4.80.1 security release - details
Dear all,
Further to my last message I will attempt to distil my question as much as possible as I think it was perhaps not very clear what I was asking:

As per below solution to the recently disclosed critical vulnerability in Exim:
https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html

Quote:
"put this at the start of an ACL plumbed into acl_smtp_connect or acl_smtp_rcpt:
warn control = dkim_disable_verify"

My questions:
1. Does adding the 'warn control = dkim_disable_verify' under the 'acl_check_rcpt:' line negate the need to have 'control = dkim_disable_verify' stated separately against each 'accept' in the ACL below it as below ?
2. From the config below can anyone see if I'm still vulnerable to this very serious vulnerability - I have many critical servers running Exim & am very concerned that they are vulnerable.

--------------------------------
acl_check_rcpt:
        warn control = dkim_disable_verify
  accept  hosts = :
          control = dkim_disable_verify    
deny    message       = Restricted characters in address
          domains       = +local_domains : +relay_to_domains
          local_parts   = ^[.] : ^.*[@%!/|]
deny    message       = Restricted characters in address
          domains       = !+local_domains : !+relay_to_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
require verify        = sender
accept  hosts         = +relay_from_hosts
          control       = submission
          control       = dkim_disable_verify
accept  authenticated = *
          control       = submission
          control       = dkim_disable_verify
require message = relay not permitted
          domains = +local_domains : +relay_to_domains
require verify = recipient
accept
--------------------------


Regards,
Mike.


On 2012-12-03 01:21, Phil Pennock wrote:
> On 2012-12-02 at 18:33 +0000, Jeremy Harris wrote:
> > On 10/26/2012 09:35 AM, Phil Pennock wrote:
> > > [...] a remote code
> > > execution hole in Exim, affecting releases 4.70 to 4.80, in the DKIM
> > > handling. This can be triggered by anyone who can send you email from a
> > > domain for which they control the DNS, and gets them the Exim run-time
> > > user.
> >
> > Should this be added to https://github.com/Exim/exim/wiki/EximSecurity ?
>
> Er, yes. Done.
>
> Also, updated https://github.com/Exim/exim/wiki/EximRelease so that this
> doesn't get skipped in future.
>
> Thanks,
> -Phil
>
>