[exim] Exim 4.82.1 Security Release

Author: Todd Lyons
Date:  
To: Exim Dev, Exim Users, Exim Announce
Subject: [exim] Exim 4.82.1 Security Release
Exim release 4.82.1 is now available from the primary ftp site:
* ftp://ftp.exim.org/pub/exim/exim4/exim-4.82.1.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-4.82.1.tar.bz2
_________________________________________________________________

This is a SECURITY release, addressing a CRITICAL remote code execution
flaw in Exim version 4.82 (only) when built with DMARC support (an
experimental feature, not on by default). This release is identical to
4.82 except for the small change needed to plug the security hole. The
next release of Exim will, eventually, be 4.83, which will include the
many improvements we've made since 4.82, but which will require the
normal release candidate baking process before release.

You are not vulnerable unless you built Exim with EXPERIMENTAL_DMARC.
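As an added illustration (not part of this announcement or the Exim project's own tooling), here is a small shell check that reads the output of `exim -bV` and reports whether a build falls in the affected set described above: version 4.82 exactly, built with EXPERIMENTAL_DMARC. It assumes the DMARC support shows up as a token containing "DMARC" on the "Support for:" line, so that token is matched case-insensitively; the sample outputs below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Classify an 'exim -bV' transcript for CVE-2014-2957 exposure.
# Affected: version is exactly 4.82 AND the "Support for:" line carries a
# DMARC token (the exact token text is an assumption, hence the -i match).
# Prints affected / not-affected / unknown; returns 0 / 1 / 2 respectively.
assess_exim_bv() {
    bv="$1"
    # First line of real output reads "Exim version 4.82 #1 built ..."
    version=$(printf '%s\n' "$bv" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    support=$(printf '%s\n' "$bv" | grep -i '^Support for:' | head -n 1)
    if [ -z "$version" ]; then
        echo "unknown"
        return 2
    fi
    if [ "$version" = "4.82" ] && printf '%s\n' "$support" | grep -qi 'DMARC'; then
        echo "affected"
        return 0
    fi
    echo "not-affected"
    return 1
}

# Constructed sample transcripts (not real hosts).
SAMPLE_VULN='Exim version 4.82 #1 built 04-Feb-2014 12:00:00
Copyright (c) University of Cambridge, 1995 - 2012
Support for: crypteq iconv() IPv6 DKIM Experimental_DMARC
Configuration file is /etc/exim/exim.conf'

SAMPLE_FIXED='Exim version 4.82.1 #1 built 05-Jun-2014 10:00:00
Support for: crypteq iconv() IPv6 DKIM Experimental_DMARC'

SAMPLE_NODMARC='Exim version 4.82 #1 built 04-Feb-2014 12:00:00
Support for: crypteq iconv() IPv6 DKIM'

# On a live host: assess_exim_bv "$(exim -bV 2>/dev/null)"
```

A 4.82 build without the DMARC token and a 4.82.1 build with it are both reported as not affected, matching the scope stated in this announcement.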

This issue is known by the CVE ID CVE-2014-2957. It was reported
directly to the Exim development team by a company which uses Exim for
its mail server. An Exim developer constructed a small patch which
altered the way the contents of the From header are parsed by converting
it to use safer and better internal functions. It was applied and
tested on a production server for correctness. We were notified of the
vulnerability Friday night, created a patch on Saturday, applied and
tested it on Sunday, notified OS packagers on Monday/Tuesday, and are
releasing on the next available work day, which is Wednesday.

This is why we have made the smallest feasible changes to prevent
exploitation: we want this change to be as safe as possible to expedite
into production (if the packages were built with DMARC).

_________________________________________________________________

The primary ftp server is in Cambridge, England. There is a list of
mirrors in:
* http://www.exim.org/mirmon/ftp_mirrors.html

The master ftp server is ftp.exim.org, which is also accessible at
http://ftp.exim.org.

The distribution files are signed with Todd Lyons' PGP key
0xC4F4F94804D29EBA (uid tlyons@??? with a strong relationship to
prior release engineer Phil Pennock's PGP key 0x403043153903637F). This
key should be available from all modern PGP keyservers. Please use your
own discretion in assessing what trust paths you might have to this uid;
the "Release verification" section of the Release Policy might be of
assistance:

* http://wiki.exim.org/EximReleasePolicy

The detached ASCII signature files are in the same directory as the
tarbundles. The SHA256 hashes for the distribution files are at the end
of this email.

The distribution contains an ASCII copy of the 4.82.1 manual and
other documents. Other formats of the documentation are also
available:
* ftp://ftp.exim.org/pub/exim/exim4/exim-html-4.82.1.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-pdf-4.82.1.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-postscript-4.82.1.tar.gz

The .bz2 versions of these tarbundles are also available.

The only change is this bugfix, thus no ChangeLog-4.82.1 file.
There are no new features, thus no NewStuff-4.82.1 file.

_________________________________________________________________

Release Checksums

SHA256:


-- Todd Lyons, pp The Exim Maintainers.