[exim-announce] Critical Exim Security Vulnerability: disabl…
This message is part of the following thread:
the complete thread tree sorted by date
[exim-announce] Critical Exim Security Vulnerability: disable chunking
A remote code execution vulnerability has been reported in Exim, with
immediate public disclosure (we were given no private notice).
A tentative patch exists but has not yet been confirmed.
With immediate effect, please apply this workaround: if you are running
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
section of your Exim configuration, set:
That's an empty value, nothing on the right of the equals. This
disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoids letting an attacker apply the logic.
This should be a complete workaround. Impact of applying the workaround
is that mail senders have to stick to the traditional DATA verb instead
of using BDAT.
We've requested CVEs. More news will be forthcoming as we get this
This message was posted to the following mailing lists:
Mailing List Info
[exim-announce] Administrivia: exim.org DNS glitch, list unsubscribes
[exim] CVE-2017-16943, CVE-2017-16944
Tahini and Hummus Development Archives