Re: [exim] The most used Exim version is the vulnerable one

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Konstantin Boyandin
Datum:  
To: exim-users@exim.org
Betreff: Re: [exim] The most used Exim version is the vulnerable one
Hell Niels,

12.06.2019 0:58, Niels Dettenbach writes:
> Am Dienstag, 11. Juni 2019, 18:57:41 CEST schrieb Konstantin Boyandin via
> Exim-users:
>> If I am not mistaken, CentOS 6.10 EPEL didn't apply any patches,
>> original Exim 4.91 is still their last version.
>
> The "initial official" date for patch releases was "officially set" by

Exim
> project / security list onto the 11.06.2019 (today) - so possibly some

"less
> aware" (LTS) distributors will use that date ("in respect for the

project")
> for their release...


That would mean that those sysadmins relying on the distro's maintainers
response might have been surprised in a very unpleasant way.

> The distros i.e. i work with mainly (i.e. Gentoo, different BSDs etc.) are


> "on" 4.92 "since published". Debian seems announced/released patches too:
> https://security-tracker.debian.org/tracker/CVE-2019-10149


Kali and Ubuntu, AFAIK, too. Currently I mostly use the latter two.

> RedHat (Enterprise) seems "not affected":
> https://access.redhat.com/security/cve/cve-2019-10149
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10149
>
>> So either build manually, or switch to another MTA, or hope that
>> "allowed chars" trick will be good enough protection.
> or switch to a "proper distro"...ß)


Dreams, those dreams...

I maintain several CentOS 6-based servers. They will finally be replaced
by CentOS 7-based, but it's out of my control to upgrade the
distributions ASAP. Hence, I have to do manual upgrades and monitor
security advisories.

I wonder how many CentOS installations will be hit.

Sincerely,
Konstantin