[exim] remote access vulnerability in version 4.92-8+deb10u3

Góra strony
Delete this message
Reply to this message
Autor: Haines Brown
Data:  
Dla: exim-users
Temat: [exim] remote access vulnerability in version 4.92-8+deb10u3
Of late (perhaps since October?) I've received random messages like
this:

> Date: Fri, 29 Nov 2019 21:30:34 -0500
> From: Mail Delivery System <Mailer-Daemon@???>
> To: postmaster@???
> Subject: Message frozen
>
> Message 1iasWk-0004Ya-NP has been frozen (delivery error message).
> The sender is <>.
>
>  The following address(es) have yet to be delivered:
>    dng-bounces@???: SMTP error from remote mail server
>  after pipelined
>  MAIL FROM:<> SIZE=5753: 554 5.7.1 Empty Sender Address is
>  prohibited through this server


This apparently is a remote exploit vulnerability that was fixed early
in June for all exim versions since 4.87. Exim 4.92 was said not to
be vulnerable:

https://www.exim.org/static/doc/security/CVE-2019-10149.txt

However, I'm runing Version: 4.92-8+deb10u3 . It appears this
vulnerability now exists for Exim4 4.92 under Devuan.

My impression is this exploit is not harmless, and so I'd like to know
if there is a way to block it. Since it depends on emacs4
configuration, this might be possible.

Haines Brown