Exim 4.80.1 Security Release

propcgamer

This is a SECURITY release, addressing a CRITICAL remote code execution
flaw in versions of Exim between 4.70 and 4.80 inclusive, when built
with DKIM support (the default). This release is identical to 4.80
except for the small changes needed to plug the security hole. The next
release of Exim will, eventually, be 4.82, which will include the many
improvements we've made since 4.80, but which will require the normal
release candidate baking process before release.

You are not vulnerable if you built Exim with DISABLE_DKIM or if you
put this at the start of an ACL plumbed into acl_smtp_connect or
acl_smtp_rcpt:

warn control = dkim_disable_verify

I apologise for the impact of releasing this on a Friday. I do not
consider there to be an acceptable alternative. This issue, which is
known by the CVE ID of CVE-2012-5671, was found during internal code
review of an area of the Exim codebase relevant to another issue, DKIM
signing and verification, which has been the subject of US-CERT
VU#268267 and Common Weakness identifiers CWE-347 and CWE-326. As such,
I expect that this area of code in various MTAs will be studied by many
security conscious people around about now, so there is a significant
risk that someone unfriendly has also discovered this, concurrently to
our finding it. We discovered the issue on Wednesday, gave Thursday for
the OS packagers to get emergency packages prepared, and are releasing
on the next available work day.

This is why we have made the smallest feasible changes to prevent
exploit: we want this change to be as safe as possible to expedite into
production. This security vulnerability can be exploited by anyone who
can send email from a domain for which they control the DNS. The class
of attack is known as a "heap-based buffer overflow"; your OS might be
built with protections to mitigate against these attacks.

To avoid confusion between "4.80.1" and "4.81", we will skip the "4.81"
version number and the next release will be "4.82".

Hopefully this will be available through custombuild soon!
 
Hello,

4.80.1 added to files1.directadmin.com.
Please allow up to 24 hours for file server rsync propagation (else set downloadserver=files1.directadmin.com).

I'll create a src.rpm for anyone that want it.

John
 
in CB 2.0 it works fine
in CB 1.2 when i try to update it still show the 4.80 as latest version
Can you suggest anything?
 
in CB 1.2 when i try to update it still show the 4.80 as latest version
Related to Petertjuh360's response: our file servers are all rsynced once per day, so it's possible your build script is set to use one that has not yet updated.
Check:
Code:
grep downloadserver options.conf
and then check the versions.txt on the server that is shown, eg:
http://files6.directadmin.com/services/custombuild/versions.txt

John
 
I have a very old FreeBSD 6.1 system with exim 4.77 which is due to retire soon.
On this system, I can't custombuild exim because of errors. Is there a way to check if my system is vulnerable?
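The announcement at the top of the thread gives two conditions for CVE-2012-5671: an Exim version from 4.70 through 4.80 inclusive, and DKIM compiled in (4.80.1 is the fixed build). Both facts are printed by `exim -bV`, so the check below classifies that report. This is an added example, not a tool from Exim or DirectAdmin; the sample reports are constructed, and the function name `exim_vuln_status` is mine. It cannot see the ACL-level `control = dkim_disable_verify` mitigation, so a "vulnerable" verdict means "vulnerable unless that ACL mitigation is in place".

```shell
#!/bin/sh
# Added example: classify `exim -bV` output for CVE-2012-5671.
# Vulnerable = version in 4.70..4.80 (inclusive) AND "DKIM" listed under "Support for:".
# 4.80.1 (patch level >= 1 on 4.80) is the fixed release.

# exim_vuln_status REPORT  -> prints: vulnerable | not-vulnerable | unknown
exim_vuln_status() {
    report="$1"

    # "Exim version 4.80.1 #1 built ..." -> "4.80.1"
    ver=$(printf '%s\n' "$report" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi

    # DKIM appears as a token on the "Support for:" line when compiled in.
    dkim=no
    if printf '%s\n' "$report" | grep -E '^Support for:.* DKIM( |$)' >/dev/null; then
        dkim=yes
    fi

    # Range test on major.minor.patch; a missing patch level counts as 0.
    in_range=$(printf '%s\n' "$ver" | awk -F. '{
        maj = $1 + 0; min = $2 + 0; pat = ($3 == "" ? 0 : $3 + 0)
        if (maj == 4 && min >= 70 && min <= 80 && !(min == 80 && pat >= 1)) print "yes"; else print "no"
    }')

    if [ "$in_range" = yes ] && [ "$dkim" = yes ]; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
    return 0
}

# Constructed sample reports (trimmed to the lines the check reads).
SAMPLE_VULN_477='Exim version 4.77 #1 built 20-Mar-2012 11:00:00
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM
Configuration file is /etc/exim.conf'

SAMPLE_FIXED_4801='Exim version 4.80.1 #1 built 26-Oct-2012 12:00:00
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM
Configuration file is /etc/exim.conf'

SAMPLE_NODKIM_480='Exim version 4.80 #1 built 28-May-2012 09:00:00
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning
Configuration file is /etc/exim.conf'

SAMPLE_OLD_469='Exim version 4.69 #1 built 10-Jan-2008 09:00:00
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM
Configuration file is /etc/exim.conf'

# Check the local MTA if one is installed (skipped silently otherwise).
if command -v exim >/dev/null 2>&1; then
    echo "local exim: $(exim_vuln_status "$(exim -bV 2>/dev/null)")"
fi
```

For the FreeBSD box in question, run `exim -bV` on it and feed the output to the function; a 4.77 build that lists DKIM reports "vulnerable", which is the expected answer for that system unless its ACLs already carry `control = dkim_disable_verify`.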
 
I have a very old FreeBSD 6.1 system with exim 4.77 which is due to retire soon.
On this system, I can't custombuild exim because of errors. Is there a way to check if my system is vulnerable?

I have a ServerSafe license for you, contact me if you want to buy it.
The best way is to update Exim.

Which errors do you get?
 
This old server will retire in 3 months so I only need a short-term solution.

error is
Code:
gcc exim_dbmbuild.c
In file included from exim_dbmbuild.c:31:
exim.h:381: error: syntax error before "os_get_dns_resolver_res"
exim.h:381: warning: data definition has no type or storage class
*** Error code 1
 
This old server will retire in 3 months so I only need a short-term solution.

error is
Code:
gcc exim_dbmbuild.c
In file included from exim_dbmbuild.c:31:
exim.h:381: error: syntax error before "os_get_dns_resolver_res"
exim.h:381: warning: data definition has no type or storage class
*** Error code 1

I think your OS, or other services, are out of date.
What is the output of "yum list updates"?
 
Sure my OS is out of date, that's why I can't update. I was hoping for some kind of thing you could add to a config or something.

YUM is not working on FreeBSD.
 
I got problems with exim update from 4.80 to 4.80.1 - after
./build clean
./build update
./build exim

I got error:
Building configuration file config.h

*** BIN_DIRECTORY has not been defined in any of the Makefiles in the
"Local" directory. Please review your build-time configuration.

make[1]: *** [config.h] Error 1
make[1]: Leaving directory `/usr/local/directadmin/custombuild/exim-4.80.1/build-Linux-x86_64'
make: *** [all] Error 2

*** The make has failed, would you like to try to make again? (y,n): n
 
OK, I solved it - I found that server files11.directadmin.com is not working properly. I changed it
./build set_fastest
./build exim
and updated exim successfully!
 
I am having issues compiling this version of exim:
Code:
expand.c: In function 'eval_op_mult':
expand.c:3196: error: 'LLONG_MIN' undeclared (first use in this function)
expand.c:3196: error: (Each undeclared identifier is reported only once
expand.c:3196: error: for each function it appears in.)
expand.c:3200: error: 'LLONG_MAX' undeclared (first use in this function)
expand.c: In function 'expand_string_integer':
expand.c:6178: error: 'LLONG_MAX' undeclared (first use in this function)
expand.c:6178: error: 'LLONG_MIN' undeclared (first use in this function)

I have tried to export CC="gcc -std=gnu99" and that did not work either - any other ideas?

thanks
Nz
 