Exim Exploit

[vandal]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 635-1 [email protected]
http://www.debian.org/security/ Martin Schulze
January 12th, 2005 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : exim
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0021
Debian Bug : 289046

Philip Hazel announced a buffer overflow in the host_aton function in exim, the default mail-tranport-agent in Debian, which can lead to the execution of arbitrary code via an illegal IPv6 address.

For the stable distribution (woody) this problem has been fixed in version 3.35-1woody4.

For the unstable distribution (sid) this problem has been fixed in version 3.36-13 of exim and 4.34-10 of exim4.

We recommend that you upgrade your exim and exim4 packages.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
will update the internal database apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4.dsc
Size/MD5 checksum: 661 d97ecab579bd3dbaa3e9be00b8b16d85
http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4.diff.gz
Size/MD5 checksum: 80195 a02abeefa9d1145ae623ad661aab5f5a
http://security.debian.org/pool/updates/main/e/exim/exim_3.35.orig.tar.gz
Size/MD5 checksum: 1271057 42d362e40a21bd7ffc298f92c8bd986a

Alpha architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_alpha.deb
Size/MD5 checksum: 872796 a46f5dc95d777366cb492eb57ec8dd9f
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_alpha.deb
Size/MD5 checksum: 52318 bf93e35aec9f401d8413015c50f5cbae

ARM architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_arm.deb
Size/MD5 checksum: 785980 5ced90e4c4ecd1ca6a60980634b309e8
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_arm.deb
Size/MD5 checksum: 43514 07b7324395ff66f68db354c6b4589db7

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_i386.deb
Size/MD5 checksum: 759270 9001a456b0a34f4bf5de88d901c70a97
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_i386.deb
Size/MD5 checksum: 39210 78e5eecee7101a355ddabec9d0f07b98

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_ia64.deb
Size/MD5 checksum: 972852 43f4fc30483d8ad5c42e031fd64a9e8d
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_ia64.deb
Size/MD5 checksum: 65166 cdc921d9be2ec60b5f0ed95a5b976732

HP Precision architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_hppa.deb
Size/MD5 checksum: 815358 c506baffb4404f32762468fbc494551c
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_hppa.deb
Size/MD5 checksum: 48294 d90efe5be79e966e07a7cbe8e9013939

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_m68k.deb
Size/MD5 checksum: 737856 aefe6b63ebd03e9fe449afe22e752547
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_m68k.deb
Size/MD5 checksum: 37752 e0d2b938e50c3b408928b8150459ad2b

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_mips.deb
Size/MD5 checksum: 824458 0c1db679287a6de37f2c320f335c650c
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_mips.deb
Size/MD5 checksum: 48882 1670c36409482a8a870becf826f7ae68

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_mipsel.deb
Size/MD5 checksum: 824846 88564f1d1b0c1781587d5db1bccdde77
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_mipsel.deb
Size/MD5 checksum: 48778 6a7002c766a84dd81eed39d23f8709d5

PowerPC architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_powerpc.deb
Size/MD5 checksum: 794244 abfa2009cd6417101d120a5980641012
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_powerpc.deb
Size/MD5 checksum: 44794 ea626fcb485a423fb56e61a1c4ae67e9

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_s390.deb
Size/MD5 checksum: 780026 bc9a3b5488cd7ee72c290f86f601beec
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_s390.deb
Size/MD5 checksum: 43930 f50688c682bcaeabfbd47c9e46a06143

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_sparc.deb
Size/MD5 checksum: 785298 1841407d21f544cf2645e373a6caad15
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_sparc.deb
Size/MD5 checksum: 42444 632b5aadc5c930c7c3e956fef10d5ffe


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB5NYXW5ql+IAeqTIRAhiwAJ9bFB2nUTdRloOJR7lrXZb3RVGVyACgqvrq
gHFdp1F5IhQm3QmAv+sJrto=
=OqTo
-----END PGP SIGNATURE-----

 

[vandal]

here is another one

here is a similar advisory for what i think is the same problem. how can we get our rpm's upgraded? it appears they just released a patch of somekind.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200501-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Exim: Two buffer overflows
Date: January 12, 2005
Bugs: #76893
ID: 200501-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Buffer overflow vulnerabilities, which could lead to arbitrary code execution, have been found in the handling of IPv6 addresses as well as in the SPA authentication mechanism in Exim.

Background
==========

Exim is an highly configurable message transfer agent (MTA) developed at the University of Cambridge.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 mail-mta/exim < 4.43-r2 >= 4.43-r2

Description
===========

Buffer overflows have been found in the host_aton() function
(CAN-2005-0021) as well as in the spa_base64_to_bits() function (CAN-2005-0022), which is part of the SPA authentication code.

Impact
======

A local attacker could trigger the buffer overflow in host_aton() by supplying an illegal IPv6 address with more than 8 components, using a command line option. The second vulnerability could be remotely exploited during SPA authentication, if it is enabled on the server.
Both buffer overflows can potentially lead to the execution of arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Exim users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-mta/exim-4.43-r2"

References
==========

[ 1 ] Exim Announcement
http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html
[ 2 ] CAN-2005-0021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0021
[ 3 ] CAN-2005-0022
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0022

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-23.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [email protected] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

 

[TMC]

Is it necessary to upgrade Exim In DA at all?

• Is it actually necessary for 'us' to do anything about any Exim version upgrades, or will DA take care of it automatically?

 

[vandal]

we have to, the da script just updates apache, php and a few other things.

however they provide the rpm (if you are on redhat)

 

[TMC]

• Sorry to go slightly off-topic, but we've found more than one conflicting post about what DA does and does not update, and when, and how.
  

  posted by Mark (DirectAdmin Sales Administrator) 12-23-2004 10:55 PM
  DirectAdmin keeps itself updated, and also automatically updates software like Exim and ProftpD. Because updating PHP and Apache requires taking them down for a recompile, we provide a simple script that you must run as root (in SSH).
  
  We don't touch perl at all so that would be your responsibility to upgrade. DirectAdmin does NOT integrate with your OS, so you still need some way of keeping your operating system current (e.g. up2date or apt-get).

  (Re: http://www.directadmin.com/forum/showthread.php?&threadid=6242)

 

[Chrysalis]

I think this is the same as what I posted last week, what you are seeing now is announcements from gentoo etc. as they all make their new rpm's and yes I think John could do with compiling a new exim patched up.