Besides waiting for an update, is there any other action we can take to protect our servers?
* 3 of them are related to SPA/NTLM, and EXTERNAL auth. If you do not use
SPA/NTLM, or EXTERNAL authentication, you're not affected.
These issues are fixed.
* One issue is related to data received from a proxy-protocol proxy. If
you do not use a proxy in front of Exim, you're not affected. If your
proxy is trustworthy, you're not affected. We're working on a fix.
* One is related to libspf2. If you do not use the `spf` lookup type
or the `spf` ACL condition, you are not affected.
* The last one is related to DNS lookups. If you use a trustworthy
resolver (which does validation of the data it receives), you're
not affected. We're working on a fix.
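An added triage example (not from this thread, DirectAdmin or the Exim project): a small POSIX shell helper that maps a host's compile-time features and configuration onto the four issue classes listed above. It assumes the inputs are saved copies of `exim -bV` and of a config dump such as `exim -bP config`; the sample inputs in the block are constructed.

```shell
#!/bin/sh
# Triage helper: which of the four issue classes in the advisory summary
# could apply to a host. Reads a saved `exim -bV` dump and a saved config
# dump (on a real host: exim -bV > bv.txt; exim -bP config > cfg.txt; both
# assumed). Prints one tag per potentially applicable class; DNS is always
# listed because resolver trustworthiness cannot be judged from Exim's config.

# True if WORD appears on the `exim -bV` line that starts with LABEL.
has_feature() { # $1=bv file  $2=line label  $3=word
    grep -i "^$2" "$1" | tr ' ' '\n' | grep -qix "$3"
}

exposure() { # $1=bv file  $2=config file
    bv=$1; cfg=$2
    # Class 1: an spa (NTLM) or external authenticator is configured.
    if grep -Eq '^[[:space:]]*driver[[:space:]]*=[[:space:]]*(spa|external)[[:space:]]*$' "$cfg"; then
        echo AUTH
    fi
    # Class 2: PROXY protocol compiled in and a hosts_proxy list set.
    if has_feature "$bv" 'Support for:' PROXY && grep -Eq '^[[:space:]]*hosts_proxy[[:space:]]*=' "$cfg"; then
        echo PROXY
    fi
    # Class 3: linked against libspf2 and the spf lookup/ACL condition is used
    # (plain word match; comments mentioning spf are flagged too, for review).
    if has_feature "$bv" 'Support for:' SPF && grep -Eq '(^|[^A-Za-z_])spf([^A-Za-z_]|$)' "$cfg"; then
        echo SPF
    fi
    # Class 4: DNS data handling, mitigated only by a validating resolver.
    echo DNS
}

# Constructed sample inputs (not from any real host). The build supports PROXY
# and SPF; config A only enables an spa authenticator, config B only a proxy
# list and an spf ACL condition.
tmp=$(mktemp -d)
cat > "$tmp/bv.txt" <<'EOF'
Exim version 4.96 #2 built 01-Jan-2023 00:00:00
Support for: crypteq iconv() IPv6 PAM Perl OpenSSL DANE DKIM DNSSEC Event OCSP PROXY SPF TCP_Fast_Open
Authenticators: cram_md5 dovecot plaintext spa external
EOF
cat > "$tmp/cfg_a.txt" <<'EOF'
begin authenticators
spa_login:
  driver = spa
  public_name = NTLM
EOF
cat > "$tmp/cfg_b.txt" <<'EOF'
hosts_proxy = 192.0.2.10
begin acl
acl_check_mail:
  deny spf = fail
  accept
EOF
exposure "$tmp/bv.txt" "$tmp/cfg_a.txt"   # prints AUTH and DNS
exposure "$tmp/bv.txt" "$tmp/cfg_b.txt"   # prints PROXY, SPF and DNS
```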
libspf2, but it could be that the issue will be fixed in the library, not with an exim update.
beta release channels) to be compatible with the upcoming exim 4.97 (but 4.96 will be used by default). The latest version can be tested by setting the custom exim version to 4.97-RC1; any feedback would be appreciated.
4.97-RC1 does not have the fixes for these issues. Once the fixes are released publicly (should be tomorrow), we will make new versions of exim 4.97 with the fixes.
Thanks for the security information update.
Normally, I (we) use Google DNS (188.8.131.52) or Cloudflare DNS (184.108.40.206). It should be fine for me.
Well, keep in mind, Google's and Cloudflare's DNS do not respond properly to zen.spamhaus.org. I don't know what other RBLs they may not be responding to correctly.
More details: https://exim.org/static/doc/security/CVE-2023-zdi.txt
Fixes should be available on Monday, Oct 2nd, 12:00 UTC: https://www.openwall.com/lists/oss-security/2023/10/02/3
- does not link against libspf2
libspf2. The default DA installation does link against this library; thanks for spotting my mistake @ccto. Security fixes should be available soon enough.
4.96.1 is added to our mirrors and a new version of DA is released for all release channels with the default exim version set to
da build exim. CB should report the `Exim 4.96.1 Installed.` line at the end of the exim build.