Exim RCE vulnerability [CVE-2023-42115]
- Thread starter tomputer
- Start date
- Joined
- Aug 30, 2021
- Messages
- 1,244
The situation is still not entirely great, because previously DA used exim
Right now DA uses exim 4.96.1 which is initial exim 4.96 release + security fixes just for these RCE bugs. So upgrading from
Official exim position is that only these latest fixes are important to have a version bump from 4.96 to 4.96.1.
Ideally we should be getting final exim 4.97 soon enough, it will contain everything.
In the mean time we will release a new exim build
4.96-58-g4e9ed49f8. It was a build of exim that is in between version 4.96 and version 4.97 (version 4.97 is not yet finished). The number 58 meant release is 58 commits ahead of initial exim 4.96 release.Right now DA uses exim 4.96.1 which is initial exim 4.96 release + security fixes just for these RCE bugs. So upgrading from
4.96-58-g4e9ed49f8 to 4.96.1 means losing 58 commits of exim development towards exim 4.97 but gaining extra 5 commits that fixes the security issue.Official exim position is that only these latest fixes are important to have a version bump from 4.96 to 4.96.1.
Ideally we should be getting final exim 4.97 soon enough, it will contain everything.
In the mean time we will release a new exim build
4.96.1-7-g79877b70e it will be the 4.96.1 release plus some fixes from the 4.97 development. The fixes are not picked by us - it is taken from upstream exim git branch exim-4.96.1+fixes.Joriz
Verified User
Fedora and epel are indeed releasing packages of libspf2.
If you use one of these functions using libspf2 in your exim.conf you are probably vulnerable:
Solution is to update libspf2.
SpamAssassin might use an other SPF implementation. I can't find any mention of libspf2 in the SpamAssassin source code.
If you use one of these functions using libspf2 in your exim.conf you are probably vulnerable:
Code:
spf_guess
spf_header_comment
spf_received
spf_result
spf_result_guessed
spf_smtp_comment
spf_smtp_comment_templateSolution is to update libspf2.
SpamAssassin might use an other SPF implementation. I can't find any mention of libspf2 in the SpamAssassin source code.
Tristan
Verified User
- Joined
- Aug 30, 2021
- Messages
- 1,244
Yes, update with new exim version is available for Debian 9 as well.
Last edited:
Tristan
Verified User
Great, how exactly though? Just a:
Code:
./build update
./build exim- Joined
- Aug 30, 2021
- Messages
- 1,244
Yes. Commands you wrote would work. You just need to:
- Update DA to the latest version with
/usr/local/directadmin/directadmin updateor./build updateor via GUI - Rebuild exim with
./build eximor GUI
versions.txt file to 4.96.1.Same effect could be achieved just by customizing exim version and setting it to
4.96.1 with a lineexim:4.96.1: in file /usr/local/directadmin/custombuild/custom_versions.txt.
stefantriep
Verified User
- Joined
- Aug 30, 2021
- Messages
- 1,244
Ohh I finally understand the problem. CB did not support
The support for RHEL 6 in CB was dropped before it was considered EOL by DirectAdmin and even before it got merged to DirectAdmin.
I am sorry to inform this exim update will not be available on RHEL/CentOS 6 systems ?. The update on RHEL 6 systems is essentially noop, it bumps the entry in versions.txt but CB can not buid exim for this distro.
Same goes for Debian 8. The update should work on Debian 9.
RHEL/CentOS 6 even before the release hot-fix. You would have receive the same error even if you would not have updated. We do not have any functional CentOS 6 system, so rely only on your reports here.The support for RHEL 6 in CB was dropped before it was considered EOL by DirectAdmin and even before it got merged to DirectAdmin.
I am sorry to inform this exim update will not be available on RHEL/CentOS 6 systems ?. The update on RHEL 6 systems is essentially noop, it bumps the entry in versions.txt but CB can not buid exim for this distro.
Same goes for Debian 8. The update should work on Debian 9.
Last edited:
- Joined
- Aug 30, 2021
- Messages
- 1,244
The only way forward that we could offer is to try grabbing very old version of CB and use it at your own risk. Here is last known custombuild version that used to work on RHEL 6 / Debian 8 systems - https://files.directadmin.com/services/build.ancient it could work with latest exim release, but it could also mess-up your systems just as likely. Use at your own risk.
stefantriep
Verified User
Dauser2007
Verified User
- Joined
- Dec 5, 2007
- Messages
- 168
4.96.1 have not fix the remote issue
Just updated with 4.96.1-7-g79877b70e, will see what happening
Just updated with 4.96.1-7-g79877b70e, will see what happening
- Joined
- Aug 30, 2021
- Messages
- 1,244
@Dauser2007 if you know of any extra issues with exim you should inform exim maintainers about it. Official exim position is that 4.96.1 fixes the security issues 
. You can reach them out via [email protected] mailing list.
. You can reach them out via [email protected] mailing list.Dauser2007
Verified User
- Joined
- Dec 5, 2007
- Messages
- 168
Just checked my DA mail queue list and there are still remote queue emails, maybe downgrading the exim version would be a good option now?
- Joined
- Aug 30, 2021
- Messages
- 1,244
Ohhh, by remote I immediately assumed you are referring the remote code execution vulnerabilities that are the main topic of this thread.
If it is some other issue with exim, would be great to report in our ticketing system or in a separate forum thread.
If it is some other issue with exim, would be great to report in our ticketing system or in a separate forum thread.
Dauser2007
Verified User
- Joined
- Dec 5, 2007
- Messages
- 168
hi fln.,
Which version do you recommend downgrading? Checking here https://files.directadmin.com/services/custombuild/ it seems only 4.96.1 on DA server now
br.,