Bug 1274822

Summary: Why there is still exim 4.72 in epel 6?
Product: Fedora EPEL
Component: exim
Version: el6
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Eugen <gman86>
Assignee: Jaroslav Škarvada <jskarvad>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwmw2, jskarvad, nenad, nobody+392447, tremble
Flags: nobody+392447: needinfo+
Fixed In Version: exim-4.72-8.el6
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-02-29 21:25:55 UTC

Description Eugen 2015-10-23 15:13:23 UTC
Description of problem:

What about upgrading the exim package to a new version? There is 4.84 in epel7. Can you tell me why there is still version 4.72?
And I haven't seen updates since Oct 2014.

Version-Release number of selected component (if applicable):
4.72-7.el6

Additional info:
What about adding an "openssl_options" option?
I just want to disable SSLv3 but I can't do it in tls_require_ciphers.

Thank you.

Comment 1 Jaroslav Škarvada 2015-10-29 15:07:12 UTC
(In reply to Eugen from comment #0)
> Description of problem:
> 
> What about upgrading the exim package to a new version? There is 4.84 in epel7.
> Can you tell me why there is still version 4.72?
> And I haven't seen updates since Oct 2014.

Please note there is an EPEL package maintenance and update policy [1]. Rebases should be avoided in EPEL if not absolutely necessary; it is a stable enterprise environment. AFAIK we fixed all security related bugs.

> What about adding an "openssl_options" option?

This could be backported.

[1] https://fedoraproject.org/wiki/EPEL/GuidelinesAndPolicies

Comment 2 Persona non grata 2016-02-10 15:14:32 UTC
Hi, I am having the same issue reported by @Eugen.
I am on CentOS 6.7 and the latest available Exim is 4.72, which is old and vulnerable to SSL 3 and the POODLE attack.

I just want to disable SSLv3 but I can't do it in tls_require_ciphers; I have tried, but email stops working.

I am also in contact with the Webuzo and Softaculous team to solve this security issue, and we are trying to get in touch with the right person here to find a solution to this security issue.

Exim 4.72 is very old; asking Exim support gives us the same reply: Exim 4.72 is very old and should be updated.

On my website, where I have a security scanner installed, I can see there are SSL 3 and POODLE attack issues due to Exim 4.72.

I really need a fix for this; the Webuzo team is also working to be able to update Exim on CentOS.

Please update me as soon as possible.

Comment 3 Jaroslav Škarvada 2016-02-10 16:14:52 UTC
*** Bug 1306345 has been marked as a duplicate of this bug. ***

Comment 4 Persona non grata 2016-02-10 16:42:23 UTC
The severity and priority of this BUG should be very high.
This topic has been open since 2015-10-23.

Now, until this issue is resolved, I (and not only I) have a security issue on my server.

This also means I cannot have the security seal shown to website visitors, because as there are vulnerabilities in Exim on my server, the scanner finds it and cannot give me a good security level; this is not a low security issue but medium/high.

So I will keep my eyes on this topic.
It is about one month that I have been working to try to find a solution; after asking Webuzo support I arrived at the CentOS forum, and now I have reached Red Hat here and hope the solution will be near, so I can solve the security issue and have the security seal back on my website, on a VPS that costs a lot.

Email is very important.
Also, anyone can see my Exim version when I send email, so it is not good to think it is an old version that supports SSL 3 without the possibility to disable it.

Thank you for your help Jaroslav.
I trust in you; please do not forget this BUG. I hope a solution can come soon, as every day now this issue is active on my server, email etc., and the Webuzo team of the control panel can't help me, and I cannot do anything to solve this issue either.

I tried a lot of things and researched on Google, but no configuration in exim solves the security issue. I can solve it by having email not working, but this is not a good solution as I need to use email.

Thanks again!

Comment 5 Persona non grata 2016-02-11 20:38:19 UTC
This is the issue identified by an external scan due to Exim 4.72 SSL 3 support.

Deprecated SSL Protocol Usage

Port: urd (465/tcp)

Summary:
The remote service accepts connections encrypted using SSLv2 and/or SSLv3, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

Recommended Solution:
Consult the application's documentation to disable SSL 2.0 and SSL 3.0, and use TLS 1.0 or newer.

More information:
http://www.schneier.com/paper-ssl.pdf

Hope this can help you. I need to disable SSL 3 without disabling all ciphers, because by disabling SSL 3 it seems TLS also stops working.

I hope a patch can be released in some weeks. This is a medium issue for me and I am losing the safe server seal, as it is well known my server has a vulnerability.

Thank you.
Today I have again received a security advisory email from the scanner alerting me of this issue; I know, and I continue to hope it can be solved.

Comment 6 Fedora Update System 2016-02-12 11:21:02 UTC
exim-4.72-8.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-8e8ac9dfda

Comment 7 Jaroslav Škarvada 2016-02-12 11:23:02 UTC
Update with backported openssl_options is in updates testing. Feel free to test and don't forget to give it positive karma if it works for you.
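
As an added illustration (not from the EPEL package, its maintainer, or the bug's participants) of the point this update addresses: an Exim main-section fragment showing why the tls_require_ciphers approach the reporters tried breaks TLS rather than SSLv3, and the openssl_options setting the backport makes available. Hostnames and certificate paths are placeholders; the verification commands in the trailing comments assume a local openssl binary that still accepts the -ssl3 flag, which newer builds omit.

```exim
# Main section of exim.conf (added example; placeholder paths and hostname).
daemon_smtp_ports    = 25 : 465
tls_on_connect_ports = 465              # port the scanner in comment 5 flagged
tls_advertise_hosts  = *
tls_certificate      = /etc/pki/tls/certs/mail.example.com.crt
tls_privatekey       = /etc/pki/tls/private/mail.example.com.key

# What the reporters tried, and why it breaks TLS instead of SSLv3:
# in OpenSSL cipher-list syntax "SSLv3" names the cipher suites introduced
# with SSL 3.0, not the protocol.  TLS 1.0 and 1.1 reuse exactly those
# suites, so "!SSLv3" leaves only TLS 1.2-only suites and every TLS 1.0/1.1
# client fails to negotiate, while an SSLv3 client offering a TLS 1.2 suite
# name would still not be refused on protocol grounds.
#
#   tls_require_ciphers = HIGH:!SSLv3      # wrong: removes TLS 1.0/1.1 suites
#
# Keep the cipher list for cipher policy only:
tls_require_ciphers = HIGH:!aNULL:!eNULL:!MD5:!RC4

# Protocol policy belongs in openssl_options (backported in exim-4.72-8.el6).
# Names are OpenSSL's SSL_OP_* flags, lower-cased, without the prefix.
openssl_options = +no_sslv2 +no_sslv3 +single_dh_use

# Verify from another host after restarting exim:
#   openssl s_client -connect mail.example.com:465 -ssl3
#       -> handshake failure expected once SSLv3 is off
#   openssl s_client -connect mail.example.com:465 -tls1
#       -> must still complete; if not, the cipher list is too strict
#   openssl s_client -connect mail.example.com:25 -starttls smtp -ssl3
#       -> same check for STARTTLS on port 25 (and 587 if you offer it)
```

The split matters for the scanner finding quoted in comment 5: the protocol version is negotiated before the cipher, so only the openssl_options line actually makes the server refuse an SSLv3 ClientHello; the cipher list on its own can only make the negotiation fail for legitimate clients.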

Comment 8 Fedora Update System 2016-02-15 03:48:16 UTC
exim-4.72-8.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-8e8ac9dfda

Comment 9 Persona non grata 2016-02-22 13:07:15 UTC
Hi,
when the update is stable, will it also be pushed to CentOS?

Right now it seems to be in Fedora; when it is stable, will it also be pushed to CentOS?

Thanks

Comment 10 Jaroslav Škarvada 2016-02-22 13:45:25 UTC
(In reply to Marco Borla from comment #9)
> Hi,
> when the update is stable, will it also be pushed to CentOS?
> 
> Right now it seems to be in Fedora; when it is stable, will it also be pushed
> to CentOS?
> 
> Thanks

Sorry, I know nothing about CentOS, but I think there is no CentOS EPEL repo. I bet you use the Fedora EPEL repo directly.

IIRC there is a 14-day interval for the package to stay in updates-testing. It can be pushed to the updates repo earlier if the package gets enough karma (IIRC +3) from the testers. Feel free to test and give it positive karma (IIRC):

# yum --enablerepo=epel-testing update exim

Comment 11 Persona non grata 2016-02-22 14:00:28 UTC
I have asked for help on the CentOS forum ( https://www.centos.org/forums/viewtopic.php?f=17&t=56357 ) and I see the CentOS forum moderator says to open a bug here in Fedora.

It also seems that in the topic there are exim versions released by you. I don't know whether, once this is stable, it will be possible to update exim on CentOS too.

I am on CentOS, where exim is the old 4.72 and vulnerable to POODLE.

Comment 12 Jaroslav Škarvada 2016-02-22 14:15:48 UTC
(In reply to Marco Borla from comment #11)
> I have asked for help on the CentOS forum (
> https://www.centos.org/forums/viewtopic.php?f=17&t=56357 ) and I see the CentOS
> forum moderator says to open a bug here in Fedora.
> 
> It also seems that in the topic there are exim versions released by you. I don't
> know whether, once this is stable, it will be possible to update exim on CentOS too.
> 
> I am on CentOS, where exim is the old 4.72 and vulnerable to POODLE.

Please check your repositories in /etc/yum.repos.d/: if there is something like epel.repo with the content
https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch

it means you are using EPEL and the information from comment 10 applies.

If not, then I am really sorry; this is the Fedora/RHEL/EPEL bugzilla, I cannot help with CentOS.

Comment 13 Persona non grata 2016-02-23 10:58:36 UTC
Thanks.
Maybe I will be able to update when the version is stable in the EPEL repositories on CentOS. Thank you for your message.

I will see once Exim is stable; I need to hear from the people of my VPS panel, because Exim is integrated into it. They are also waiting for the stable version, maybe 7 days and it will be ready. Sorry that I am unable to test the patched Exim.

Thanks again for your help, I will monitor here.

Comment 14 Jaroslav Škarvada 2016-02-23 11:02:59 UTC
(In reply to Marco Borla from comment #13)
> Thanks.
> Maybe I will be able to update when the version is stable in the EPEL
> repositories on CentOS. Thank you for your message.
> 
> I will see once Exim is stable; I need to hear from the people of my VPS
> panel, because Exim is integrated into it. They are also waiting for the stable
> version, maybe 7 days and it will be ready. Sorry that I am unable to test the
> patched Exim.
> 
> Thanks again for your help, I will monitor here.

NP, I hope it works for you. The EPEL update tracker is here:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-8e8ac9dfda

It has currently been in testing for 8 days. Without karma it needs to be in testing for at least 14 days.

Comment 15 Fedora Update System 2016-02-29 21:25:53 UTC
exim-4.72-8.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Persona non grata 2016-03-08 13:31:42 UTC
Jaroslav Škarvada, thank you for having released this.
Today Webuzo (webuzo.com) has released this version, which solves two very dangerous vulnerabilities:

POODLE and the new DROWN vulnerability.

So many thanks, because without that I would still be vulnerable today to the POODLE and DROWN attacks.

I tested my server and it was vulnerable to DROWN, which is considered a very high vulnerability.
With this Exim these two security issues are now resolved.

THANKS! Your fix is very important!

Comment 17 Jaroslav Škarvada 2016-03-10 15:24:51 UTC
Unfortunately we will have to rebase exim in EPEL-6. The fix for the latest discovered CVE-2016-1531 isn't straightforward to backport, and 4.72 is no longer supported by upstream. These are valid arguments for a rebase, so I am rebasing to the EPEL-7 version, i.e. exim-4.84.2.

Comment 18 Persona non grata 2017-01-31 23:04:53 UTC
Thanks. I solved it; I now have exim 4.84.2 and I see a new version is in testing these days.

A question please: I have been looking for a long time for a way to hide the Exim version in my outgoing email. How can I do that?
I want to hide the Exim version in the outgoing header.

Also I want to add an abuse email address header.
Can you please help me with these two things? I searched on the internet but nothing works inside exim.conf

Comment 19 Jaroslav Škarvada 2017-02-09 16:44:08 UTC
(In reply to Marco Borla from comment #18)
> Thanks. I solved it; I now have exim 4.84.2 and I see a new version is in
> testing these days.
> 
> A question please: I have been looking for a long time for a way to hide the
> Exim version in my outgoing email. How can I do that?
> I want to hide the Exim version in the outgoing header.
> 
Regarding the SMTP banner shown to clients, add the following to the main section of exim.conf:

smtp_banner = $primary_hostname ESMTP Exim $tod_full

Regarding the version in the mail header (which is usually harmless in comparison to the smtp_banner, which could make you an easy target for scanners), add the following to the main section of exim.conf:
received_header_text = Received: \
${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
{${if def:sender_ident \
{from ${quote_local_part:$sender_ident} }}\
${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
by $primary_hostname \
${if def:received_protocol {with $received_protocol}} \
${if def:tls_cipher {($tls_cipher)\n\t}}\
(Exim)\n\t\
${if def:sender_address \
{(envelope-from <$sender_address>)\n\t}}\
id $message_exim_id\
${if def:received_for {\n\tfor $received_for}}


> Also I want to add an abuse email address header.
I am not sure what you mean.

> Can you please help me with these two things? I searched on the internet but
> nothing works inside exim.conf

Please note this is bugzilla, not a support forum or support tool. Ask support questions on our support channels (http://www.redhat.com/support) or on the exim mailing list. I am going to ignore further support requests.

Comment 20 Persona non grata 2017-02-09 17:27:42 UTC
Thanks, I looked on the internet and tried to add this, but Exim in the Webuzo panel stopped working. Maybe I cannot use this.

Comment 21 Persona non grata 2017-02-10 18:25:19 UTC
SOLVED, thanks