Bug 1306345

Summary: Exim 4.72 Security Issue: POODLE and SSL 3 Vulnerable. Old version from 2011 needs to be updated.
Product: [Fedora] Fedora EPEL
Reporter: Persona non grata <nobody+392447>
Component: exim
Assignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: el6
CC: dwmw2, jskarvad, tremble
Target Milestone: ---
Flags: nobody+392447: needinfo+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-10 16:14:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Persona non grata 2016-02-10 15:44:20 UTC
Description of problem:
As in the topic also present here:
https://bugzilla.redhat.com/show_bug.cgi?id=1274822

I want to create this topic to raise an alert about a security issue in Exim 4.72, which is the latest available in CentOS 6.7.

The version provided is VULNERABLE to POODLE and SSL 3, and SSL 3 can't be disabled.

Disabling SSLv3 is not possible even with the use of tls_require_ciphers, because when SSL 3 is excluded emails stop working.

Version-Release number of selected component (if applicable):
Exim 4.72

How reproducible:

Umh ... with Exim 4.72, if I do an SSH test
openssl s_client -connect mail.domain.ext:465 -ssl3
I can see SSL 3 is supported, and so a security scanner that I use to keep my VPS monitored and secure alerts me about Deprecated SSL Protocol Support, i.e. SSL 3 and the POODLE vulnerability.

If I try to disable SSL 3 with tls_require_ciphers, emails stop working. The security issue is resolved but email is not working well.

Also, Exim 4.72 is very old and can have other security issues and should be updated ASAP.

Actual results:

SSL 3 is supported and can't be disabled. This is a security issue, one of the security issues of Exim 4.72; maybe there are other BUGS and security issues in Exim 4.72, which I have also read about on Google.

Expected results:

SSL 3 not supported, so no vulnerability to the POODLE attack.

Additional info:

Actually, with yum from CentOS the latest Exim available is Exim 4.72, which is VULNERABLE.

This should be updated ASAP.

Comment 1 Persona non grata 2016-02-10 15:54:41 UTC
My VPS server is monitored by the Beyond Security scanner, which can see this security issue on my VPS.

The security issue is solved if I disable SSL 3 in Exim
https://lists.exim.org/lurker/message/20141017.093614.e5c38176.en.html

but IF I do that, email stops working.

This string:

openssl_options = +no_sslv2 +no_sslv3

put in exim.conf causes an error, so it is not supported, and if I put in exim.conf:

tls_require_ciphers = NORMAL:!VERS-SSL3.0

the security issue is solved but email does not work anymore from Thunderbird and maybe other software, and no cipher suites are supported even if I add TLSv1.2:ALL, etc. to tls_require_ciphers.

So it is very important that a new release of Exim is done in CentOS and this security issue is fixed ASAP.
I continue to receive security alerts from the external scanner on my server.

Also the Webuzo (http://webuzo.com/) team, of the Softaculous VPS panel manager which works on CentOS, is unable to help me fix this issue because it depends on CentOS and RPMs.

A topic is open on CentOS about this security issue, but CentOS can't help with that and suggested to ask and report the issue here.

https://www.centos.org/forums/viewtopic.php?f=17&t=56357

I hope you can take this bug seriously and find and release a solution ASAP.
Thanks

Comment 2 Jaroslav Škarvada 2016-02-10 16:14:52 UTC
The correct way is to backport the 'openssl_options' feature. I will take a look. Also feel free to provide patches. Regarding the CentOS tracker: Issue 1274822 not found (I think you meant EPEL-6 bug 1274822). Closing as a dupe of bug 1274822.

*** This bug has been marked as a duplicate of bug 1274822 ***

Comment 3 Persona non grata 2016-02-10 16:24:37 UTC
Yes, bug 1274822 seems not to really give importance to the security issue; there are strong security issues in Exim 4.72 and it seems bug 1274822 has been open for a long time.

Here there is not only a discussion about how to disable SSL 3, but I have found the POODLE vulnerability and also no possibility to deactivate SSL 3.

On the web I also found other BUGS that can affect Exim 4.72; for example a quick search on Google can show IT: https://goo.gl/FBZlgU

I really hope to see this security issue solved soon. I will follow UP these two BUGS even if this one was now closed by you.

I AM worried to see, in all these months and also past years, Exim 4.72 continuing to be the latest edition available, with SSL 3 enabled.

Security Issue.

Exim 4.72 was released in 2011; now we are in 2016 and the Latest Version is 4.86.

Comment 4 Jaroslav Škarvada 2016-02-10 16:46:03 UTC
Please check the EPEL policy for updates/rebases. We backport all important security fixes, e.g.:

* Wed Jul 23 2014 Jaroslav Škarvada <jskarvad> - 4.72-6
- Only expand integers for integer math once
  Resolves: CVE-2014-2972
  
* Sun Oct 28 2012 Jaroslav Škarvada <jskarvad> - 4.72-4
- The wrongly named CVE-2011-1407 patch was renamed to CVE-2011-1764
- Added fix for CVE-2011-1407
  Resolves: CVE-2011-1407

* Thu Oct 25 2012 Jaroslav Škarvada <jskarvad> - 4.72-3
- Backported fix for CVE-2012-5671
  Resolves: CVE-2012-5671

* Wed May 18 2011 Mark Chappell <tremble.uk> 4.72-2
- Backport various security fixes
- (CVE-2011-1407 CVE-2011-0017 CVE-2010-4345)
...

If you know about other unfixed CVEs, please let me know. It should be watched by our Security Response team.

Comment 5 Persona non grata 2016-02-10 16:57:24 UTC
Hi Jaroslav,
sorry BUT I AM not a developer, I AM not an expert on the web of RedHat or CentOS... I just have an interest in the web and security, and sometimes I AM good at finding problems and issues BUT not able to fix them with code.

Actually I have found the Exim 4.72 security issue, but my server has CentOS 6.7 and Exim is installed and managed by Webuzo ( Webuzo.com ) of the famous Softaculous team ( https://www.softaculous.com/ )

The reply or technical information about Exim should be forwarded to developers, so I AM asking Webuzo to join this bug and get in touch with you as soon as possible.

I can only see on my SSH VPS that Exim is 4.72; I don't know if it has patches or not, but I also suppose that 2014 was before the discovery of the SSL 3 vulnerabilities.

So I hope you can verify the SSL 3 vulnerabilities.
I can only know that SSL 3 is still supported by my Exim; the Webuzo team told me they install the latest version available from yum RPMs, so I think the solution should be released by you...

So for now thank you, I will follow this topic and I will also hear about updates from the Webuzo team.

I think this is not a small problem and not only my personal problem but a bigger issue.

I AM happy to hear someone is taking care of it and I think it will be resolved, I really hope.
Have a good day for now and sorry if I cannot help more.. if you need help from me I can try to run a command over SSH on my server to check the version.. but I need a step by step guide, so maybe it is better that I get the Webuzo developers team in contact with you, as they are also working on and aware of this Exim issue.

I also can't understand why there is still an old version of Exim, never updated in all those years. It is strange.

Comment 6 Jaroslav Škarvada 2016-02-10 17:23:19 UTC
Marco, no problem. In RHEL-6 the exim package is in the EPEL repository. EPEL stands for Extra Packages for Enterprise Linux; we try to follow enterprise standards there, and packages in EPEL are rebased very occasionally so as not to break things (even some bugs may be relied upon by enterprise users). But the packages are still patched to fix important security issues. So don't worry, it is not the pure upstream 4.72 version there - the EPEL version contains many fixes from later exim versions. What is important is the full NVR, i.e. exim-4.72-7. You can check in the package changelog which security issues have already been fixed. Please let me know if we missed anything important. Regarding POODLE, I am looking at it and hopefully will introduce the EPEL-6 patch soon. I will continue to track this issue in bug 1274822.

If you need newer SW versions, consider upgrading to RHEL-7.
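The changelog check that comments 4 and 6 describe (read the package changelog, then look for the CVE ids the maintainers list), as an added example that is not part of this bug report or of the exim package: a small Python parser that takes the changelog fragment quoted in comment 4 as constructed sample input, in the layout `rpm -q --changelog exim` prints, and reports which of a wanted list of CVE ids no entry mentions. The functions `parse_changelog`, `fixed_in` and `unfixed` are names chosen here, and `CVE-0000-0001` is a placeholder for a CVE absent from the changelog.

```python
import re

# Constructed sample input: the EPEL exim changelog fragment quoted in comment 4,
# in the format `rpm -q --changelog exim` prints (header line, then "- " items).
SAMPLE_CHANGELOG = """\
* Wed Jul 23 2014 Jaroslav Škarvada <jskarvad> - 4.72-6
- Only expand integers for integer math once
  Resolves: CVE-2014-2972

* Sun Oct 28 2012 Jaroslav Škarvada <jskarvad> - 4.72-4
- The wrongly named CVE-2011-1407 patch was renamed to CVE-2011-1764
- Added fix for CVE-2011-1407
  Resolves: CVE-2011-1407

* Thu Oct 25 2012 Jaroslav Škarvada <jskarvad> - 4.72-3
- Backported fix for CVE-2012-5671
  Resolves: CVE-2012-5671

* Wed May 18 2011 Mark Chappell <tremble.uk> 4.72-2
- Backport various security fixes
- (CVE-2011-1407 CVE-2011-0017 CVE-2010-4345)
"""

# An entry header is "* <date> <packager> [-] <version-release>"; capture the version-release.
HEADER_RE = re.compile(r"^\* .*?(\d[\w.]*-\d+)\s*$", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Return [(release, set_of_cve_ids_mentioned)] in changelog order (newest entry first)."""
    headers = list(HEADER_RE.finditer(text))
    entries = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        entries.append((h.group(1), set(CVE_RE.findall(text[h.end():end]))))
    return entries


def fixed_in(text, cve):
    """Releases whose changelog entry mentions the CVE, newest first ([] if none)."""
    return [rel for rel, cves in parse_changelog(text) if cve in cves]


def unfixed(text, wanted):
    """Subset of `wanted` CVE ids that no changelog entry mentions: the list to raise
    with the maintainer, as comment 4 asks."""
    mentioned = set().union(*(cves for _, cves in parse_changelog(text)))
    return set(wanted) - mentioned


if __name__ == "__main__":
    # CVE-0000-0001 is a placeholder id standing for a CVE not yet in the changelog.
    print(unfixed(SAMPLE_CHANGELOG, ["CVE-2014-2972", "CVE-0000-0001"]))
```

A changelog mention is evidence that a backport exists, not proof that it is complete, so confirm the installed full NVR (exim-4.72-7 per comment 6) before closing a finding.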

Comment 7 Persona non grata 2016-02-11 09:28:43 UTC
Hi,
thank you. Actually my server seems to have issues upgrading to CentOS, as my VPS panel also does not support 7 for now.

So maybe now the most important thing is to make Exim secure also in EPEL 6. CentOS 6.7 is not very old and 7 is just the new CentOS, but it may take some time to be fully supported.

Thank you, I will look into bug 1274822