Bug 1274822 - Why there is still exim 4.72 in epel 6?
Why there is still exim 4.72 in epel 6?
Status: CLOSED ERRATA
Product: Fedora EPEL
Classification: Fedora
Component: exim (Show other bugs)
el6
Unspecified Unspecified
unspecified Severity medium
: ---
: ---
Assigned To: Jaroslav Škarvada
Fedora Extras Quality Assurance
:
: 1306345 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-23 11:13 EDT by Eugen
Modified: 2017-02-10 13:25 EST (History)
5 users (show)

See Also:
Fixed In Version: exim-4.72-8.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-29 16:25:55 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
ocisp87: needinfo+


Attachments (Terms of Use)

  None (edit)
Description Eugen 2015-10-23 11:13:23 EDT
Description of problem:

What about upgrade exim package to a new version? There is 4.84 in epel7. Can you tell why there is version 4.72 so far?
And I haven't seen updates since Oct 2014.

Version-Release number of selected component (if applicable):
4.72 7.el6



Additional info:
What about adding "openssl_options" option?
I just want to disable SSLv3 but I can't do it in tls_require_ciphers.



Thank you.
Comment 1 Jaroslav Škarvada 2015-10-29 11:07:12 EDT
(In reply to Eugen from comment #0)
> Description of problem:
> 
> What about upgrade exim package to a new version? There is 4.84 in epel7.
> Can you tell why there is version 4.72 so far?
> And I haven't seen updates since Oct 2014.

Please note there is EPEL Package maintenance and update policy [1]. Rebases should be avoided in EPEL if not absolutely necessary, it's stable enterprise environment. AFAIK we fixed all security related bugs.

> What about adding "openssl_options" option?

This could be backported.

[1] https://fedoraproject.org/wiki/EPEL/GuidelinesAndPolicies
Comment 2 Marco Borla 2016-02-10 10:14:32 EST
Hi, I AM having the same issue reported by @Eugen.
I AM on CentOs 6.7 and the last avaiable Exim is 4.72 who is old and vulnerable to SSL 3 and POODLE attack.

I just want to disable SSLv3 but I can't do it in tls_require_ciphers, I have tried but email stop to work.

I AM also in contact with Webuzo and Softculous team for solve this security Issue and we are tring to get in touch with the right person here for find a solution to this security issue.

Exim 4.72 is very old, also asking to Exim support give us the same reply: Exim 4.72 is very old and should be updated.

In my website where I have installed a security scanner I can see there are SSL 3 and POODLE attack issue due to Exim 4.72

I really need a fix for this, Webuzo tema are also working to be able to update Exim in CentOs.

Please update me as soon as possibile.
Comment 3 Jaroslav Škarvada 2016-02-10 11:14:52 EST
*** Bug 1306345 has been marked as a duplicate of this bug. ***
Comment 4 Marco Borla 2016-02-10 11:42:23 EST
The severity, and priority of this BUG should be very hight.
This topic is opened from 2015-10-23

Now until this issue is not resolved I (and not only I) have a Security Issue on my server.

This cause also I cannot have the security seal showed to the website visitor because as there are vulnerabilities on Exim on my server the scanner found IT and cannot give me a good security level as this is not low security issue but is Medium / Hight.

So I will keep eyes on this topic.
Is about one month I am working for try a solution and after asked to Webuzo support I arrived to the CentOs forum and now I have reach here RedHat and hope the solution will be near and I can solve the security issue so I can have back Security Seal on my website a VPS who cost a lot.

Email are very important.
Also anyone can see my Exim version when I send email so is not good things think is an old version and Support SSL 3 without the possibility to disable IT.

Thank you for your help Jaroslav.
I trust in you, please not forget this topic BUG. Hope a solution can come soon as every day now there is this issue active on my server, email etc and Webuzo Team of the control panel can't help me also me cannot do nothing for solve this issue.

I tried a lot of things and researched on Gogle but all configuration in exim not solve the security issue. I can solve by have email not working but this is not a good solution as I need use email.

Thanks again!
Comment 5 Marco Borla 2016-02-11 15:38:19 EST
This is the issue identified from an external scan due to Exim 4.72 SSL 3 support.

Deprecated SSL Protocol Usage

Port: 	urd (465/tcp)

Summary:
The remote service accepts connections encrypted using SSLv2 and/or SSLv3, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

Recommended Solution:
Consult the application's documentation to disable SSL 2.0 and SSL 3.0, and use TLS 1.0 or newer. 

More information: 	
http://www.schneier.com/paper-ssl.pdf

Hope this can help you. Need to disable SSL 3 without disable all Cipter.. because by disabiling SSL 3 seems also TLS stop to work.

Hope a patch can be relased in some week. This is a medium issue for me and I Am loosing safe server seal as well know my server have vulnerability.

Thank you.
Today I have again receved security email advice from the scanner who are alerting me of this issue, I know and continue to hope can be solved.
Comment 6 Fedora Update System 2016-02-12 06:21:02 EST
exim-4.72-8.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-8e8ac9dfda
Comment 7 Jaroslav Škarvada 2016-02-12 06:23:02 EST
Update with backported openssl_options is in updates testing. Feel free to test and don't forget to give it positive karma if it works for you.
Comment 8 Fedora Update System 2016-02-14 22:48:16 EST
exim-4.72-8.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-8e8ac9dfda
Comment 9 Marco Borla 2016-02-22 08:07:15 EST
Hi,
when the update will be stable will be also pushed on CentOs?

Right now seems to be in Fedora, when will be stable will be pushed also on CentOS?

Thanks
Comment 10 Jaroslav Škarvada 2016-02-22 08:45:25 EST
(In reply to Marco Borla from comment #9)
> Hi,
> when the update will be stable will be also pushed on CentOs?
> 
> Right now seems to be in Fedora, when will be stable will be pushed also on
> CentOS?
> 
> Thanks

Sorry, I know nothing about CentOS, but I think there is no CentOS EPEL repo. I bet you use Fedora EPEL repo directly.

IIRC there is 14 days interval for the package to stay in the updates-testing. It can be pushed to updates repo earlier if the package gives enough karma (IIRC +3) from the testers. Feel free to test and give it positive karma (IIRC):

# yum --enablerepo=epel-testing update exim
Comment 11 Marco Borla 2016-02-22 09:00:28 EST
I have asked help on CentOS forum ( https://www.centos.org/forums/viewtopic.php?f=17&t=56357 ) and I see CentOS forum Moderator says to open bug here in Fedora.

Seems also in the topic there are exim version relased by you. I don't know if once this will be stable will be possibile to update exim also in CentOS.

I AM on CentOS where exim are old 4.72 and vulnerable to POODLE.
Comment 12 Jaroslav Škarvada 2016-02-22 09:15:48 EST
(In reply to Marco Borla from comment #11)
> I have asked help on CentOS forum (
> https://www.centos.org/forums/viewtopic.php?f=17&t=56357 ) and I see CentOS
> forum Moderator says to open bug here in Fedora.
> 
> Seems also in the topic there are exim version relased by you. I don't know
> if once this will be stable will be possibile to update exim also in CentOS.
> 
> I AM on CentOS where exim are old 4.72 and vulnerable to POODLE.

Please check your repositories in /etc/yum.repos.d/ if there is something like epel.repo with content:
https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch

it means you are using EPEL and the information from the comment 10 applies.

If not, then really sorry, this is Fedora/RHEL/EPEL bugzilla, I cannot help with CentOS.
Comment 13 Marco Borla 2016-02-23 05:58:36 EST
Thanks.
Maybe I will be able to update when the version will be stable from the EPEL repositories on CentOS. Thank you for your message.

I will see once the Exim will be stable, I need to hear people of my VPS panel because Exim is integrated in that. They also are waiting the stable version, maybe 7 days and will be ready. Sorry if I Am unable to test the Exim patched.

Thanks again for your help, I will monitor here.
Comment 14 Jaroslav Škarvada 2016-02-23 06:02:59 EST
(In reply to Marco Borla from comment #13)
> Thanks.
> Maybe I will be able to update when the version will be stable from the EPEL
> repositories on CentOS. Thank you for your message.
> 
> I will see once the Exim will be stable, I need to hear people of my VPS
> panel because Exim is integrated in that. They also are waiting the stable
> version, maybe 7 days and will be ready. Sorry if I Am unable to test the
> Exim patched.
> 
> Thanks again for your help, I will monitor here.

NP, hope it will works for you. The EPEL update tracker is here:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-8e8ac9dfda

It's currently in testing for 8 days. Without karma it needs to be in testing at least for 14 days.
Comment 15 Fedora Update System 2016-02-29 16:25:53 EST
exim-4.72-8.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 16 Marco Borla 2016-03-08 08:31:42 EST
Jaroslav Škarvada thank you for have released this.
Today Webuzo (webuzo.com) has relased this version who solve two very dangerous vulnerability.

POODLE and the new DROWN vulnerability.

So many thanks because without that I will be also today vulnerable to Poodle and DROWN attack.

I tested my server and was vulnerable to DROWN who is considered very High vulnerability.
With this Exim now this two security issue are resolved.

THANKS! your fix very important!
Comment 17 Jaroslav Škarvada 2016-03-10 10:24:51 EST
Unfortunately we will have to rebase exim in EPEL-6. The fix for the latest discovered CVE-2016-1531 isn't straightforward to backport and 4.72 is no longer supported by upstream. These are valid arguments for rebase, so I am rebasing to the EPEL-7 version, i.e. exim-4.84.2.
Comment 18 Marco Borla 2017-01-31 18:04:53 EST
Thanks. I solved I now have exim 4.84.2 and I see a new version is testing in this days.

A question please, I AM looking since a long time for Hide Exim version on my outgoing email. How I can do that?
I want hide Exim version in outgoing header.

Also I want add abuse email address header.
Can you please help me on this two things? I searched in the internet but nothing works inside exim.conf
Comment 19 Jaroslav Škarvada 2017-02-09 11:44:08 EST
(In reply to Marco Borla from comment #18)
> Thanks. I solved I now have exim 4.84.2 and I see a new version is testing
> in this days.
> 
> A question please, I AM looking since a long time for Hide Exim version on
> my outgoing email. How I can do that?
> I want hide Exim version in outgoing header.
> 
Regarding SMTP banner shown to clients, add the following to the main section of exim.conf:

smtp_banner = $primary_hostname ESMTP Exim $tod_full

Regarding the version in the mail header (which is usually harmless in comparison to the smtp_banner which could make you easy target for scanners) add the following to the main section of exim.conf:
received_header_text = Received: \
${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
{${if def:sender_ident \
{from ${quote_local_part:$sender_ident} }}\
${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
by $primary_hostname \
${if def:received_protocol {with $received_protocol}} \
${if def:tls_cipher {($tls_cipher)\n\t}}\
(Exim)\n\t\
${if def:sender_address \
{(envelope-from <$sender_address>)\n\t}}\
id $message_exim_id\
${if def:received_for {\n\tfor $received_for}}


> Also I want add abuse email address header.
I am not sure what you mean.

> Can you please help me on this two things? I searched in the internet but
> nothing works inside exim.conf

Please note this is bugzilla, not support forum, nor support tool. Ask support questions on our support channels (http://www.redhat.com/support) or on the exim mailing list. I am going to ignore further support request.
Comment 20 Marco Borla 2017-02-09 12:27:42 EST
Thanks, I looked on the internet and tried to add this but Exim in Webuzo panel stop to work. Maybe I cannot use this.
Comment 21 Marco Borla 2017-02-10 13:25:19 EST
SOLVED thanks

Note You need to log in before you can comment on or make changes to this bug.