Bug 1306345 - Exim 4.72 Security Issue POODLE and SSL 3 Vulnerable. Old version of years 2011 need to be updated.
Summary: Exim 4.72 Security Issue POODLE and SSL 3 Vulnerable. Old version of years 20...
Keywords:
Status: CLOSED DUPLICATE of bug 1274822
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: exim
Version: el6
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Jaroslav Škarvada
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-02-10 15:44 UTC by Marco Borla
Modified: 2016-02-11 09:28 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-02-10 16:14:52 UTC
ocisp87: needinfo+


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
CentOS 1274822 None None None 2016-02-10 15:44:20 UTC

Description Marco Borla 2016-02-10 15:44:20 UTC
Description of problem:
As topic are also present here:
https://bugzilla.redhat.com/show_bug.cgi?id=1274822

I want create this topic for alert of Security Issue on Exim 4.72 who is the last avaiable into CentOs 6.7

The version provide is VULNERABLE to POODLE and SSL 3 and SSL 3 can't be disabled.

disable SSLv3 is no possibile also with the use of in tls_require_ciphers because when SSL 3 is excluded emails stop to work.

Version-Release number of selected component (if applicable):
Exim 4.72

How reproducible:

Umh ... with Exim 4.72 if I do SSH test
openssl s_client -connect mail.domain.ext:465 -ssl3
I can see SSL 3 is supported and so a security scanner that I use for make my VPS monitored and secure alert me of Deprecated SSL Protocol Support so SSL 3 and POODLE vulnerability.

If I try to disable SSL 3 with tls_require_ciphers emails stop to work. Security issue is resolved but email are not working well.

Also Exim 4.72 is very old and can have other security issue and should be ASAP updated.

Actual results:

SSL 3 is supported and can't be disabled. This is a security Issue, one of the security issue of Exim 4.72 maybe there are other BUGS and security Issue on Exim 4.72 who also I have read on Google.

Expected results:

SSL 3 not supported so no vulnerability on POODLE attack.

Additional info:

Actualy with yum from CentOs the last Exim avaiable is Exim 4.72 who is VULNERABLE.

This should be updated ASAP.

Comment 1 Marco Borla 2016-02-10 15:54:41 UTC
My VPS Server are monitored by Beyond Security scanner who can see this security issue on my VPS.

The security Issue is solved if I disable SSL 3 on Exim
https://lists.exim.org/lurker/message/20141017.093614.e5c38176.en.html

but IF I do that email stop to work.

This string:

openssl_options = +no_sslv2 +no_sslv3

putted in exim.conf cause an error so not supported and if I put on exim.conf:

tls_require_ciphers = NORMAL:!VERS-SSL3.0

the security issue is solved but email not work anymore from Thunderbird and maybe other software and no chipter suite are supported also If I add on tls_require_ciphers TLSv1.2:ALL, etc.

So is very important a new relases of Exim will be done in CentOs and fixed ASAp this security issue.
I continue to receive Security alert from the external scanner on my server.

Also Webuzo (http://webuzo.com/) Team of Softaculous VPS panel manager who works on CentOs are unable to help me to fix this issue because depends on CentOs and RPM's

Is opened a topic on CentOs about this security Issue but CentOs can't help with that and suggested to ask and report the issue here.

 https://www.centos.org/forums/viewtopic.php?f=17&t=56357

Hope you can take this bug seriously and find, relase a solution ASAP.
Thanks

Comment 2 Jaroslav Škarvada 2016-02-10 16:14:52 UTC
Correct way is to backport 'openssl_options' feature. I will take a look. Also feel free to provide patches. Regarding the CentOS tracker: Issue 1274822 not found (I think you meant EPEL-6 bug 1274822). Closing as dupe of bug 1274822.

*** This bug has been marked as a duplicate of bug 1274822 ***

Comment 3 Marco Borla 2016-02-10 16:24:37 UTC
Yes, the bug 1274822 seems not really give importance to Security Issue, there are strong security Issue on Exim 4.72 and seems this bug 1274822 is opened from a lot of time.

Here is not only discussion about how disalbe SSL 3 but I have found POODLE vulnerability also no possibilities to deactivate SSL 3.

On the web also founded other BUG who can affect Exim 4.72 for example a quick search on Google can show IT https://goo.gl/FBZlgU

Really hope to see this security issue soon solved. I will follow UP this two BUG also if this one was now closed by you.

I AM worried about see in all this month and also past years Exim 4.72 continue to be the last edition avaiable with SSL 3 enabled.

Security Issue.

Exim 4.72 was relased on 2011 now we are on 2016 and Latest Version: is 4.86

Comment 4 Jaroslav Škarvada 2016-02-10 16:46:03 UTC
Please check EPEL policy for updates/rebases. We backport all important security fixes, e.g.:

* Wed Jul 23 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 4.72-6
- Only expand integers for integer math once
  Resolves: CVE-2014-2972
  
* Sun Oct 28 2012 Jaroslav Škarvada <jskarvad@redhat.com> - 4.72-4
- The wrongly named CVE-2011-1407 patch was renamed to CVE-2011-1764
- Added fix for CVE-2011-1407
  Resolves: CVE-2011-1407

* Thu Oct 25 2012 Jaroslav Škarvada <jskarvad@redhat.com> - 4.72-3
- Backported fix for CVE-2012-5671
  Resolves: CVE-2012-5671

* Wed May 18 2011 Mark Chappell <tremble@tremble.org.uk> 4.72-2
- Backport various security fixes
- (CVE-2011-1407 CVE-2011-0017 CVE-2010-4345)
...

If you know about other unfixed CVEs, please let me know. It should be watched by our Security response team.

Comment 5 Marco Borla 2016-02-10 16:57:24 UTC
Hi Jaroslav,
sorry BUT I AM not a Developer, I AM not a expert of the web of RedHat or CentoOs... just have interest for the web, the security and some times I Am good on finding problem and issue BUT not able to fix with the code.

Actually I have found the Exim 4.72 Security Issue but my Server has CentOs 6.7 and Exim is installed and managed by Webuzo ( Webuzo.com ) of the famous softaculous team ( https://www.softaculous.com/ )

The reply or information tecnical about Exim should be fowarded to Developers so I Am asking to Webuzo to join this bug and get in touch with you as soon as possibile.

I can just only see on my SSH VPS Exim is 4.72 I don't know if have patch or not but also suppose on the 2014 was before the discovering of the SSL 3 vulnerabilities.

So hope you can verify the SSL 3 vulnerabilities. 
I can just only know SSL 3 still supported by my Exim, Webuzo Team told me they install the last version avaiable from yum RPM's so I think the solution should relased by you... 

So for now thank you, I will follow this topic also I will hear update from Webuzo Team.

I think this is not a small problem and not only my personal problem but a biggest issue.

I Am happy to hear someone is taking care and think will be resolved, I really hope.
Have a good day for now and sorry if I cannot help more.. if you need help by me I can try to do a command SSH on my server for check version .. but I need step by step guide so is better maybe I can get Webuzo Developers team in contact with you as they also are working and aware of this Exim issue.

I also can't understand why still be an old version of Exim never updated in all thoose years. Is strange.

Comment 6 Jaroslav Škarvada 2016-02-10 17:23:19 UTC
Marco, no problem. In RHEL-6 exim package is in EPEL repository. EPEL stands for Extra Packages for Enterprise Linux, we try to follow enterprise standards there and packages in EPEL are rebased very occasionally not to break things (even some bugs may be relied upon by enterprise users). But the packages are still patched to fix important security issues. So don't worry, it is not pure upstream 4.72 version there - the EPEL version contains many fixes from later exim versions. Important is full NVR, i.e. exim-4.72-7. You can check in the package changelog which security issues has been already fixed. Please let me know if we missed anything important. Regarding the POODLE, I am looking on it and hopefully will introduce the EPEL-6 patch soon. I will continue to track this issue in bug 1274822.

If you need newer SW versions, consider upgrading to RHEL-7.

Comment 7 Marco Borla 2016-02-11 09:28:43 UTC
Hi,
thank you. Actually my server seems have issue on upgrade to CentOs as also my VPS panel not support 7 for now.

So maybe now the most important things is make Exim secure also in 6 EPEL. CentOs 6.7 is not very old and 7 is just the new CentOs but may take some times for be fully supported.

Thank yu, I will look into bug 1274822


Note You need to log in before you can comment on or make changes to this bug.