Posted by pdp on 10:35 today ( 13 minutes ago ) Folks, During internal code review on Wednesday, I uncovered a remote code execution hole in Exim, affecting releases 4.70 to 4.80, in the DKIM handling. This can be triggered by anyone who can send you email from a domain for which they control the DNS, and gets them the Exim run-time user. Thanks to a certain Wired article, I decided this area of the codebase (of many MTAs) would be likely to be reviewed by more than just me, so it would be sheer hubris to hope that this remained undiscovered by blackhats. So Exim 4.80.1 has been cut, which has no new features, none of the other changes, and is "4.80 plus security fix"; the patch and notification were available to vendors from late Wednesday, and I sucked it up and accepted that I would be deeply unpopular with a Friday release, after the vendors had Thursday to prep. At 8am UTC, I released Exim 4.80.1. The patch should apply cleanly to any affected version of Exim, so your vendor should have a clean patch for you. For those who build/maintain their own Exim releases, but have not kept up-to-date on Exim and are not ready to move to 4.80/4.80.1, you will wish to study: http://git.exim.org/exim.git/commit/4263f395efd136dece52d765dfcff3c96f17506e Regards, -Phil
would be nice if you release the patched package today.
*** This bug has been marked as a duplicate of bug 869953 ***
Updated packages are already built and submitted as updates: https://admin.fedoraproject.org/updates/exim *** This bug has been marked as a duplicate of bug 870347 ***