Bug 870356 - Exim 4.70 - 4.80 : Remote Execution Exploit in DKIM module.
Status: CLOSED DUPLICATE of bug 870347
Product: Fedora
Classification: Fedora
Component: exim (Show other bugs)
Version: 16
Hardware: All
OS: All
Priority: unspecified
Severity: urgent
Assigned To: David Woodhouse
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-10-26 04:48 EDT by customercare
Modified: 2012-10-26 11:23 EDT
Doc Type: Bug Fix
Last Closed: 2012-10-26 11:01:55 EDT
Type: Bug
Description customercare 2012-10-26 04:48:52 EDT
Posted by pdp@exim.org on 10:35 today (13 minutes ago)

Folks,

During internal code review on Wednesday, I uncovered a remote code
execution hole in Exim, affecting releases 4.70 to 4.80, in the DKIM
handling.  This can be triggered by anyone who can send you email from a
domain for which they control the DNS, and gets them the Exim run-time
user.

Thanks to a certain Wired article, I decided this area of the codebase
(of many MTAs) would be likely to be reviewed by more than just me, so
it would be sheer hubris to hope that this remained undiscovered by
blackhats.

So Exim 4.80.1 has been cut, which has no new features, none of the
other changes, and is "4.80 plus security fix"; the patch and
notification were available to vendors from late Wednesday, and I sucked
it up and accepted that I would be deeply unpopular with a Friday
release, after the vendors had Thursday to prep.

At 8am UTC, I released Exim 4.80.1.  The patch should apply cleanly to
any affected version of Exim, so your vendor should have a clean patch
for you.

For those who build/maintain their own Exim releases, but have not kept
up-to-date on Exim and are not ready to move to 4.80/4.80.1, you will
wish to study:

  http://git.exim.org/exim.git/commit/4263f395efd136dece52d765dfcff3c96f17506e

Regards,
-Phil
Comment 1 customercare 2012-10-26 05:16:51 EDT
It would be nice if you released the patched package today.
Comment 2 Vincent Danen 2012-10-26 11:01:55 EDT

*** This bug has been marked as a duplicate of bug 869953 ***
Comment 3 Tomas Hoger 2012-10-26 11:23:03 EDT
Updated packages are already built and submitted as updates:

https://admin.fedoraproject.org/updates/exim

*** This bug has been marked as a duplicate of bug 870347 ***