Please consider the attached patch to solve the opendmarc issue.
Given that opendmarc broke their API and the new one has no documentation, exim devs are currently checking what could be done, so this is not the official patch from exim devs. I have tested it and got no issues so far.

On 5/4/21 4:45 PM, Renaud Allard wrote:
Indeed, probably, sorry for the noise.
But I also saw we have an issue with opendmarc 1.4+. They changed the API... I am currently trying to find a solution. I had tested with the older version only on the build machine.

On 5/4/21 4:43 PM, Stuart Henderson wrote:
btw there wasn't need for quite so many pings.

On 2021/05/04 15:47, Renaud Allard wrote:
Embargo has been removed, it's time to commit :)

For further reference a list of related CVEs:

     Local vulnerabilities
     - CVE-2020-28007: Link attack in Exim's log directory
     - CVE-2020-28008: Assorted attacks in Exim's spool directory
     - CVE-2020-28014: Arbitrary PID file creation
     - CVE-2020-28011: Heap buffer overflow in queue_run()
     - CVE-2020-28010: Heap out-of-bounds write in main()
     - CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
     - CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
     - CVE-2020-28015: New-line injection into spool header file (local)
     - CVE-2020-28012: Missing close-on-exec flag for privileged pipe
     - CVE-2020-28009: Integer overflow in get_stdinput()
     Remote vulnerabilities
     - CVE-2020-28017: Integer overflow in receive_add_recipient()
     - CVE-2020-28020: Integer overflow in receive_msg()
     - CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
     - CVE-2020-28021: New-line injection into spool header file (remote)
     - CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
     - CVE-2020-28026: Line truncation and injection in spool_read_header()
     - CVE-2020-28019: Failure to reset function pointer after BDAT error
     - CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
     - CVE-2020-28018: Use-after-free in tls-openssl.c
     - CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

On 5/4/21 8:20 AM, Renaud Allard wrote:
ping: the disclosure will take place today (2021-05-04 13:30 UTC)

On 5/2/21 10:49 AM, Renaud Allard wrote:
Hi,

There was a problem in exim 4.94.1, so there is now 4.94.2 which
solves the issue. Embargo dates are the same.

Best Regards

On 28/04/2021 08:53, Renaud Allard wrote:
Hello,

Here is a diff to update exim to 4.94.1. This is a very
important security update.

Unfortunately, this update is embargoed so that "distro" package
maintainers have the time to publish the packages. This means
the source tar.gz is not available before 2021-05-04 13:30 UTC.
I don't know how we could provide packages for -stable before
the tar is published. I can build them for 6.8, but I can't sign
them or build for 6.9 yet.

It solves the following CVEs:

- CVE-2020-28007
- CVE-2020-28008
- CVE-2020-28009
- CVE-2020-28010
- CVE-2020-28011
- CVE-2020-28012
- CVE-2020-28013
- CVE-2020-28014
- CVE-2020-28015
- CVE-2020-28016
- CVE-2020-28017
- CVE-2020-28018
- CVE-2020-28019
- CVE-2020-28020
- CVE-2020-28021
- CVE-2020-28022
- CVE-2020-28023
- CVE-2020-28024
- CVE-2020-28025
- CVE-2020-28026
- CVE-2021-27216

Best Regards

Index: patches/patch-src_dmarc_c
===================================================================
RCS file: patches/patch-src_dmarc_c
diff -N patches/patch-src_dmarc_c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_dmarc_c	4 May 2021 14:51:38 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: src/dmarc.c
+--- src/dmarc.c.orig
++++ src/dmarc.c
+@@ -446,7 +446,7 @@ if (!dmarc_abort && !sender_host_authenticated)
+ 		  vs == PDKIM_VERIFY_INVALID ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL :
+ 		  DMARC_POLICY_DKIM_OUTCOME_NONE;
+     libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, US sig->domain,
+-					       dkim_result, US"");
++					       sig->selector, dkim_result, US"");
+     DEBUG(D_receive)
+       debug_printf("DMARC adding DKIM sender domain = %s\n", sig->domain);
+     if (libdm_status != DMARC_PARSE_OKAY)
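Review bot: the rewritten opendmarc_policy_store_dkim() call at src/dmarc.c:446 is unconditional, so with this patch applied the port only compiles against an opendmarc whose opendmarc_policy_store_dkim() takes the selector as its third argument (the 1.4+ API the thread refers to); against the older four-argument API the extra `sig->selector` argument is a compile error. Either record the new minimum in the port (a LIB_DEPENDS bump to opendmarc>=1.4) or wrap the two call forms in a preprocessor check on the library version so the file still builds with 1.3.x. Separately, the patch header is just `$OpenBSD$` followed by a blank line; OpenBSD port patches normally carry a one-line rationale there, e.g. "opendmarc 1.4 added a selector argument to opendmarc_policy_store_dkim()", so the reason for the change survives the next exim update.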

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
