Re: [SECURITY] [DSA 2566-1] exim4 security update
Tomas Pospisek (26/10/2012): > They don't seem to be available anywhere I look, particularily not > in the http://security.debian.org/ package repository or in the > standard debian package repository neither for unstable nor for > wheezy. > > http://incoming.debian.org/ has the versions indicated above, > however the packages are not signed. > > What's the way forward from here? Will you rerun the incoming queue > and build packages for security.debian.org or should users > (blindly?) install the packages from incoming? http://packages.qa.debian.org/e/exim4/news/20121026T084842Z.html says the package was accepted a few hours ago. https://buildd.debian.org/status/package.php?p=exim4&suite=sid says packages were built a few hours ago. Please allow some time for packages to move from incoming to the mirrors, and upgrade at this point. Mraw, KiBi. signature.asc Description: Digital signature
Re: [SECURITY] [DSA 2566-1] exim4 security update
On Fri, 26 Oct 2012, Nico Golde wrote: For the testing distribution (wheezy), this problem has been fixed in version 4.80-5.1. For the unstable distribution (sid), this problem has been fixed in version 4.80-5.1. They don't seem to be available anywhere I look, particularily not in the http://security.debian.org/ package repository or in the standard debian package repository neither for unstable nor for wheezy. http://incoming.debian.org/ has the versions indicated above, however the packages are not signed. What's the way forward from here? Will you rerun the incoming queue and build packages for security.debian.org or should users (blindly?) install the packages from incoming? I've set "DISABLE_DKIM_VERIFY='true'" to mitigate the bug in update-exim4.conf.conf but I'm not sure that's the way that flag is intended to be used since update-exim4.conf is complaining that it doesn't know anything about that configuration item. *t -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/alpine.DEB.2.02.1210261637360.3289@localhost
Re: [SECURITY] [DSA 2566-1] exim4 security update
I've just updated the clw server. On 26/10/12, Rory Campbell-Lange (r...@campbell-lange.net) wrote: > This is pretty serious and could easily cause some server hacks. > > Can we upgrade mail servers for just this issue more or less > immediately? Please let me know what the status of the mailscanner > server is. > > Rory > > On 26/10/12, Nico Golde (n...@debian.org) wrote: > > - > > Debian Security Advisory DSA-2566-1 secur...@debian.org > > http://www.debian.org/security/Nico Golde > > October 25, 2012 http://www.debian.org/security/faq > > - > > > > Package: exim4 > > Vulnerability : heap-based buffer overflow > > Problem type : remote > > Debian-specific: no > > CVE ID : CVE-2012-5671 > > > > It was discovered that Exim, a mail transport agent, is not properly > > handling the decoding of DNS records for DKIM. Specifically, crafted > > records can yield to a heap-based buffer overflow. An attacker can > > exploit this flaw to execute arbitrary code. > > > > For the stable distribution (squeeze), this problem has been fixed in > > version 4.72-6+squeeze3. > > > > For the testing distribution (wheezy), this problem has been fixed in > > version 4.80-5.1. > > > > For the unstable distribution (sid), this problem has been fixed in > > version 4.80-5.1. > > > > > > We recommend that you upgrade your exim4 packages. > > > > Further information about Debian Security Advisories, how to apply > > these updates to your system and frequently asked questions can be > > found at: http://www.debian.org/security/ > > > > Mailing list: debian-security-annou...@lists.debian.org > > > > > > > > -- > > To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org > > with a subject of "unsubscribe". Trouble? Contact > > listmas...@lists.debian.org > > Archive: http://lists.debian.org/20121026101520.ga31...@ngolde.de > > > > -- > Rory Campbell-Lange > r...@campbell-lange.net > > Campbell-Lange Workshop > www.campbell-lange.net > 0207 6311 555 > 3 Tottenham Street London W1T 2AF > Registered in England No. 04551928 -- Rory Campbell-Lange r...@campbell-lange.net Campbell-Lange Workshop www.campbell-lange.net 0207 6311 555 3 Tottenham Street London W1T 2AF Registered in England No. 04551928 -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20121026103904.gc6...@campbell-lange.net
Re: [SECURITY] [DSA 2566-1] exim4 security update
This is pretty serious and could easily cause some server hacks. Can we upgrade mail servers for just this issue more or less immediately? Please let me know what the status of the mailscanner server is. Rory On 26/10/12, Nico Golde (n...@debian.org) wrote: > - > Debian Security Advisory DSA-2566-1 secur...@debian.org > http://www.debian.org/security/Nico Golde > October 25, 2012 http://www.debian.org/security/faq > - > > Package: exim4 > Vulnerability : heap-based buffer overflow > Problem type : remote > Debian-specific: no > CVE ID : CVE-2012-5671 > > It was discovered that Exim, a mail transport agent, is not properly > handling the decoding of DNS records for DKIM. Specifically, crafted > records can yield to a heap-based buffer overflow. An attacker can > exploit this flaw to execute arbitrary code. > > For the stable distribution (squeeze), this problem has been fixed in > version 4.72-6+squeeze3. > > For the testing distribution (wheezy), this problem has been fixed in > version 4.80-5.1. > > For the unstable distribution (sid), this problem has been fixed in > version 4.80-5.1. > > > We recommend that you upgrade your exim4 packages. > > Further information about Debian Security Advisories, how to apply > these updates to your system and frequently asked questions can be > found at: http://www.debian.org/security/ > > Mailing list: debian-security-annou...@lists.debian.org > > > > -- > To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org > with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org > Archive: http://lists.debian.org/20121026101520.ga31...@ngolde.de > -- Rory Campbell-Lange r...@campbell-lange.net Campbell-Lange Workshop www.campbell-lange.net 0207 6311 555 3 Tottenham Street London W1T 2AF Registered in England No. 04551928 -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20121026103652.gb6...@campbell-lange.net