Re: [SECURITY] [DSA 2566-1] exim4 security update
This is pretty serious and could easily cause some server hacks. Can we upgrade mail servers for just this issue more or less immediately? Please let me know what the status of the mailscanner server is. Rory On 26/10/12, Nico Golde (n...@debian.org) wrote: - Debian Security Advisory DSA-2566-1 secur...@debian.org http://www.debian.org/security/Nico Golde October 25, 2012 http://www.debian.org/security/faq - Package: exim4 Vulnerability : heap-based buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2012-5671 It was discovered that Exim, a mail transport agent, is not properly handling the decoding of DNS records for DKIM. Specifically, crafted records can yield to a heap-based buffer overflow. An attacker can exploit this flaw to execute arbitrary code. For the stable distribution (squeeze), this problem has been fixed in version 4.72-6+squeeze3. For the testing distribution (wheezy), this problem has been fixed in version 4.80-5.1. For the unstable distribution (sid), this problem has been fixed in version 4.80-5.1. We recommend that you upgrade your exim4 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -- To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20121026101520.ga31...@ngolde.de -- Rory Campbell-Lange r...@campbell-lange.net Campbell-Lange Workshop www.campbell-lange.net 0207 6311 555 3 Tottenham Street London W1T 2AF Registered in England No. 04551928 -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20121026103652.gb6...@campbell-lange.net
Re: [SECURITY] [DSA 2566-1] exim4 security update
I've just updated the clw server. On 26/10/12, Rory Campbell-Lange (r...@campbell-lange.net) wrote: This is pretty serious and could easily cause some server hacks. Can we upgrade mail servers for just this issue more or less immediately? Please let me know what the status of the mailscanner server is. Rory On 26/10/12, Nico Golde (n...@debian.org) wrote: - Debian Security Advisory DSA-2566-1 secur...@debian.org http://www.debian.org/security/Nico Golde October 25, 2012 http://www.debian.org/security/faq - Package: exim4 Vulnerability : heap-based buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2012-5671 It was discovered that Exim, a mail transport agent, is not properly handling the decoding of DNS records for DKIM. Specifically, crafted records can yield to a heap-based buffer overflow. An attacker can exploit this flaw to execute arbitrary code. For the stable distribution (squeeze), this problem has been fixed in version 4.72-6+squeeze3. For the testing distribution (wheezy), this problem has been fixed in version 4.80-5.1. For the unstable distribution (sid), this problem has been fixed in version 4.80-5.1. We recommend that you upgrade your exim4 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -- To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20121026101520.ga31...@ngolde.de -- Rory Campbell-Lange r...@campbell-lange.net Campbell-Lange Workshop www.campbell-lange.net 0207 6311 555 3 Tottenham Street London W1T 2AF Registered in England No. 04551928 -- Rory Campbell-Lange r...@campbell-lange.net Campbell-Lange Workshop www.campbell-lange.net 0207 6311 555 3 Tottenham Street London W1T 2AF Registered in England No. 04551928 -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20121026103904.gc6...@campbell-lange.net
Re: [SECURITY] [DSA 2566-1] exim4 security update
On Fri, 26 Oct 2012, Nico Golde wrote: For the testing distribution (wheezy), this problem has been fixed in version 4.80-5.1. For the unstable distribution (sid), this problem has been fixed in version 4.80-5.1. They don't seem to be available anywhere I look, particularily not in the http://security.debian.org/ package repository or in the standard debian package repository neither for unstable nor for wheezy. http://incoming.debian.org/ has the versions indicated above, however the packages are not signed. What's the way forward from here? Will you rerun the incoming queue and build packages for security.debian.org or should users (blindly?) install the packages from incoming? I've set DISABLE_DKIM_VERIFY='true' to mitigate the bug in update-exim4.conf.conf but I'm not sure that's the way that flag is intended to be used since update-exim4.conf is complaining that it doesn't know anything about that configuration item. *t -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/alpine.DEB.2.02.1210261637360.3289@localhost
Re: [SECURITY] [DSA 2566-1] exim4 security update
Tomas Pospisek tpo_...@sourcepole.ch (26/10/2012): They don't seem to be available anywhere I look, particularily not in the http://security.debian.org/ package repository or in the standard debian package repository neither for unstable nor for wheezy. http://incoming.debian.org/ has the versions indicated above, however the packages are not signed. What's the way forward from here? Will you rerun the incoming queue and build packages for security.debian.org or should users (blindly?) install the packages from incoming? http://packages.qa.debian.org/e/exim4/news/20121026T084842Z.html says the package was accepted a few hours ago. https://buildd.debian.org/status/package.php?p=exim4suite=sid says packages were built a few hours ago. Please allow some time for packages to move from incoming to the mirrors, and upgrade at this point. Mraw, KiBi. signature.asc Description: Digital signature
