Re: [exim] Exim 4.94.2 - security update released
The updated Exim packages from the EPEL project for RHEL 7 & 8 (and related distributions e.g. CentOS) as well as Fedora 34 are now in the process of being pushed to the stable repositories and should be there in the next few hours or so:

https://bodhi.fedoraproject.org/updates/?packages=exim

That said, anyone reading this ought to update as soon as possible, without waiting for them to reach the stable repositories.

Tim

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Exim 4.94.2 - security update released
On 06.05.21 at 14:54, Konstantin Boyandin via Exim-users wrote:
> (yes, no problem building Exim package(s) for EPEL, once I understand the exact way to do that)

    fedpkg clone --anonymous exim
    cd exim
    git checkout epel8
    # tweak exim.spec
    fedpkg mockbuild

Felix
Re: [exim] Exim 4.94.2 - security update released
On 06.05.21 at 14:54, Konstantin Boyandin via Exim-users wrote:
> On 04.05.2021 20:40, Heiko Schlittermann via Exim-users wrote:
>> We have prepared a security release, tagged as "exim-4.94.2".
>>
>> This release contains all changes on the exim-4.94+fixes branch plus security fixes.
>
> I wonder whether current Exim maintainer at EPEL reads this list.
>
> The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It wasn't difficult to build Exim from sources and replace insecure EPEL version, but it's not exactly my understanding of fun.
>
> (yes, no problem building Exim package(s) for EPEL, once I understand the exact way to do that)

Go to Fedora koji and download your files manually. I have seen EL7 already on Tuesday, but they are kept in the testfarm until they reach a good karma.

Best regards,
Marius
Re: [exim] Exim 4.94.2 - security update released
On 06.05.2021 21:36, Tim Jackson via Exim-users wrote:
> On 06/05/2021 14:54, Konstantin Boyandin via Exim-users wrote:
>
>> The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It wasn't difficult to build Exim from sources and replace insecure EPEL version, but it's not exactly my understanding of fun.
> ...
>
> It is currently in the testing repository, meaning an update can be done with "yum --enablerepo=epel-testing".
>
> I've nudged the EPEL maintainer to suggest that it should be pushed immediately to stable, given the severity.

Thanks a lot for nudging - meanwhile I'll run the tests on sandbox installations, to raise the corresponding karma (if tests pass).

--
Sincerely,
Konstantin Boyandin
Re: [exim] Exim 4.94.2 - security update released
On 06/05/2021 14:54, Konstantin Boyandin via Exim-users wrote:
> The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It wasn't difficult to build Exim from sources and replace insecure EPEL version, but it's not exactly my understanding of fun.

An update was available for EPEL 7 & 8 (as well as Fedora) on Tuesday:

EL8: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-beed69126f
EL7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-dad1996f63

It is currently in the testing repository, meaning an update can be done with "yum --enablerepo=epel-testing".

I've nudged the EPEL maintainer to suggest that it should be pushed immediately to stable, given the severity.

Tim
Re: [exim] Exim 4.94.2 - security update released
On 06/05/2021 14:54, Konstantin Boyandin via Exim-users wrote:
> I wonder whether current Exim maintainer at EPEL reads this list.

It is already in epel-testing.

Greetings, Wolfgang
--
Wolfgang Breyha | https://www.blafasel.at/
Vienna University Computer Center | Austria
Re: [exim] Exim 4.94.2 - security update released
On 06.05.21 at 14:54, Konstantin Boyandin via Exim-users wrote:
> The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It wasn't difficult to build Exim from sources and replace insecure EPEL version, but it's not exactly my understanding of fun.

Exim updates are in epel-testing:

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-dad1996f63
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-beed69126f

The pages above contain information on how to apply the update to your system. If you leave positive feedback ("karma") the update will reach all users faster (stable channel).

Felix
Re: [exim] Exim 4.94.2 - security update released
On 06.05.21 at 15:35, Heiko Schlittermann via Exim-users wrote:
> (I got reports that Fedora's packages were stuck on some test server. (?))

Updates are not "stuck" but in a testing repo. This is meant to check that we only push actually working software to users. I'm not sure why the Fedora/EPEL maintainer chose to use testing also for that security release.

As it is right now the updates will go to stable once there is enough positive feedback by users:

https://bodhi.fedoraproject.org/updates/?packages=exim

Fedora 33 already has this in stable as we had enough positive feedback.

Felix
Re: [exim] Exim 4.94.2 - security update released
Hi Konstantin,

Konstantin Boyandin via Exim-users (Thu 06 May 2021 14:54:37 CEST):
> On 04.05.2021 20:40, Heiko Schlittermann via Exim-users wrote:
>> We have prepared a security release, tagged as "exim-4.94.2".
>>
>> This release contains all changes on the exim-4.94+fixes branch plus security fixes.
>
> I wonder whether current Exim maintainer at EPEL reads this list.

The initial heads-up notification was sent to oss-security@openwall, distros@vs.openwall and exim-maintainers. It contained a schedule. The announcement of the limited access to the security repo was sent to distros@… on Apr 27th, the announcement of the public release was sent to oss-security@… and exim-users, and, with some delay, to exim-announce.

I'm not exactly sure how to notify the individual distros in a more reliable way.

(I got reports that Fedora's packages were stuck on some test server. (?))

Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU)
{fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE
Re: [exim] Exim 4.94.2 - security update released
On 04.05.2021 20:40, Heiko Schlittermann via Exim-users wrote:
> We have prepared a security release, tagged as "exim-4.94.2".
>
> This release contains all changes on the exim-4.94+fixes branch plus security fixes.

I wonder whether current Exim maintainer at EPEL reads this list.

The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It wasn't difficult to build Exim from sources and replace insecure EPEL version, but it's not exactly my understanding of fun.

(yes, no problem building Exim package(s) for EPEL, once I understand the exact way to do that)

--
Sincerely,
Konstantin Boyandin
Re: [exim] Exim 4.94.2 - security update released
Cyborg via Exim-users (Wed 05 May 2021 16:56:44 CEST):
> On 04.05.21 at 15:40, Heiko Schlittermann via Exim-users wrote:
>> The details about the vulnerabilities *will* be published in the near future (on http://exim.org/static/doc/security/), but not today. This should give you the chance to update your systems.
>
> Time has run up:
> https://www.qualys.com/2021/05/04/21nails/21nails.txt

It is linked on https://exim.org already since about yesterday.

Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU)
{fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE
Re: [exim] Exim 4.94.2 - security update released
On 04.05.21 at 15:40, Heiko Schlittermann via Exim-users wrote:
> The details about the vulnerabilities *will* be published in the near future (on http://exim.org/static/doc/security/), but not today. This should give you the chance to update your systems.

Time has run up:
https://www.qualys.com/2021/05/04/21nails/21nails.txt

best regards,
Marius
Re: [exim] Exim 4.94.2 - security update released (DANE fix)
The DANE fix:

- ob->tls_sni = sx->first_addr->domain; /* force SNI */
+ ob->tls_sni = sx->conn_args.host->name; /* force SNI */

replaces the recipient domain with the MX hostname. When the MX host is a CNAME, is that necessarily the same as the TLSA base domain? How does Exim handle MX hosts that are CNAMEs? Are fully expanded (secure at every step, with fallback to the original name) CNAMEs used for TLSA lookups (per RFC7672?)?

--
Viktor.
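Review bot: the `/* force SNI */` comment is carried over unchanged while the value it documents changes from the recipient domain (`sx->first_addr->domain`) to the MX host name (`sx->conn_args.host->name`); the comment should state which name is now sent as SNI and why that is the right one for DANE, because the question raised directly below the hunk, whether a CNAME-expanded MX host name is the same as the TLSA base domain, is exactly the case a reader of this line needs the rationale for.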
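The RFC 7672 rule the question paraphrases, as an added example that is not Exim source and not part of the thread: TLSA base-domain selection for an MX host that is a CNAME, with DNS replaced by constructed tables (the `.test` names are made up) and the MX RRset itself assumed to have been securely resolved.

```python
# Added example, not Exim source and not from the thread: RFC 7672 TLSA
# base-domain selection for an MX host that is a CNAME. Rule as the message
# paraphrases it: use the fully CNAME-expanded name only when every step of
# the expansion is DNSSEC-secure and TLSA records exist there; otherwise
# fall back to the original MX host name. DNS is replaced by constructed
# tables; the MX RRset itself is assumed to have been securely resolved.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Cname:
    target: str   # canonical name this alias points to
    secure: bool  # this CNAME step was DNSSEC-validated (AD bit set)

# Constructed CNAME chains (".test" names, not real hosts).
CNAMES: Dict[str, Cname] = {
    "mx.example.test":          Cname("mail-a.provider.test", secure=True),
    "mail-a.provider.test":     Cname("mail-edge.provider.test", secure=True),
    "mx-insecure.example.test": Cname("mail-x.provider.test", secure=False),
    "mx-notlsa.example.test":   Cname("mail-y.provider.test", secure=True),
}
# Names owning a _25._tcp.<name> TLSA RRset (constructed).
TLSA_PRESENT: Set[str] = {
    "mail-edge.provider.test",   # reachable through a fully secure chain
    "mx-insecure.example.test",  # TLSA only at the original MX name
    "mx-notlsa.example.test",    # expanded name has none, original does
}

def expand_cname(name: str, max_hops: int = 8) -> Tuple[str, bool]:
    """Follow the CNAME chain; return (final name, chain secure at every step)."""
    secure = True
    for _ in range(max_hops):
        rr = CNAMES.get(name)
        if rr is None:
            return name, secure
        secure = secure and rr.secure
        name = rr.target
    raise ValueError("CNAME chain too long")  # loop guard

def tlsa_base_domain(mx_host: str) -> Optional[str]:
    """TLSA base domain per RFC 7672 section 2.2.2, or None when no TLSA applies."""
    expanded, chain_secure = expand_cname(mx_host)
    # The expanded name counts only if the whole chain was secure and has TLSA.
    if chain_secure and expanded in TLSA_PRESENT:
        return expanded
    # Otherwise fall back to the original (unexpanded) MX host name.
    if mx_host in TLSA_PRESENT:
        return mx_host
    return None  # no usable TLSA RRset: DANE does not apply to this MX host
```

The three constructed MX names cover the three outcomes the message asks about: a fully secure chain (expanded name wins), an insecure step (original name wins), and a secure chain whose target publishes no TLSA (original name wins).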
Re: [exim] Exim 4.94.2 - security update released
Kai Bojens via Exim-users (Tue 04 May 2021 17:28:41 CEST):
> On 04.05.21 at 15:40, Heiko Schlittermann via Exim-users wrote:
> „These vulnerabilities were reported by Qualys via secur...@exim.org back in October 2020.”
>
> Please don't take this the wrong way - but I have to ask: is the Exim project in a viable state? Seven months for bugs like this are a very long time.

Yes. And you're invited to contribute and join the project.

Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU)
{fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE
Re: [exim] Exim 4.94.2 - security update released
On 04.05.21 at 15:40, Heiko Schlittermann via Exim-users wrote:
> Local vulnerabilities
>
> - CVE-2020-28007: Link attack in Exim's log directory
> - CVE-2020-28008: Assorted attacks in Exim's spool directory
> - CVE-2020-28014: Arbitrary PID file creation
> - CVE-2020-28011: Heap buffer overflow in queue_run()
> - CVE-2020-28010: Heap out-of-bounds write in main()
> - CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
> - CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
> - CVE-2020-28015: New-line injection into spool header file (local)
> - CVE-2020-28012: Missing close-on-exec flag for privileged pipe
> - CVE-2020-28009: Integer overflow in get_stdinput()
>
> Remote vulnerabilities
>
> - CVE-2020-28017: Integer overflow in receive_add_recipient()
> - CVE-2020-28020: Integer overflow in receive_msg()
> - CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
> - CVE-2020-28021: New-line injection into spool header file (remote)
> - CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
> - CVE-2020-28026: Line truncation and injection in spool_read_header()
> - CVE-2020-28019: Failure to reset function pointer after BDAT error
> - CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
> - CVE-2020-28018: Use-after-free in tls-openssl.c
> - CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

„These vulnerabilities were reported by Qualys via secur...@exim.org back in October 2020.”

Please don't take this the wrong way - but I have to ask: is the Exim project in a viable state? Seven months for bugs like this are a very long time.
Re: [exim] Exim 4.94.2 - security update released
On Tue, May 4, 2021 at 4:52 PM Heiko Schlittermann via Exim-users <exim-users@exim.org> wrote:
> Dear Exim-Users
>
> Abstract
>
> Several exploitable vulnerabilities in Exim were reported to us and are fixed.
>
> We have prepared a security release, tagged as "exim-4.94.2".
>
> This release contains all changes on the exim-4.94+fixes branch plus security fixes.
>
> You should update your Exim instances as soon as possible. (See below for short upgrade notes.)

I have installed this version and I am getting a strange error which was not appearing with v4.94:

2021-05-04 16:45:39 1ldwIb-000LOY-LA H=maily102.outbound.eversrv.com [154.0.15.102] I=[46.165.223.102]:25 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<bounce_5k3w1xx3vfd9mww6_dly8zilxgzejudot_b3ccc2b800ca38d4...@fnbmailer-mail.com> temporarily rejected after DATA: failed to expand ACL string "${lookup sqlite,file=/var/spool/exim/db/greylist.db {SELECT host from resenders WHERE helo='${quote_sqlite:$sender_helo_name}' AND host='$sender_host_address';} {1}}": absolute file name expected for "sqlite" lookup

    GREYDB=/var/spool/exim/db/greylist.db

    greylist_mail:
      accept condition = ${if eq{$acl_m_greylistreasons}{} {1}}
      accept hosts = :
      accept authenticated = *
      accept hosts = +IPwhitelist
      accept sender_domains = facebook.com : twitter.com : facebookmail.com : linkedin.com
      accept hosts = +backup_mx_hosts

      accept condition = ${lookup sqlite,file=GREYDB {SELECT host from resenders \
                           WHERE helo='${quote_sqlite:$sender_helo_name}' \
                           AND host='$sender_host_address';} {1}}

      warn set acl_m_greyident = ${hash{20}{62}{$sender_address$recipients$h_message-id:}}

      warn set acl_m_greyexpiry = ${lookup sqlite,file=GREYDB {SELECT expire FROM greylist \
                                    WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}

      warn condition = ${if eq {$acl_m_greyexpiry}{} {1}}
           set acl_m_dontcare = ${lookup sqlite,file=GREYDB {INSERT INTO greylist \
                                   VALUES ( '$acl_m_greyident', \
                                            '${eval10:$tod_epoch+300}', \
                                            '$sender_host_address', \
                                            '${quote_sqlite:$sender_helo_name}' );}}

      defer condition = ${if eq {$acl_m_greyexpiry}{} {1}}
            condition = ${lookup sqlite,file=GREYDB {SELECT expire FROM greylist \
                           WHERE id='${quote_sqlite:$acl_m_greyident}';} {1}}
            message = Mail is suspicious. Please retry later.
            log_message = Greylisted <$h_message-id:> from <$sender_address> for offences: ${sg {$acl_m_greylistreasons}{\n}{,}}

      warn condition = ${if eq {$acl_m_greyexpiry}{} {1}}
           log_message = Greylist insertion failed. Bypassing greylist.

      accept condition = ${if eq {$acl_m_greyexpiry}{} {1}}

      defer condition = ${if > {$acl_m_greyexpiry}{$tod_epoch}}
            message = Mail is suspicious. Please retry later.

      warn set acl_m_orighost = ${lookup sqlite,file=GREYDB {SELECT host FROM greylist \
                                  WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
           set acl_m_orighelo = ${lookup sqlite,file=GREYDB {SELECT helo FROM greylist \
                                  WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
           set acl_m_dontcare = ${lookup sqlite,file=GREYDB {INSERT INTO resenders \
                                  VALUES ( '$acl_m_orighost', \
                                           '${quote_sqlite:$acl_m_orighelo}', \
                                           '$tod_epoch' ); }}
           logwrite = Added host $acl_m_orighost with HELO '$acl_m_orighelo' to known resenders

      accept

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)