On 2011-01-19 at 13:50 +0100, Pascal Bourdais wrote:
> # exim -bV
> Exim version 4.68 #8 built 03-Sep-2009 09:01:10

There are known issues with that version. There have been security notices from major vendors urging people to upgrade.

If you are not using a vendor's packages, but installing Exim yourself, then you should subscribe to:
  http://lists.exim.org/mailman/listinfo/exim-announce

Then you would have read both:
  http://www.gossamer-threads.com/lists/exim/announce/89583
  http://www.gossamer-threads.com/lists/exim/announce/89810

In short: there is a buffer overflow vulnerability in versions before 4.70, which was released in November 2009. This was discovered[*] in December 2010, when 4.72 was current. 4.73 has since been released, which additionally fixes the privilege escalation problem used in the attacks to get from the Exim run-time user to the "root" account.

-Phil

[*] Where "discovered" means "revealed to be a problem to the Exim maintainers, after a report of a compromise", so the underground exploit community had known of this beforehand; probably by reading the changelog which for 4.70 explicitly noted that a buffer overflow issue had been fixed.

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
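The reply above boils down to two version thresholds: anything before 4.70 still has the buffer overflow, and anything before 4.73 still has the run-time-user-to-root privilege escalation. The script below is an added example, not part of the thread and not Exim project code; it parses the banner line that `exim -bV` prints (the format quoted from Pascal's post) and classifies the version against those two thresholds. The banner strings other than the one quoted in the thread are constructed for the demo, and the status words (`vulnerable-overflow`, `vulnerable-privesc`, `ok`, `unknown`) are this script's own naming. Distribution packages often backport fixes without bumping the upstream version, so on a vendor-packaged host this check is a prompt to read the vendor's advisory, not a verdict.

```shell
#!/bin/sh
# Added example: classify an `exim -bV` banner against the fix versions
# named in the mailing-list reply (4.70: overflow fix; 4.73: privesc fix).
# Not from the original thread or from the Exim project.

# Pull "4.68" out of "Exim version 4.68 #8 built 03-Sep-2009 09:01:10".
# Prints nothing if the line is not an Exim banner.
exim_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# Compare two dotted version strings component by component.
# Prints -1, 0 or 1. Missing components count as 0, so 4.7 < 4.70 here,
# which matches Exim's 4.7x numbering.
vercmp() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; a="${a#*.}"
        bc="${b%%.*}"; b="${b#*.}"
        : "${ac:=0}" "${bc:=0}"
        if [ "$ac" -lt "$bc" ]; then printf '%s\n' -1; return; fi
        if [ "$ac" -gt "$bc" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Map a banner line to one of the status words (names chosen for this example):
#   vulnerable-overflow  version < 4.70  (overflow unfixed)
#   vulnerable-privesc   4.70 <= version < 4.73 (overflow fixed, privesc not)
#   ok                   version >= 4.73
#   unknown              line did not parse as an Exim banner
exim_status() {
    v=$(exim_version_from_banner "$1")
    if [ -z "$v" ]; then
        printf '%s\n' unknown
    elif [ "$(vercmp "$v" 4.70)" -lt 0 ]; then
        printf '%s\n' vulnerable-overflow
    elif [ "$(vercmp "$v" 4.73)" -lt 0 ]; then
        printf '%s\n' vulnerable-privesc
    else
        printf '%s\n' ok
    fi
}

# Sample banners. SAMPLE_OLD is the line quoted in the thread; the other two
# are constructed for this example and do not describe real builds.
SAMPLE_OLD='Exim version 4.68 #8 built 03-Sep-2009 09:01:10'
SAMPLE_MID='Exim version 4.72 #1 built 01-Jun-2010 10:00:00'
SAMPLE_NEW='Exim version 4.73 #1 built 01-Jan-2011 10:00:00'

for banner in "$SAMPLE_OLD" "$SAMPLE_MID" "$SAMPLE_NEW"; do
    printf '%-50s -> %s\n' "$banner" "$(exim_status "$banner")"
done
```

On a real host, feed it the live banner instead of the samples: `exim_status "$(exim -bV 2>/dev/null | head -n 1)"`. The comparison deliberately walks components rather than comparing strings, because a plain string sort puts 4.7 after 4.70 and would misclassify the very releases the reply is about.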
