Folks,

During the RC process for Exim 4.75, we were notified of a possible issue in Exim, as part of a general "much software has this problem" alert, by CERT. The issue relates to STARTTLS and command injection, as described by Wietse Venema at:

http://article.gmane.org/gmane.mail.postfix.user/218905

As soon as we were made aware of the possible issue we investigated, and confirmed that Exim is *NOT* vulnerable.

Exim uses two different buffers for I/O for the two different security contexts, pre-TLS and within-TLS. The pre-TLS I/O buffer is never used after TLS is established, as the function pointers used to perform I/O are swapped out for the TLS variants. This applies for both OpenSSL and GnuTLS variants of TLS support within Exim.

In addition, even if Exim did not use separate buffers, the default configuration enforces protocol synchronisation which would also catch this.

We will probably add some diagnostics and belt-and-braces sanitisation to a future release, to report when someone might be trying such an attack.

-Phil
-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
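The mechanism Phil describes, as an added example that is not Exim's code and not part of the message above: a toy SMTP command loop in Python that models the STARTTLS plaintext-injection pattern and the two defences the message names. The attacker sends `STARTTLS` followed by a further command in the same TCP segment; a server that keeps one read buffer across the switch to TLS still holds those plaintext bytes and parses them after the handshake, so the injected command runs in the TLS context. Binding a fresh buffer to the TLS reader (the "separate buffers" mode) discards them, and a protocol-synchronisation check refuses `STARTTLS` outright when more plaintext is already pending. The segment contents, mode names, and the `554` reply text are constructed for this example; no real sockets or TLS are involved.

```python
# Added example (not Exim's code, not from Phil's message): a toy SMTP command loop
# that models the STARTTLS plaintext-injection issue and the two defences the
# message describes. Network input is a constructed list of "TCP segments".
from collections import deque

CRLF = b"\r\n"


class LineReader:
    """Reads CRLF-terminated lines from a byte source, keeping unconsumed bytes in `buf`."""

    def __init__(self, segments):
        self._segments = deque(segments)
        self.buf = b""

    def readline(self):
        while CRLF not in self.buf:
            if not self._segments:
                return None                      # peer closed the connection
            self.buf += self._segments.popleft()
        line, _, self.buf = self.buf.partition(CRLF)
        return line

    def pending(self):
        """Bytes received but not yet consumed as a command (the sync-check input)."""
        return self.buf

    def replace_source(self, segments):
        """Swap only the byte source and keep `buf`: models a server that swaps
        recv() for SSL_read() but keeps parsing its old plaintext buffer."""
        self._segments = deque(segments)


def smtp_session(plain_segments, tls_segments, mode):
    """Run a minimal SMTP command loop and return what the server acted on as
    (context, line) tuples, context being "plain" or "tls".

    mode:
      "shared_buffer"    one buffer survives the TLS switch (the vulnerable pattern)
      "separate_buffers" a fresh buffer is bound to the TLS reader (what the message
                         says Exim does); leftover plaintext bytes are never parsed
      "sync_check"       separate buffers, plus STARTTLS is refused if the client has
                         already sent more plaintext bytes (protocol synchronisation)
    The 554 text is constructed for this example, not quoted from Exim.
    """
    reader = LineReader(plain_segments)
    context = "plain"
    log = []
    while True:
        line = reader.readline()
        if line is None:
            break
        cmd = line.decode("ascii", "replace")
        verb = cmd.split(" ", 1)[0].upper()
        if verb == "STARTTLS" and context == "plain":
            if mode == "sync_check" and reader.pending():
                log.append((context, "554 SMTP synchronization error"))
                break                            # refuse and end the session
            log.append((context, cmd))
            context = "tls"                      # handshake assumed to succeed
            if mode == "shared_buffer":
                reader.replace_source(tls_segments)
            else:
                reader = LineReader(tls_segments)
            continue
        log.append((context, cmd))
        if verb == "QUIT":
            break
    return log


def injected_commands(log, tls_segments):
    """Commands acted on in the TLS context that were never sent inside TLS."""
    sent_in_tls = {l.decode() for seg in tls_segments for l in seg.split(CRLF) if l}
    return [cmd for ctx, cmd in log if ctx == "tls" and cmd not in sent_in_tls]


# Constructed traffic: the attacker's second segment carries STARTTLS *and* a
# further command in one TCP segment; LEGIT_TLS is what the client sends inside TLS.
ATTACK_PLAIN = [
    b"EHLO evil.example" + CRLF,
    b"STARTTLS" + CRLF + b"MAIL FROM:<attacker@evil.example>" + CRLF,
]
CLEAN_PLAIN = [b"EHLO client.example" + CRLF, b"STARTTLS" + CRLF]
LEGIT_TLS = [b"EHLO client.example" + CRLF + b"QUIT" + CRLF]


if __name__ == "__main__":
    for mode in ("shared_buffer", "separate_buffers", "sync_check"):
        log = smtp_session(ATTACK_PLAIN, LEGIT_TLS, mode)
        print(f"{mode:18s} injected={injected_commands(log, LEGIT_TLS)} log={log}")
```

Running it shows the `MAIL FROM` line executing in the `tls` context only in `shared_buffer` mode; the other two modes never act on it, and `sync_check` additionally refuses the `STARTTLS` when extra plaintext is already queued, while a well-behaved client that sends `STARTTLS` on its own still gets through.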
