CVSROOT:        /cvs
Module name:    ports
Changes by:     [email protected]   2017/11/25 06:04:53

Modified files:
        mail/exim      : Makefile 
Added files:
        mail/exim/patches: patch-src_receive_c 

Log message:
Add patch for Exim remote code execution in 4.88+.
https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html
https://bugs.exim.org/show_bug.cgi?id=2199

There is also another issue which is at least a DoS,
https://bugs.exim.org/show_bug.cgi?id=2201 that is *not* patched yet.
The workaround below would help both cases.

From upstream:

"With immediate effect, please apply this workaround: if you are running
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
section of your Exim configuration, set:

chunking_advertise_hosts =

That's an empty value, nothing on the right of the equals. This
disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoids letting an attacker apply the logic."

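The quoted workaround works by removing CHUNKING from the list of extensions Exim returns in its EHLO reply, so a client never learns it may send BDAT. One way to confirm the setting took effect from the outside is to EHLO the server and inspect the extensions it advertises. The script below is an added example for this page; it is not part of the OpenBSD commit, the Exim patch, or Exim itself. The two EHLO replies embedded in it are constructed (the hostnames and the 192.0.2.10 address are placeholders), and the `live_check` helper uses only the Python standard library's `smtplib`.

```python
"""Check whether an SMTP server advertises the ESMTP CHUNKING extension.

Added example, not part of the OpenBSD ports commit or of Exim. The
workaround quoted above (chunking_advertise_hosts = <empty>) stops Exim
from listing CHUNKING in its EHLO reply; this script confirms that from
the client side. The sample EHLO replies below are constructed, not
captured from a real host.
"""
import smtplib
from typing import Dict, List, Tuple

# Constructed EHLO reply from a server that still advertises CHUNKING.
EHLO_WITH_CHUNKING = (
    "250-mail.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

# Constructed EHLO reply after the workaround: CHUNKING is gone.
EHLO_WITHOUT_CHUNKING = (
    "250-mail.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_reply(reply: str) -> Dict[str, str]:
    """Parse a multi-line 250 EHLO reply into {EXTENSION: params}.

    RFC 5321: continuation lines are "250-<text>", the last line is
    "250 <text>". The first line carries the server's domain and a
    greeting, not an extension, so it is skipped. Keywords are
    case-insensitive and are normalised to upper case here.
    """
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply: %r" % reply[:40])
    features: Dict[str, str] = {}
    for raw in lines[1:]:
        if len(raw) < 4 or raw[:3] != "250" or raw[3] not in "- ":
            raise ValueError("malformed EHLO line: %r" % raw)
        text = raw[4:].strip()
        if not text:
            continue
        keyword, _, params = text.partition(" ")
        features[keyword.upper()] = params.strip()
    return features


def advertises_chunking(reply: str) -> bool:
    """True if the EHLO reply lists CHUNKING, i.e. BDAT would be accepted."""
    return "CHUNKING" in parse_ehlo_reply(reply)


def live_check(host: str, port: int = 25,
               timeout: float = 10.0) -> Tuple[bool, List[str]]:
    """EHLO a real server and report whether it advertises CHUNKING.

    smtplib fills esmtp_features (lower-case keys) when ehlo() succeeds.
    Returns (chunking_advertised, sorted list of advertised extensions).
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError("EHLO failed with code %d" % code)
        exts = sorted(k.upper() for k in smtp.esmtp_features)
        return smtp.has_extn("chunking"), exts


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python check_chunking.py mail.example.test
        chunking, exts = live_check(sys.argv[1])
        print("advertised:", ", ".join(exts))
        print("CHUNKING advertised:", chunking)
    else:
        print("before workaround:", advertises_chunking(EHLO_WITH_CHUNKING))
        print("after workaround: ", advertises_chunking(EHLO_WITHOUT_CHUNKING))
```

Run it with a hostname to test a real server; with no arguments it exercises the two constructed replies. A server that applied the workaround should no longer list CHUNKING, and a BDAT command sent anyway should be rejected as unrecognised.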