Re: [exim] [oss-security] Exim CVE-2019-16928 RCE using a heap-based buffer overflow
Hello there, After you've rev-iewed all these documents, we can -easily talk abou-t the following steps: https://gachthefree.ga/loci/eiantmev199333608 https://onedrive.live.com/download?cid=U4CQ9MH4G9SZ79GE=U4CQ9MH4G 9SZ79GE%27854=4okpM9ufCr8w-sV ** Exim 4.92.3 released (security release) ** CVE ID: CVE-2019-16928 Date: 2019-09-27 (CVE assigned) Version(s): from 4.92 up to and including 4.92.2 Reporter: QAX-A-TEAM Reference: bugs.exim.org/show_bug.cgi?id=2449 Issue: Heap-based buffer overflow in string_vformat, remote code execution seems to be possible Conditions to be vulnerable === All versions from (and including) 4.92 up to (and including) 4.92.2 are vulnerable. Details === There is a heap-based buffer overflow in string_vformat (string.c). The currently known exploit uses a extraordinary long EHLO string to crash the Exim process that is receiving the message. While at this mode of operation Exim already dropped its privileges, other paths to reach the vulnerable code may exist. Mitigation == There is - beside updating the server - no known mitigation. Fix === Download and build the fixed version 4.92.3 Tarballs: ftp.exim.org/pub/exim/exim4/ Git: github.com/Exim/exim.git (mirror) git://git.exim.org/exim.git - tag exim-4.92.3 - branch exim-4.92.3+fixes The tagged commit is the officially released version. The +fixes branch isn't officially maintained, but contains the security fix *and* useful fixes. The tarballs, the Git tag, and the Git commits are signed with my GPG key (same as I used to sign this mail.) If you can't install the above versions, ask your package maintainer for a version containing the backported fix. On request and depending on our resources we will support you in backporting the fix. (Please note, the Exim project officially doesn't support versions prior the current stable version.) Timeline = - 2019-09-27 Report as Bug 2499 - 2019-09-28 Announcement to exim-maintainers, oss-security - 2019-09-28 Release 4.92.3, Release-Announcements to exim-{announce,users,maintainers}, oss-security -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] The No Certificate Warning and the Right Way to Stop it
Andrew C Aitchison via Exim-users writes: > I think you control that with your answer to the >dpkg-reconfigure exim4-config > question "General type of mail configuration:" >Which are you using ? >mail sent by smarthost; received via SMTP or fetchmail As for listeneing: Package configuration Please enter a semicolon-separated list of IP addresses. The Exim SMTP listener daemon will listen on all IP addresses listed here. An empty value will cause Exim to listen for connections on all available network interfaces. If this system only receives mail directly from local services (and not from other hosts), it is suggested to prohibit external connections to the local Exim daemon. Such services include e-mail programs (MUAs) which talk to localhost only as well as fetchmail. External connections are impossible when 127.0.0.1 is entered here, as this will disable listening on public network interfaces. IP-addresses to listen on for incoming SMTP connections: 127.0.0.1 That has been the setup since 2015 when I began using the ISP's mailer. Martin -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] The No Certificate Warning and the Right Way to Stop it
On Mon, 16 May 2022, Martin McCormick via Exim-users wrote: Jeremy Harris via Exim-users writes: What is the output of "exim4 -bP tls_certificate tls_privatekey" ? This is a followup to that question. As I previously reported, neither of those variables are set even though I went through the motions of making those files. Since exim4 is not a mail server, If your exim is not running as a mail server, do you want it to listen on any of the SMTP ports at all ? If not, turning off listening is your solution, since the No Certificate Warning only appears if you listen for SMTP with TLS. itself, we may have some mechanized confusion at work. The cert message appears because the loopback instance of exim4 runs on localhost's address of 127.0.0.1 which is fine as it goes but here's what I notice. exim -bP tls_advertise_hosts tls_advertise_hosts = * This is always true no matter what I do to any of the settings so far. I went as far as going to /etc/exim4/conf.d/main and modifying the line in /etc/exim4/conf.d/main/03_exim4-config_tlsoptions from tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS to tls_advertise_hosts = followed by a dpkg-reconfigure exim4-config. No need to check much because the cert nag pops up meaning the new instance of exim4 is up and running. Trying split and non-split configuration has the same results with exim -bP tls_advertise_hosts tls_advertise_hosts = * which never changes. If this was a fully-internet connected host as far as mail goes, I would be much more worried about the lack of a certificate but I think that if one runs that type of host, there may be another module one must install via debian's apt-get and or aptitude installation methods. I think you control that with your answer to the dpkg-reconfigure exim4-config question "General type of mail configuration:" For those not on Debian or Ubuntu, the options are: internet site; mail is sent and received directly using ... mail sent by smarthost; received via SMTP or fetchmail mail sent by smarthost; no local mail local delivery only; not on a network no configuration at this time Which are you using ? -- Andrew C. Aitchison Kendal, UK and...@aitchison.me.uk -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] The No Certificate Warning and the Right Way to Stop it
Jeremy Harris via Exim-users writes: > What is the output of "exim4 -bP tls_certificate tls_privatekey" ? This is a followup to that question. As I previously reported, neither of those variables are set even though I went through the motions of making those files. Since exim4 is not a mail server, itself, we may have some mechanized confusion at work. The cert message appears because the loopback instance of exim4 runs on localhost's address of 127.0.0.1 which is fine as it goes but here's what I notice. exim -bP tls_advertise_hosts tls_advertise_hosts = * This is always true no matter what I do to any of the settings so far. I went as far as going to /etc/exim4/conf.d/main and modifying the line in /etc/exim4/conf.d/main/03_exim4-config_tlsoptions from tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS to tls_advertise_hosts = followed by a dpkg-reconfigure exim4-config. No need to check much because the cert nag pops up meaning the new instance of exim4 is up and running. Trying split and non-split configuration has the same results with exim -bP tls_advertise_hosts tls_advertise_hosts = * which never changes. If this was a fully-internet connected host as far as mail goes, I would be much more worried about the lack of a certificate but I think that if one runs that type of host, there may be another module one must install via debian's apt-get and or aptitude installation methods. Martin -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Exim 4.96-RC1 released
On 16/05/2022 07:50, David Restall via Exim-users wrote: The next Release Candidate for 4.96, RC1, is not available from Where is it available from then ? :-) Yeah, yeah. Spotted ten minutes too late... -- Cheers, Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Exim 4.96-RC1 released
On Mon, May 16, 2022 at 9:55 AM David Restall via Exim-users < exim-users@exim.org> wrote: > > > The next Release Candidate for 4.96, RC1, is not available from > > Where is it available from then ? :-) > s/not/now/g :-) -- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Exim 4.96-RC1 released
> The next Release Candidate for 4.96, RC1, is not available from Where is it available from then ? :-) D lists/exim/users/2022-05-16.tx exim-users ++ | Dave Restall, Computer Anorak, Geek, Cyclist, Radio Amateur G4FCU, Bodger | | Mob +44 (0) 7973 831245 Skype: dave.restall Radio: G4FCU | | email : d...@restall.net - Anti-SocialMediaist - Web : Not Ready Yet :-( | +- QOTD -+ | "MacDonald has the gift on compressing the largest amount of words into| | the smallest amount of thoughts." | | -- Winston Churchill | ++ -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/