Re: [exim] Exim 4.94.2 - security update released

2021-05-06 Thread Tim Jackson via Exim-users
The updated Exim packages from the EPEL project for RHEL 7 & 8 (and related
distributions, e.g. CentOS) as well as Fedora 34 are now in the process of
being pushed to the stable repositories and should be there in the next few
hours or so:

https://bodhi.fedoraproject.org/updates/?packages=exim

That said, anyone reading this ought to update as soon as possible, without 
waiting for them to reach the stable repositories.



Tim

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Exim 4.94.2 - security update released

2021-05-06 Thread Felix Schwarz via Exim-users



On 06.05.21 at 14:54, Konstantin Boyandin via Exim-users wrote:

> (yes, no problem building Exim package(s) for EPEL, once I understand
> the exact way to do that)

fedpkg clone --anonymous exim
cd exim
git checkout epel8
# tweak exim.spec
fedpkg mockbuild

Felix



Re: [exim] Exim 4.94.2 - security update released

2021-05-06 Thread Cyborg via Exim-users

On 06.05.21 at 14:54, Konstantin Boyandin via Exim-users wrote:

> On 04.05.2021 20:40, Heiko Schlittermann via Exim-users wrote:
>
>> We have prepared a security release, tagged as "exim-4.94.2".
>>
>> This release contains all changes on the exim-4.94+fixes branch plus
>> security fixes.
>
> I wonder whether current Exim maintainer at EPEL reads this list.
>
> The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It
> wasn't difficult to build Exim from sources and replace insecure EPEL
> version, but it's not exactly my understanding of fun.
>
> (yes, no problem building Exim package(s) for EPEL, once I understand
> the exact way to do that)

Go to Fedora koji and download your files manually. I have seen EL7
already on Tuesday, but they are kept in the testfarm until they reach a
good karma.


Best regards,
Marius





Re: [exim] Exim 4.94.2 - security update released

2021-05-06 Thread Konstantin Boyandin via Exim-users
On 06.05.2021 21:36, Tim Jackson via Exim-users wrote:
> On 06/05/2021 14:54, Konstantin Boyandin via Exim-users wrote:
> 
>> The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It
>> wasn't difficult to build Exim from sources and replace insecure EPEL
>> version, but it's not exactly my understanding of fun.
> ...
> 
> It is currently in the testing repository, meaning an update can be done 
> with "yum --enablerepo=epel-testing" .
> 
> I've nudged the EPEL maintainer to suggest that it should be pushed 
> immediately to stable, given the severity.

Thanks a lot for nudging - meanwhile I'll run the tests on sandbox 
installations, to raise the corresponding karma (if tests pass).

-- 
Sincerely,

Konstantin Boyandin




Re: [exim] Exim 4.94.2 - security update released

2021-05-06 Thread Tim Jackson via Exim-users

On 06/05/2021 14:54, Konstantin Boyandin via Exim-users wrote:

> The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It
> wasn't difficult to build Exim from sources and replace insecure EPEL
> version, but it's not exactly my understanding of fun.

An update was available for EPEL 7 & 8 (as well as Fedora) on Tuesday:

EL8: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-beed69126f
EL7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-dad1996f63

It is currently in the testing repository, meaning an update can be done with
"yum --enablerepo=epel-testing".


I've nudged the EPEL maintainer to suggest that it should be pushed 
immediately to stable, given the severity.


Tim



Re: [exim] Exim 4.94.2 - security update released

2021-05-06 Thread Wolfgang Breyha via Exim-users
On 06/05/2021 14:54, Konstantin Boyandin via Exim-users wrote:
> I wonder whether current Exim maintainer at EPEL reads this list.

It is already in epel-testing.

Greetings, Wolfgang
--
Wolfgang Breyha  | https://www.blafasel.at/
Vienna University Computer Center | Austria



Re: [exim] Exim 4.94.2 - security update released

2021-05-06 Thread Felix Schwarz via Exim-users




On 06.05.21 at 14:54, Konstantin Boyandin via Exim-users wrote:

> The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It
> wasn't difficult to build Exim from sources and replace insecure EPEL
> version, but it's not exactly my understanding of fun.


Exim updates are in epel-testing:

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-dad1996f63
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-beed69126f

The pages above contain information on how to apply the update to your system. 
If you leave positive feedback ("karma") the update will reach all users 
faster (stable channel).


Felix





Re: [exim] Exim 4.94.2 - security update released

2021-05-06 Thread Felix Schwarz via Exim-users



On 06.05.21 at 15:35, Heiko Schlittermann via Exim-users wrote:

> (I got reports that Fedora's packages were stuck on some test server.
> (?))


Updates are not "stuck" but in a testing repo. This is meant to check that we 
only push actually working software to users. I'm not sure why the Fedora/EPEL 
maintainer chose to use testing also for that security release.


As it is right now the updates will go to stable once there is enough positive 
feedback by users:

https://bodhi.fedoraproject.org/updates/?packages=exim

Fedora 33 already has this in stable as we had enough positive feedback.

Felix



Re: [exim] Exim 4.94.2 - security update released

2021-05-06 Thread Heiko Schlittermann via Exim-users
Hi Konstantin,

Konstantin Boyandin via Exim-users (Thu 06 May 2021 14:54:37 CEST):
> On 04.05.2021 20:40, Heiko Schlittermann via Exim-users wrote:
> > We have prepared a security release, tagged as "exim-4.94.2".
> > 
> > This release contains all changes on the exim-4.94+fixes branch plus
> > security fixes.
> 
> I wonder whether current Exim maintainer at EPEL reads this list.

The initial heads-up notification was sent to oss-security@openwall,
distros@vs.openwall and exim-maintainers. It contained a schedule.

The announcement of the limited access to the security repo was sent to
distros@… on Apr 27th, the announcement of the public release was sent
to oss-security@…, and exim-users, and, with some delay to
exim-announce.

I'm not exactly sure how to notify the individual distros in a more reliable
way.

(I got reports that Fedora's packages were stuck on some test server.
(?))

Best regards from Dresden/Germany
Best regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Exim 4.94.2 - security update released

2021-05-06 Thread Konstantin Boyandin via Exim-users
On 04.05.2021 20:40, Heiko Schlittermann via Exim-users wrote:
> We have prepared a security release, tagged as "exim-4.94.2".
> 
> This release contains all changes on the exim-4.94+fixes branch plus
> security fixes.

I wonder whether current Exim maintainer at EPEL reads this list.

The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It 
wasn't difficult to build Exim from sources and replace insecure EPEL 
version, but it's not exactly my understanding of fun.

(yes, no problem building Exim package(s) for EPEL, once I understand
the exact way to do that)

-- 
Sincerely,

Konstantin Boyandin




Re: [exim] Exim 4.94.2 - security update released

2021-05-05 Thread Heiko Schlittermann via Exim-users
Cyborg via Exim-users (Wed 05 May 2021 16:56:44 CEST):
> On 04.05.21 at 15:40, Heiko Schlittermann via Exim-users wrote:
> > The details about the vulnerabilities *will* be published in the near
> > future (on http://exim.org/static/doc/security/), but not today. This
> > should give you the chance to update your systems.
> Time has run up:
> https://www.qualys.com/2021/05/04/21nails/21nails.txt

It is linked on https://exim.org already since about yesterday.

Best regards from Dresden/Germany
Best regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Exim 4.94.2 - security update released

2021-05-05 Thread Cyborg via Exim-users

On 04.05.21 at 15:40, Heiko Schlittermann via Exim-users wrote:

> The details about the vulnerabilities *will* be published in the near
> future (on http://exim.org/static/doc/security/), but not today. This
> should give you the chance to update your systems.

Time has run up:

https://www.qualys.com/2021/05/04/21nails/21nails.txt

best regards,
Marius



Re: [exim] Exim 4.94.2 - security update released (DANE fix)

2021-05-04 Thread Viktor Dukhovni via Exim-users


The DANE fix:

-   ob->tls_sni = sx->first_addr->domain;   /* force SNI */
+   ob->tls_sni = sx->conn_args.host->name; /* force SNI */
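Review bot: the replacement line forces SNI to the MX host name (conn_args.host->name) instead of the recipient domain, but the hunk does nothing for the case the discussion below raises, an MX host that is itself a CNAME, where the TLSA base domain (the securely expanded CNAME target, falling back to the original name, as RFC 7672 describes) need not equal that host name. A comment at this line stating which name the TLSA lookup used, and a check that tls_sni is derived from that same name rather than from the unexpanded MX name, would make the fix reviewable against the DANE requirement.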

replaces the recipient domain with the MX hostname.

When the MX host is a CNAME, is that necessarily the same as
the TLSA base domain?

How does Exim handle MX hosts that are CNAMEs?  Are fully
expanded (secure at every step, with fallback to the original
name) CNAMEs used for TLSA lookups (per RFC7672?)?

-- 
Viktor.




Re: [exim] Exim 4.94.2 - security update released

2021-05-04 Thread Heiko Schlittermann via Exim-users
Kai Bojens via Exim-users (Tue 04 May 2021 17:28:41 CEST):
> On 04.05.21 at 15:40, Heiko Schlittermann via Exim-users wrote:
>
> „These vulnerabilities were reported by Qualys via secur...@exim.org back in
> October 2020.”
> 
> Please don't take this the wrong way - but I have to ask: is the Exim
> project in a viable state? Seven months for bugs like this is a very long
> time.

Yes.

And you're invited to contribute and join the project.

Best regards from Dresden/Germany
Best regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Exim 4.94.2 - security update released

2021-05-04 Thread Kai Bojens via Exim-users

On 04.05.21 at 15:40, Heiko Schlittermann via Exim-users wrote:

> Local vulnerabilities
> - CVE-2020-28007: Link attack in Exim's log directory
> - CVE-2020-28008: Assorted attacks in Exim's spool directory
> - CVE-2020-28014: Arbitrary PID file creation
> - CVE-2020-28011: Heap buffer overflow in queue_run()
> - CVE-2020-28010: Heap out-of-bounds write in main()
> - CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
> - CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
> - CVE-2020-28015: New-line injection into spool header file (local)
> - CVE-2020-28012: Missing close-on-exec flag for privileged pipe
> - CVE-2020-28009: Integer overflow in get_stdinput()
> Remote vulnerabilities
> - CVE-2020-28017: Integer overflow in receive_add_recipient()
> - CVE-2020-28020: Integer overflow in receive_msg()
> - CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
> - CVE-2020-28021: New-line injection into spool header file (remote)
> - CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
> - CVE-2020-28026: Line truncation and injection in spool_read_header()
> - CVE-2020-28019: Failure to reset function pointer after BDAT error
> - CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
> - CVE-2020-28018: Use-after-free in tls-openssl.c
> - CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
>
> „These vulnerabilities were reported by Qualys via secur...@exim.org
> back in October 2020.”

Please don't take this the wrong way - but I have to ask: is the Exim
project in a viable state? Seven months for bugs like this is a very
long time.




Re: [exim] Exim 4.94.2 - security update released

2021-05-04 Thread Odhiambo Washington via Exim-users
On Tue, May 4, 2021 at 4:52 PM Heiko Schlittermann via Exim-users
<exim-users@exim.org> wrote:

> Dear Exim-Users
>
> Abstract
> 
>
> Several exploitable vulnerabilities in Exim were reported to us and are
> fixed.
>
> We have prepared a security release, tagged as "exim-4.94.2".
>
> This release contains all changes on the exim-4.94+fixes branch plus
> security fixes.
>
> You should update your Exim instances as soon as possible. (See below
> for short upgrade notes.)
>

I have installed this version and I am getting a strange error which was
not appearing with v4.94:


2021-05-04 16:45:39 1ldwIb-000LOY-LA H=maily102.outbound.eversrv.com
[154.0.15.102] I=[46.165.223.102]:25
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<
bounce_5k3w1xx3vfd9mww6_dly8zilxgzejudot_b3ccc2b800ca38d4...@fnbmailer-mail.com>
temporarily rejected after DATA: failed to expand ACL string "${lookup
sqlite,file=/var/spool/exim/db/greylist.db {SELECT host from resenders
WHERE helo='${quote_sqlite:$sender_helo_name}' AND
host='$sender_host_address';} {1}}": absolute file name expected for
"sqlite" lookup


GREYDB=/var/spool/exim/db/greylist.db

greylist_mail:
  accept condition = ${if eq{$acl_m_greylistreasons}{} {1}}
  accept hosts = :
  accept authenticated = *
  accept hosts = +IPwhitelist
  accept sender_domains = facebook.com : twitter.com : facebookmail.com : linkedin.com
  accept hosts = +backup_mx_hosts
  accept condition = ${lookup sqlite,file=GREYDB {SELECT host from resenders \
                       WHERE helo='${quote_sqlite:$sender_helo_name}' \
                       AND host='$sender_host_address';} {1}}
  warn   set acl_m_greyident = ${hash{20}{62}{$sender_address$recipients$h_message-id:}}
  warn   set acl_m_greyexpiry = ${lookup sqlite,file=GREYDB {SELECT expire FROM greylist \
                                  WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
  warn   condition = ${if eq {$acl_m_greyexpiry}{} {1}}
         set acl_m_dontcare = ${lookup sqlite,file=GREYDB {INSERT INTO greylist \
                                VALUES ( '$acl_m_greyident', \
                                         '${eval10:$tod_epoch+300}', \
                                         '$sender_host_address', \
                                         '${quote_sqlite:$sender_helo_name}' );}}
  defer  condition = ${if eq {$acl_m_greyexpiry}{} {1}}
         condition = ${lookup sqlite,file=GREYDB {SELECT expire FROM greylist \
                       WHERE id='${quote_sqlite:$acl_m_greyident}';} {1}}
         message = Mail is suspicious. Please retry later.
         log_message = Greylisted <$h_message-id:> from <$sender_address> \
                       for offences: ${sg {$acl_m_greylistreasons}{\n}{,}}
  warn   condition = ${if eq {$acl_m_greyexpiry}{} {1}}
         log_message = Greylist insertion failed. Bypassing greylist.
  accept condition = ${if eq {$acl_m_greyexpiry}{} {1}}
  defer  condition = ${if > {$acl_m_greyexpiry}{$tod_epoch}}
         message = Mail is suspicious. Please retry later.
  warn   set acl_m_orighost = ${lookup sqlite,file=GREYDB {SELECT host FROM greylist \
                                WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
         set acl_m_orighelo = ${lookup sqlite,file=GREYDB {SELECT helo FROM greylist \
                                WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
         set acl_m_dontcare = ${lookup sqlite,file=GREYDB {INSERT INTO resenders \
                                VALUES ( '$acl_m_orighost', \
                                         '${quote_sqlite:$acl_m_orighelo}', \
                                         '$tod_epoch' ); }}
         logwrite = Added host $acl_m_orighost with HELO '$acl_m_orighelo' to known resenders
  accept



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)


[exim] Exim 4.94.2 - security update released

2021-05-04 Thread Heiko Schlittermann via Exim-users
Dear Exim-Users

Abstract
--------

Several exploitable vulnerabilities in Exim were reported to us and are
fixed.

We have prepared a security release, tagged as "exim-4.94.2".

This release contains all changes on the exim-4.94+fixes branch plus
security fixes.

You should update your Exim instances as soon as possible. (See below
for short upgrade notes.)


Distro users
------------

Several distros will provide updated packages: Just do the update.
If the update contains a version change from <4.94 to 4.94.2, you may
want to read the upgrade notes below.

Self-built Exim
---

Fetch the exim-4.94.2 from the known repositories, build and install
the fixed version. If you need to upgrade from versions <4.94 to 4.94.2,
you may want to read the upgrade notes below.


Schedule
--------

2021-05-04 13:30 UTC:   Publish the release on the public repos/website/etc

Repositories
------------

The sources are available:

tarballs: https://ftp.exim.org/pub/exim/exim4/
  (the mirrors will follow with some delay)
source:   https://git.exim.org/exim.git
  tag: exim-4.94.2
  branch: exim-4.94.2+fixes

The +fixes branch contains fixes for an issue that we experienced
occasionally with outgoing SMTP (using DANE, TLS SNI and an unusual
certificate setup on the remote server; see
https://lists.exim.org/lurker/message/20210503.163324.f7021753.en.html).

In case you're running exim-4.92.3 currently and you do not see any
option in updating this to 4.94.2, you *can* try using the branch
exim-4.92.3+fixes. This branch contains the minimal set of backported
security patches, but isn't officially supported by the Exim project
and didn't get the same testing as the official release.

Details
---

The current Exim versions (and likely older versions too) suffer from
several exploitable vulnerabilities. These vulnerabilities were reported
by Qualys via secur...@exim.org back in October 2020.

Due to several internal reasons it took more time than usual for the Exim
development team to work on these reported issues in a timely manner.

We explicitly thank Qualys for reporting *and* for providing patches for
most of the reported vulnerabilities.

The details about the vulnerabilities *will* be published in the near
future (on http://exim.org/static/doc/security/), but not today. This
should give you the chance to update your systems.

Another source of information *will* be on the reporter's site:
https://www.qualys.com/2021/05/04/21nails/21nails.txt

For further reference a list of related CVEs:

Local vulnerabilities
- CVE-2020-28007: Link attack in Exim's log directory
- CVE-2020-28008: Assorted attacks in Exim's spool directory
- CVE-2020-28014: Arbitrary PID file creation
- CVE-2020-28011: Heap buffer overflow in queue_run()
- CVE-2020-28010: Heap out-of-bounds write in main()
- CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
- CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
- CVE-2020-28015: New-line injection into spool header file (local)
- CVE-2020-28012: Missing close-on-exec flag for privileged pipe
- CVE-2020-28009: Integer overflow in get_stdinput()
Remote vulnerabilities
- CVE-2020-28017: Integer overflow in receive_add_recipient()
- CVE-2020-28020: Integer overflow in receive_msg()
- CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
- CVE-2020-28021: New-line injection into spool header file (remote)
- CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
- CVE-2020-28026: Line truncation and injection in spool_read_header()
- CVE-2020-28019: Failure to reset function pointer after BDAT error
- CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
- CVE-2020-28018: Use-after-free in tls-openssl.c
- CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()


Upgrade notes
-

In case you need to upgrade from a version <4.94, you may encounter
issues with *tainted data*. This is a security measure which we
introduced with 4.94.

Your configuration needs to be reworked.

Alternatively you can use the exim-4.94.2+taintwarn branch. This branch
tracks exim-4.94.2+fixes and adds a new main config option (the option
is deprecated already today and will be ignored in a future release of
Exim): "allow_insecure_tainted_data". This option allows you to turn the
taint errors into warnings. (Debian is set to include this "taintwarn"
patch in its Exim 4.94.2 release).

Thank you for using Exim.
Thanks to Qualys for reporting the issues.

Best regards from Dresden/Germany
Best regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -


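An added triage helper, not part of the announcement or of Exim, for checking a fleet of hosts against the release above: it parses the first line of `exim -bV` output and reports whether the binary is at or past 4.94.2. The exim-4.92.3+fixes branch mentioned in the announcement keeps its 4.92.3 version string, so such a build is flagged for manual review rather than declared fixed or vulnerable; the sample outputs and the `-bV` line format assumed here are constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Release named in the announcement as carrying all security fixes.
FIXED_VERSION: Version = (4, 94, 2)
# The announcement also names an unsupported exim-4.92.3+fixes branch with the
# patches backported; a build from it still reports 4.92.3, so a version string
# alone cannot prove it is patched and it is flagged for manual review.
BACKPORT_BASE: Version = (4, 92, 3)

# Assumed first line of `exim -bV`: "Exim version 4.94 #2 built 25-Mar-2021 13:36:52".
# The patch level ("4.94" vs "4.94.2") and the "#N" build number may each be absent.
VERSION_RE = re.compile(
    r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?(?:\s+#(\d+))?", re.MULTILINE
)


def parse_exim_version(bv_output: str) -> Optional[Tuple[Version, int]]:
    """Return ((major, minor, patch), build_number) from `exim -bV` text, or None."""
    m = VERSION_RE.search(bv_output)
    if m is None:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch or 0)), int(build or 0)


def assess(bv_output: str) -> str:
    """Classify a binary as 'fixed', 'vulnerable', 'review' or 'unknown'."""
    parsed = parse_exim_version(bv_output)
    if parsed is None:
        return "unknown"
    version, _build = parsed
    if version >= FIXED_VERSION:
        return "fixed"
    if version == BACKPORT_BASE:
        # Could be a plain 4.92.3 or the +fixes backport: needs a human look.
        return "review"
    return "vulnerable"


# Constructed sample outputs (not real captures) covering the three cases.
SAMPLE_EPEL = "Exim version 4.94 #2 built 25-Mar-2021 13:36:52\nCopyright (c) ...\n"
SAMPLE_FIXED = "Exim version 4.94.2 #1 built 04-May-2021 15:02:10\n"
SAMPLE_BACKPORT = "Exim version 4.92.3 #3 built 30-Apr-2021 09:11:45\n"


if __name__ == "__main__":
    import subprocess

    try:
        out = subprocess.run(
            ["exim", "-bV"], capture_output=True, text=True, check=False
        ).stdout
    except FileNotFoundError:
        out = SAMPLE_EPEL  # no exim on this host: demonstrate on the constructed sample
    print(assess(out), parse_exim_version(out))
```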