Re: [exim] Exim 4.94.2 - security update released
The updated Exim packages from the EPEL project for RHEL 7 & 8 (and related distributions, e.g. CentOS) as well as Fedora 34 are now in the process of being pushed to the stable repositories and should be there in the next few hours or so:

https://bodhi.fedoraproject.org/updates/?packages=exim

That said, anyone reading this ought to update as soon as possible, without waiting for them to reach the stable repositories.

Tim

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Exim 4.94.2 - security update released
On 06.05.21 at 14:54, Konstantin Boyandin via Exim-users wrote:
> (yes, no problem building Exim package(s) for EPEL, once I understand the exact way to do that)

    fedpkg clone --anonymous exim
    cd exim
    git checkout epel8
    # tweak exim.spec
    fedpkg mockbuild

Felix
Re: [exim] Exim 4.94.2 - security update released
On 06.05.21 at 14:54, Konstantin Boyandin via Exim-users wrote:
> On 04.05.2021 20:40, Heiko Schlittermann via Exim-users wrote:
>> We have prepared a security release, tagged as "exim-4.94.2".
>>
>> This release contains all changes on the exim-4.94+fixes branch plus
>> security fixes.
>
> I wonder whether current Exim maintainer at EPEL reads this list.
>
> The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It
> wasn't difficult to build Exim from sources and replace insecure EPEL
> version, but it's not exactly my understanding of fun.
>
> (yes, no problem building Exim package(s) for EPEL, once I understand the
> exact way to do that)

Go to Fedora koji and download your files manually. I have seen EL7 already on Tuesday, but they are kept in the testfarm until they reach a good karma.

Best regards,
Marius
Re: [exim] Exim 4.94.2 - security update released
On 06.05.2021 21:36, Tim Jackson via Exim-users wrote:
> On 06/05/2021 14:54, Konstantin Boyandin via Exim-users wrote:
>
>> The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It
>> wasn't difficult to build Exim from sources and replace insecure EPEL
>> version, but it's not exactly my understanding of fun.
> ...
>
> It is currently in the testing repository, meaning an update can be done
> with "yum --enablerepo=epel-testing".
>
> I've nudged the EPEL maintainer to suggest that it should be pushed
> immediately to stable, given the severity.

Thanks a lot for nudging - meanwhile I'll run the tests on sandbox installations, to raise the corresponding karma (if tests pass).

--
Sincerely,
Konstantin Boyandin
Re: [exim] Exim 4.94.2 - security update released
On 06/05/2021 14:54, Konstantin Boyandin via Exim-users wrote:
> The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It
> wasn't difficult to build Exim from sources and replace insecure EPEL
> version, but it's not exactly my understanding of fun.

An update was available for EPEL 7 & 8 (as well as Fedora) on Tuesday:

EL8: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-beed69126f
EL7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-dad1996f63

It is currently in the testing repository, meaning an update can be done with "yum --enablerepo=epel-testing".

I've nudged the EPEL maintainer to suggest that it should be pushed immediately to stable, given the severity.

Tim
Re: [exim] Exim 4.94.2 - security update released
On 06/05/2021 14:54, Konstantin Boyandin via Exim-users wrote:
> I wonder whether current Exim maintainer at EPEL reads this list.

It is already in epel-testing.

Greetings, Wolfgang

--
Wolfgang Breyha | https://www.blafasel.at/
Vienna University Computer Center | Austria
Re: [exim] Exim 4.94.2 - security update released
On 06.05.21 at 14:54, Konstantin Boyandin via Exim-users wrote:
> The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It
> wasn't difficult to build Exim from sources and replace insecure EPEL
> version, but it's not exactly my understanding of fun.

Exim updates are in epel-testing:

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-dad1996f63
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-beed69126f

The pages above contain information on how to apply the update to your system. If you leave positive feedback ("karma"), the update will reach all users faster (stable channel).

Felix
Re: [exim] Exim 4.94.2 - security update released
On 06.05.21 at 15:35, Heiko Schlittermann via Exim-users wrote:
> (I got reports that Fedora's packages were stuck on some test server. (?))

Updates are not "stuck" but in a testing repo. This is meant to check that we only push actually working software to users. I'm not sure why the Fedora/EPEL maintainer chose to use testing also for that security release. As it is right now, the updates will go to stable once there is enough positive feedback by users:

https://bodhi.fedoraproject.org/updates/?packages=exim

Fedora 33 already has this in stable as we had enough positive feedback.

Felix
Re: [exim] Exim 4.94.2 - security update released
Hi Konstantin,

Konstantin Boyandin via Exim-users (Thu 06 May 2021 14:54:37 CEST):
> On 04.05.2021 20:40, Heiko Schlittermann via Exim-users wrote:
>> We have prepared a security release, tagged as "exim-4.94.2".
>>
>> This release contains all changes on the exim-4.94+fixes branch plus
>> security fixes.
>
> I wonder whether current Exim maintainer at EPEL reads this list.

The initial heads-up notification was sent to oss-security@openwall, distros@vs.openwall and exim-maintainers. It contained a schedule.

The announcement of the limited access to the security repo was sent to distros@… on Apr 27th; the announcement of the public release was sent to oss-security@…, and exim-users, and, with some delay, to exim-announce.

I'm not exactly sure how to notify the individual distros in a more reliable way.

(I got reports that Fedora's packages were stuck on some test server. (?))

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann

--
SCHLITTERMANN.de internet & unix support
Heiko Schlittermann, Dipl.-Ing. (TU)
{fon,fax}: +49.351.802998{1,3}
gnupg encrypted messages are welcome --- key ID: F69376CE
Re: [exim] Exim 4.94.2 - security update released
On 04.05.2021 20:40, Heiko Schlittermann via Exim-users wrote:
> We have prepared a security release, tagged as "exim-4.94.2".
>
> This release contains all changes on the exim-4.94+fixes branch plus
> security fixes.

I wonder whether the current Exim maintainer at EPEL reads this list.

The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It wasn't difficult to build Exim from sources and replace the insecure EPEL version, but it's not exactly my understanding of fun.

(yes, no problem building Exim package(s) for EPEL, once I understand the exact way to do that)

--
Sincerely,
Konstantin Boyandin
Re: [exim] Exim 4.94.2 - security update released
Cyborg via Exim-users (Wed 05 May 2021 16:56:44 CEST):
> On 04.05.21 at 15:40, Heiko Schlittermann via Exim-users wrote:
>> The details about the vulnerabilities *will* be published in the near
>> future (on http://exim.org/static/doc/security/), but not today. This
>> should give you the chance to update your systems.
> Time has run up:
> https://www.qualys.com/2021/05/04/21nails/21nails.txt

It is linked on https://exim.org already since about yesterday.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann

--
SCHLITTERMANN.de internet & unix support
Heiko Schlittermann, Dipl.-Ing. (TU)
{fon,fax}: +49.351.802998{1,3}
gnupg encrypted messages are welcome --- key ID: F69376CE
Re: [exim] Exim 4.94.2 - security update released
On 04.05.21 at 15:40, Heiko Schlittermann via Exim-users wrote:
> The details about the vulnerabilities *will* be published in the near
> future (on http://exim.org/static/doc/security/), but not today. This
> should give you the chance to update your systems.

Time has run up:
https://www.qualys.com/2021/05/04/21nails/21nails.txt

best regards,
Marius
Re: [exim] Exim 4.94.2 - security update released (DANE fix)
The DANE fix:

- ob->tls_sni = sx->first_addr->domain; /* force SNI */
+ ob->tls_sni = sx->conn_args.host->name; /* force SNI */

replaces the recipient domain with the MX hostname. When the MX host is a CNAME, is that necessarily the same as the TLSA base domain? How does Exim handle MX hosts that are CNAMEs? Are fully expanded (secure at every step, with fallback to the original name) CNAMEs used for TLSA lookups (per RFC7672)?

--
Viktor.
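Review bot: the replacement line sets tls_sni to sx->conn_args.host->name, the MX host name, but the question raised right after the hunk is left unanswered by the change itself: when that MX host is a CNAME, the TLSA base domain (the secure CNAME-expanded name, with fallback to the original name, per RFC 7672 as the post notes) can differ from the name now forced into SNI. The change should either set tls_sni to the same name the TLSA lookup was performed against, or carry a comment next to `ob->tls_sni = sx->conn_args.host->name;` stating why the MX host name is always the correct SNI value under DANE.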
Re: [exim] Exim 4.94.2 - security update released
Kai Bojens via Exim-users (Tue 04 May 2021 17:28:41 CEST):
> On 04.05.21 at 15:40, Heiko Schlittermann via Exim-users wrote:
> „These vulnerabilities were reported by Qualys via secur...@exim.org back in
> October 2020.”
>
> Please don't take this the wrong way - but I have to ask: is the Exim
> project in a viable state? Seven months for bugs like this are a very long
> time.

Yes. And you're invited to contribute and join the project.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann

--
SCHLITTERMANN.de internet & unix support
Heiko Schlittermann, Dipl.-Ing. (TU)
{fon,fax}: +49.351.802998{1,3}
gnupg encrypted messages are welcome --- key ID: F69376CE
Re: [exim] Exim 4.94.2 - security update released
On 04.05.21 at 15:40, Heiko Schlittermann via Exim-users wrote:
> Local vulnerabilities
>
> - CVE-2020-28007: Link attack in Exim's log directory
> - CVE-2020-28008: Assorted attacks in Exim's spool directory
> - CVE-2020-28014: Arbitrary PID file creation
> - CVE-2020-28011: Heap buffer overflow in queue_run()
> - CVE-2020-28010: Heap out-of-bounds write in main()
> - CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
> - CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
> - CVE-2020-28015: New-line injection into spool header file (local)
> - CVE-2020-28012: Missing close-on-exec flag for privileged pipe
> - CVE-2020-28009: Integer overflow in get_stdinput()
>
> Remote vulnerabilities
>
> - CVE-2020-28017: Integer overflow in receive_add_recipient()
> - CVE-2020-28020: Integer overflow in receive_msg()
> - CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
> - CVE-2020-28021: New-line injection into spool header file (remote)
> - CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
> - CVE-2020-28026: Line truncation and injection in spool_read_header()
> - CVE-2020-28019: Failure to reset function pointer after BDAT error
> - CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
> - CVE-2020-28018: Use-after-free in tls-openssl.c
> - CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

„These vulnerabilities were reported by Qualys via secur...@exim.org back in October 2020.”

Please don't take this the wrong way - but I have to ask: is the Exim project in a viable state? Seven months for bugs like this are a very long time.
Re: [exim] Exim 4.94.2 - security update released
On Tue, May 4, 2021 at 4:52 PM Heiko Schlittermann via Exim-users <exim-users@exim.org> wrote:
> Dear Exim-Users
>
> Abstract
>
> Several exploitable vulnerabilities in Exim were reported to us and are
> fixed.
>
> We have prepared a security release, tagged as "exim-4.94.2".
>
> This release contains all changes on the exim-4.94+fixes branch plus
> security fixes.
>
> You should update your Exim instances as soon as possible. (See below
> for short upgrade notes.)

I have installed this version and I am getting a strange error which was not appearing with v4.94:

2021-05-04 16:45:39 1ldwIb-000LOY-LA H=maily102.outbound.eversrv.com [154.0.15.102] I=[46.165.223.102]:25 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<bounce_5k3w1xx3vfd9mww6_dly8zilxgzejudot_b3ccc2b800ca38d4...@fnbmailer-mail.com> temporarily rejected after DATA: failed to expand ACL string "${lookup sqlite,file=/var/spool/exim/db/greylist.db {SELECT host from resenders WHERE helo='${quote_sqlite:$sender_helo_name}' AND host='$sender_host_address';} {1}}": absolute file name expected for "sqlite" lookup

    GREYDB=/var/spool/exim/db/greylist.db

    greylist_mail:
      accept condition = ${if eq{$acl_m_greylistreasons}{} {1}}
      accept hosts = :
      accept authenticated = *
      accept hosts = +IPwhitelist
      accept sender_domains = facebook.com : twitter.com : facebookmail.com : linkedin.com
      accept hosts = +backup_mx_hosts
      accept condition = ${lookup sqlite,file=GREYDB {SELECT host from resenders \
                           WHERE helo='${quote_sqlite:$sender_helo_name}' \
                           AND host='$sender_host_address';} {1}}
      warn set acl_m_greyident = ${hash{20}{62}{$sender_address$recipients$h_message-id:}}
      warn set acl_m_greyexpiry = ${lookup sqlite,file=GREYDB {SELECT expire FROM greylist \
                           WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
      warn condition = ${if eq {$acl_m_greyexpiry}{} {1}}
           set acl_m_dontcare = ${lookup sqlite,file=GREYDB {INSERT INTO greylist \
                           VALUES ( '$acl_m_greyident', \
                                    '${eval10:$tod_epoch+300}', \
                                    '$sender_host_address', \
                                    '${quote_sqlite:$sender_helo_name}' );}}
      defer condition = ${if eq {$acl_m_greyexpiry}{} {1}}
            condition = ${lookup sqlite,file=GREYDB {SELECT expire FROM greylist \
                           WHERE id='${quote_sqlite:$acl_m_greyident}';} {1}}
            message = Mail is suspicious. Please retry later.
            log_message = Greylisted <$h_message-id:> from <$sender_address> for offences: ${sg {$acl_m_greylistreasons}{\n}{,}}
      warn condition = ${if eq {$acl_m_greyexpiry}{} {1}}
           log_message = Greylist insertion failed. Bypassing greylist.
      accept condition = ${if eq {$acl_m_greyexpiry}{} {1}}
      defer condition = ${if > {$acl_m_greyexpiry}{$tod_epoch}}
            message = Mail is suspicious. Please retry later.
      warn set acl_m_orighost = ${lookup sqlite,file=GREYDB {SELECT host FROM greylist \
                           WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
           set acl_m_orighelo = ${lookup sqlite,file=GREYDB {SELECT helo FROM greylist \
                           WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
           set acl_m_dontcare = ${lookup sqlite,file=GREYDB {INSERT INTO resenders \
                           VALUES ( '$acl_m_orighost', \
                                    '${quote_sqlite:$acl_m_orighelo}', \
                                    '$tod_epoch' ); }}
           logwrite = Added host $acl_m_orighost with HELO '$acl_m_orighelo' to known resenders
      accept

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
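After an upgrade like the one above, the question an operator wants answered is "how many messages did the new build reject because an ACL string no longer expands, and from which hosts?". The following is an added example, not code from the thread or from the Exim project: a small parser for Exim main-log lines of the shape quoted in the post (date, time, message id, `KEY=value` items such as `H=`, `I=`, `X=`, `CV=`, `F=`, then the verdict text) that flags lines carrying "failed to expand ACL string". The log lines embedded below are constructed with documentation addresses; only their layout follows the real line.

```python
"""Parse Exim main-log lines and flag ACL-expansion failures (added example)."""
import re
from dataclasses import dataclass, field

# Exim main log: "<YYYY-MM-DD> <HH:MM:SS> <message id> <rest of line>"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S{6}-\S{6}-\S{2}) (?P<rest>.*)$"
)
ITEM_RE = re.compile(r"^[A-Z]{1,2}=")          # H=, I=, X=, CV=, F=, P=, S=, ...
EXPANSION_FAIL = "failed to expand ACL string"


@dataclass
class LogEntry:
    date: str
    time: str
    msgid: str
    items: dict = field(default_factory=dict)  # KEY -> value for the leading items
    verdict: str = ""                          # free text after the last KEY=value


def parse_line(line: str):
    """Return a LogEntry, or None if the line is not a message-id log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = LogEntry(m["date"], m["time"], m["msgid"])
    tokens = m["rest"].split(" ")
    i = 0
    # Consume leading KEY=value tokens; stop at the first token that is not one,
    # so the ACL string inside the verdict (which itself contains "file=") is
    # never mistaken for a log item.
    while i < len(tokens) and ITEM_RE.match(tokens[i]):
        key, val = tokens[i].split("=", 1)
        i += 1
        # "H=hostname [ip]": the bracketed peer address is a separate token.
        if key == "H" and i < len(tokens) and tokens[i].startswith("["):
            val = f"{val} {tokens[i]}"
            i += 1
        entry.items[key] = val
    entry.verdict = " ".join(tokens[i:])
    return entry


def find_expansion_failures(lines):
    """(msgid, peer host, reason) for every rejection caused by a failed expansion."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is not None and EXPANSION_FAIL in e.verdict:
            # The reason follows the closing quote of the ACL string: '...": <reason>'
            reason = e.verdict.rsplit('": ', 1)[-1]
            hits.append((e.msgid, e.items.get("H", "?"), reason))
    return hits


# Constructed sample log (documentation names/addresses, same layout as the post).
SAMPLE_LOG = [
    '2021-05-04 16:45:39 1ldwIb-000LOY-LA H=mx.example.net [192.0.2.10] '
    'I=[198.51.100.5]:25 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no '
    'F=<bounce@example.com> temporarily rejected after DATA: failed to expand '
    'ACL string "${lookup sqlite,file=/var/spool/exim/db/greylist.db {SELECT host '
    "from resenders WHERE helo='${quote_sqlite:$sender_helo_name}' AND "
    "host='$sender_host_address';} {1}}\": absolute file name expected for "
    '"sqlite" lookup',
    '2021-05-04 16:45:41 1ldwId-000LPA-Q2 <= alice@example.org '
    'H=mail.example.org [203.0.113.7] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 '
    'CV=no S=1532',
    '2021-05-04 16:45:41 1ldwId-000LPA-Q2 Completed',
]

if __name__ == "__main__":
    for msgid, host, reason in find_expansion_failures(SAMPLE_LOG):
        print(f"{msgid} from {host}: {reason}")
```

Run against a real `mainlog` (`find_expansion_failures(open(path))`) right after the upgrade: a non-empty result means the new build is deferring mail for a configuration reason rather than for policy, which is worth fixing before the senders' retry windows expire.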
[exim] Exim 4.94.2 - security update released
Dear Exim-Users

Abstract
--------

Several exploitable vulnerabilities in Exim were reported to us and are fixed.

We have prepared a security release, tagged as "exim-4.94.2".

This release contains all changes on the exim-4.94+fixes branch plus security fixes.

You should update your Exim instances as soon as possible. (See below for short upgrade notes.)

Distro users
------------

Several distros will provide updated packages: Just do the update. If the update contains a version change from <4.94 to 4.94.2, you may want to read the upgrade notes below.

Self-built Exim
---------------

Fetch the exim-4.94.2 from the known repositories, build and install the fixed version. If you need to upgrade from versions <4.94 to 4.94.2, you may want to read the upgrade notes below.

Schedule
--------

2021-05-04 13:30 UTC: Publish the release on the public repos/website/etc

Repositories
------------

The sources are available:

tarballs: https://ftp.exim.org/pub/exim/exim4/ (the mirrors will follow with some delay)
source:   https://git.exim.org/exim.git
tag:      exim-4.94.2
branch:   exim-4.94.2+fixes

The +fixes branch contains fixes for an issue that we experienced occasionally with outgoing SMTP (using DANE, TLS SNI and an unusual certificate setup on the remote server. See https://lists.exim.org/lurker/message/20210503.163324.f7021753.en.html)

In case you're running exim-4.92.3 currently and you do not see any option in updating this to 4.94.2, you *can* try using the branch exim-4.92.3+fixes. This branch contains the minimal set of backported security patches, but isn't officially supported by the Exim project and didn't get the same testing as the official release.

Details
-------

The current Exim versions (and likely older versions too) suffer from several exploitable vulnerabilities. These vulnerabilities were reported by Qualys via secur...@exim.org back in October 2020. Due to several internal reasons it took more time than usual for the Exim development team to work on these reported issues in a timely manner.

We explicitly thank Qualys for reporting *and* for providing patches for most of the reported vulnerabilities.

The details about the vulnerabilities *will* be published in the near future (on http://exim.org/static/doc/security/), but not today. This should give you the chance to update your systems.

Another source of information *will* be on the reporter's site: https://www.qualys.com/2021/05/04/21nails/21nails.txt

For further reference a list of related CVEs:

Local vulnerabilities

- CVE-2020-28007: Link attack in Exim's log directory
- CVE-2020-28008: Assorted attacks in Exim's spool directory
- CVE-2020-28014: Arbitrary PID file creation
- CVE-2020-28011: Heap buffer overflow in queue_run()
- CVE-2020-28010: Heap out-of-bounds write in main()
- CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
- CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
- CVE-2020-28015: New-line injection into spool header file (local)
- CVE-2020-28012: Missing close-on-exec flag for privileged pipe
- CVE-2020-28009: Integer overflow in get_stdinput()

Remote vulnerabilities

- CVE-2020-28017: Integer overflow in receive_add_recipient()
- CVE-2020-28020: Integer overflow in receive_msg()
- CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
- CVE-2020-28021: New-line injection into spool header file (remote)
- CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
- CVE-2020-28026: Line truncation and injection in spool_read_header()
- CVE-2020-28019: Failure to reset function pointer after BDAT error
- CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
- CVE-2020-28018: Use-after-free in tls-openssl.c
- CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

Upgrade notes
-------------

- In case you need to upgrade from a version <4.94, you may encounter issues with *tainted data*. This is a security measure which we introduced with 4.94. Your configuration needs to be reworked. Alternatively you can use the exim-4.94.2+taintwarn branch. This branch tracks exim-4.94.2+fixes and adds a new main config option (the option is deprecated already today and will be ignored in a future release of Exim): "allow_insecure_tainted_data". This option allows you to turn the taint errors into warnings. (Debian is set to include this "taintwarn" patch in its Exim 4.94.2 release).

Thank you for using Exim. Thanks to Qualys for reporting the issues.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann

--
SCHLITTERMANN.de internet & unix support
Heiko Schlittermann, Dipl.-Ing. (TU)
{fon,fax}: +49.351.802998{1,3}
gnupg encrypted messages are welcome --- key ID: F69376CE
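The announcement asks everyone to check whether they are below 4.94.2, and the thread shows how easy it is to misread a version: "4.94 #2" in `exim -bV` output is build number 2 of 4.94, not 4.94.2. The following is an added example, not code from the announcement or from the Exim project, that turns either the first line of `exim -bV` or an rpm name-version-release string into a comparable version tuple and reports whether it predates the fixed release. The input strings below are constructed; the `exim -bV` line layout ("Exim version X.Y #N built ...") is assumed from common output, and the caveat about backported fixes is taken from the announcement's note on the exim-4.92.3+fixes branch.

```python
"""Decide whether an Exim build predates the 4.94.2 security release (added example)."""
import re

FIXED_RELEASE = (4, 94, 2)

# First line of `exim -bV`: "Exim version 4.94 #2 built 25-Mar-2021 ..."
# "#2" is a build counter, not a patch level, so "4.94 #2" is OLDER than "4.94.2".
BV_RE = re.compile(r"^Exim version (?P<ver>\d+(?:\.\d+)+)(?: #(?P<build>\d+))?")
# rpm NVR(A) string as printed by `rpm -q exim`: "exim-4.94.2-1.el8.x86_64"
RPM_RE = re.compile(r"^exim-(?P<ver>\d+(?:\.\d+)+)-(?P<rel>[^-\s]+)$")


def parse_version(text: str) -> tuple:
    """Return the upstream version as a tuple of ints, e.g. (4, 94) or (4, 94, 2)."""
    m = BV_RE.match(text.strip()) or RPM_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Exim version string: {text!r}")
    return tuple(int(part) for part in m["ver"].split("."))


def predates_fixed_release(text: str, fixed: tuple = FIXED_RELEASE) -> bool:
    """True when the version string is below the fixed release.

    Tuple comparison handles the missing third component: (4, 94) < (4, 94, 2).
    Caveat: a distro build may carry backported fixes without a version bump
    (the announcement mentions an exim-4.92.3+fixes branch for exactly that), so
    a True result means "verify against the package changelog", not "proven vulnerable".
    """
    return parse_version(text) < fixed


# Constructed inputs in the two formats handled above.
SAMPLES = {
    "Exim version 4.94 #2 built 25-Mar-2021 18:54:53": True,   # the EPEL build from the thread
    "Exim version 4.94.2 #1 built 04-May-2021 13:40:00": False,
    "Exim version 4.92.3 #3 built 01-Oct-2019 09:00:00": True,  # needs 4.94.2 or a +fixes backport
    "exim-4.94.2-1.el8.x86_64": False,
}

if __name__ == "__main__":
    for line, expected in SAMPLES.items():
        print(f"{'OLD ' if predates_fixed_release(line) else 'ok  '} {line}")
```

On a live host the input is `exim -bV | head -n 1` or `rpm -q exim`; a build that reports "OLD" but comes from a distro that claims to have backported the fixes should be confirmed through the package changelog rather than by version number alone.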