Andreas Metzler pointed to a set of patches which are included in the upcoming release of Exim4. I would like to see this issue resolved for trusty and newer releases.
Is someone from the Server Team, or Security Team, backporting this set of patches? If so, will we see a backport for trusty? Perhaps this issue could be discussed at the next Security Team meeting Monday or Server Team meeting Tuesday?

Thanks,
Chuck

----- Forwarded message from Andreas Metzler <[email protected]> -----

Date: Sun, 21 Jun 2015 05:33:47 -0000
From: Andreas Metzler <[email protected]>
To: [email protected]
Subject: [Bug 1384232] Re: Certificate hostname verification fix

This seems to be enabled by default in 4.86RC.
http://git.exim.org/exim.git/commit/01a4a5c5cbaa40ca618d3e233991ce183b551477

-- 
You received this bug notification because you are subscribed to exim4 in Ubuntu.
Matching subscriptions: Chuck Peters
https://bugs.launchpad.net/bugs/1384232

Title:
  Certificate hostname verification fix

Status in exim4 package in Ubuntu:
  Confirmed

Bug description:
  We did an automatic static analysis on exim4 packages in Ubuntu and found that EXIM will not verify the hostname of an SMTP server against its certificate. This will possibly result in a man-in-the-middle attack. We reported this bug directly to exim.org in May 2014 and they fixed this problem in their latest release. So please fix this issue in Ubuntu.

  Bug: http://bugs.exim.org/show_bug.cgi?id=1479
  Fix: http://git.exim.org/exim.git/commit/e51c7be22dfccad376659a1a46cee93c9979bbf7

----- End forwarded message -----

-- 
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
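The bug above is about a TLS client (Exim as an outbound SMTP client) validating the certificate chain but never checking that the name in the certificate matches the host it connected to, which is exactly the gap a man-in-the-middle with any valid certificate needs. The following is an added illustration, written for this thread and not Exim's code or the patches linked above: a small Python hostname-matching routine over the certificate structure that Python's `ssl.getpeercert()` returns, together with an SMTP STARTTLS client context that has both chain and hostname verification switched on. The sample certificate dictionary is constructed for the example; `SAMPLE_CERT`, `verify_hostname`, `smtp_tls_context` and `starttls_verified` are names chosen here and do not appear in Exim or in the bug.

```python
import ipaddress
import ssl

# Constructed sample in the format returned by ssl.SSLSocket.getpeercert():
# one exact dNSName, one wildcard dNSName and one iPAddress entry.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (
        ("DNS", "mail.example.org"),
        ("DNS", "*.mx.example.org"),
        ("IP Address", "192.0.2.25"),
    ),
}


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName against a hostname (case-insensitive).

    Only a whole leftmost label may be a wildcard, and it matches exactly one
    label: '*.mx.example.org' matches 'mx1.mx.example.org' but neither
    'mx.example.org' nor 'a.b.mx.example.org'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # partial wildcards and '*.tld' are refused
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def verify_hostname(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is a name this certificate was issued for."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    ip = _parse_ip(hostname)
    if ip is not None:
        # An IP literal is compared only with iPAddress entries, never with dNSName or CN.
        return any(_parse_ip(value) == ip for value in ip_names)

    if dns_names:
        # When subjectAltName carries DNS names, the subject CN is ignored.
        return any(_dns_name_match(pattern, hostname) for pattern in dns_names)

    # Legacy fallback for certificates without any dNSName: use the subject CN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False


def smtp_tls_context() -> ssl.SSLContext:
    """Client context that verifies the chain against the system trust store
    and checks the peer name; this is the setting the bug report found missing."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def starttls_verified(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Open an SMTP session, upgrade with STARTTLS under the verifying context
    and return the negotiated protocol version. Raises ssl.SSLCertVerificationError
    if the chain is untrusted or the certificate does not name `host`.
    Needs network access; not exercised by the offline checks."""
    import smtplib

    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=smtp_tls_context())
        return smtp.sock.version()
```

`verify_hostname` is the check Exim lacked before the linked fix: the chain can be perfectly valid and still belong to a different host. The wildcard and IP-literal rules are the ones modern TLS stacks apply; if a deployment needs the older "any-label" wildcard behaviour it should be an explicit decision, not the default.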
