Exim Security Vuln
Awmusic12635 Member, Host Rep

Just got this email:

EXIM
Urgent Action Required
A remote code execution vulnerability has been reported in Exim, with 
immediate public disclosure (we were given no private notice). 
A tentative patch exists but has not yet been confirmed. 

With immediate effect, please apply this workaround: if you are running 
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main 
section of your Exim configuration, set: 

chunking_advertise_hosts = 

That's an empty value, nothing on the right of the equals. This 
disables advertising the ESMTP CHUNKING extension, making the BDAT verb 
unavailable and avoids letting an attacker apply the logic. 

This should be a complete workaround. Impact of applying the workaround 
is that mail senders have to stick to the traditional DATA verb instead 
of using BDAT. 

We've requested CVEs. More news will be forthcoming as we get this 
worked out.

https://lists.gt.net/exim/announce/108962

Ongoing Discussion via WHT:

http://www.webhostingtalk.com/showthread.php?t=1684234

Our mailing address is:
RACK911 Labs
1110 Palms Airport Drive
Suite 110
Las Vegas, NV 89119
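The announcement says the workaround should stop Exim from advertising CHUNKING, so BDAT is no longer available. As an added example (not code from the Exim announcement or from the forum post), the following script checks an EHLO reply for the CHUNKING keyword so an administrator can confirm the setting took effect; the hostnames, addresses and sample replies are constructed.

```python
"""Check whether an SMTP server still advertises the ESMTP CHUNKING extension."""
import smtplib
from typing import List


def advertised_extensions(ehlo_reply: str) -> List[str]:
    """Return the keywords advertised in a multi-line EHLO reply (upper-case).

    The first 250 line carries the server's greeting domain, not an extension
    (RFC 5321 section 4.1.1.1), so it is skipped.
    """
    keywords = []
    for line in ehlo_reply.splitlines()[1:]:
        line = line.strip()
        # Lines look like "250-SIZE 52428800" or "250 HELP" (last line uses a space).
        if len(line) < 4 or not line.startswith("250"):
            continue
        body = line[4:].strip()
        if body:
            keywords.append(body.split()[0].upper())
    return keywords


def chunking_advertised(ehlo_reply: str) -> bool:
    """True if the server would accept BDAT, i.e. the workaround is NOT in effect."""
    return "CHUNKING" in advertised_extensions(ehlo_reply)


def live_check(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Connect to a server you administer and report whether CHUNKING is advertised."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("check.example")  # placeholder client hostname
        return smtp.has_extn("chunking")


# Constructed sample replies: before and after setting chunking_advertise_hosts empty.
BEFORE = (
    "250-mail.example.test Hello check.example [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n"
    "250-CHUNKING\r\n250 HELP\r\n"
)
AFTER = (
    "250-mail.example.test Hello check.example [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n250 HELP\r\n"
)

if __name__ == "__main__":
    for label, reply in (("before", BEFORE), ("after", AFTER)):
        print(label, "CHUNKING advertised:", chunking_advertised(reply))
```

Run `live_check("your.mail.host")` against a server you operate to test the running configuration rather than the constructed samples.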

Comments

  • WSS Member
    edited November 2017

    I am so glad that I never drank the exim Kool-Aid. Only slightly more than giving up the sendmail LSD. However, the qmail heroin trackmarks will always remain.

  • mmuyskens Member, Host Rep

    Qmail makes me moist.

  • szarka Member
    edited November 2017

    Sadly, the home page still says... "We fixed CVE-2016-9963 right now, you are urged to upgrade to 4.88 or to 4.87.1, available from the known download sites."

  • willie Member
    edited November 2017

    apt-get remove exim4\* worked for me.

  • Neoon Community Contributor, Veteran
    edited November 2017

    Yeah, apt-get remove exim4-base to make sure it's gone.

    Same for postfix: as long as the mail server is not needed for inbound, I would make sure it listens just on 127.0.0.1 and nothing else.
