Exim Security Vuln
Awmusic12635
Member, Host Rep
in General
Just got this email:
EXIM Urgent Action Required

A remote code execution vulnerability has been reported in Exim, with immediate public disclosure (we were given no private notice). A tentative patch exists but has not yet been confirmed.

With immediate effect, please apply this workaround: if you are running Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main section of your Exim configuration, set:

    chunking_advertise_hosts =

That's an empty value, nothing on the right of the equals. This disables advertising the ESMTP CHUNKING extension, making the BDAT verb unavailable and avoids letting an attacker apply the logic. This should be a complete workaround. Impact of applying the workaround is that mail senders have to stick to the traditional DATA verb instead of using BDAT.

We've requested CVEs. More news will be forthcoming as we get this worked out.

https://lists.gt.net/exim/announce/108962

Ongoing Discussion via WHT: http://www.webhostingtalk.com/showthread.php?t=1684234

Our mailing address is: RACK911 Labs 1110 Palms Airport Drive Suite 110 Las Vegas, NV 89119
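A quick way to confirm the workaround actually took effect is to look at what the server advertises in its EHLO response: if CHUNKING is gone, BDAT is unreachable. The script below is an added example, not part of the advisory or of the Exim project. The two EHLO transcripts are constructed for the demonstration, and the host name, port and the use of nc in the live probe are assumptions.

```shell
#!/bin/sh
# Added example (not from the RACK911 advisory or the Exim project).
# Checks whether an SMTP server still advertises the ESMTP CHUNKING
# extension, which is what "chunking_advertise_hosts =" is meant to remove.

# Return 0 if the EHLO response on stdin advertises CHUNKING, 1 otherwise.
# Matches both "250-CHUNKING" (mid-list) and "250 CHUNKING" (last line),
# case-insensitively, after stripping CRs from CRLF line endings.
ehlo_advertises_chunking() {
    tr -d '\r' | grep -Eiq '^250[- ]CHUNKING([[:space:]]|$)'
}

# Constructed EHLO responses for the demo (not captured from a real host).
EHLO_BEFORE='220 mx.example.test ESMTP Exim 4.89
250-mx.example.test Hello probe [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP'

EHLO_AFTER='220 mx.example.test ESMTP Exim 4.89
250-mx.example.test Hello probe [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP'

# Print a one-line verdict for an EHLO response passed as $1.
verdict() {
    if printf '%s\n' "$1" | ehlo_advertises_chunking; then
        echo "CHUNKING advertised: BDAT reachable, workaround NOT in effect"
    else
        echo "CHUNKING not advertised: BDAT unavailable"
    fi
}

# Live probe against a real server (assumed host/port, needs nc on PATH).
# Not called in the demo below; run it against your own MX.
probe_live() {
    host=${1:-127.0.0.1}
    port=${2:-25}
    printf 'EHLO probe.example.test\r\nQUIT\r\n' | nc -w 5 "$host" "$port" \
        | ehlo_advertises_chunking
}

# Server-side cross-check on the box itself:
#   exim -bP chunking_advertise_hosts
# prints the effective value; after the workaround it must be empty.

verdict "$EHLO_BEFORE"
verdict "$EHLO_AFTER"
```

Remember that the EHLO check only tells you what one listener advertises; if you run several Exim instances or configurations, probe each one, and run `exim -bP chunking_advertise_hosts` on the host to see the value the daemon actually loaded.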
Comments
I am so glad that I never drank the exim Kool-Aid. Only slightly more than giving up the sendmail LSD. However, the qmail heroin trackmarks will always remain.
Qmail makes me moist.
Sadly, the home page still says... "We fixed CVE-2016-9963 right now, you are urged to upgrade to 4.88 or to 4.87.1, available from the known download sites."
apt-get remove exim4\* worked for me.
Yeah, apt-get remove exim4-base to make sure it's gone.
Same for postfix: as long as the mail server is not needed for inbound, I would make sure it listens just on 127.0.0.1 and nothing else.
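For the loopback-only approach mentioned above, the real option names are `local_interfaces = 127.0.0.1 : ::1` in the main section of the Exim configuration and `inet_interfaces = loopback-only` in Postfix's main.cf. The script below is an added example, not from any poster in this thread; it reads `ss -ltn` style output and flags SMTP listeners bound to anything other than loopback. The sample socket tables are constructed for the demo, and the choice of ports 25, 465 and 587 is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread's posters). Flags SMTP listeners that
# are bound to a non-loopback address and are therefore network-reachable.
#
# To bind an outbound-only MTA to loopback (real option names):
#   Exim    (main section):  local_interfaces = 127.0.0.1 : ::1
#   Postfix (main.cf):       inet_interfaces = loopback-only

# Reads "ss -ltn" output on stdin and prints the "addr:port" of every TCP
# listener on an SMTP port (25, 465, 587 assumed) whose bind address is not
# loopback. Exit status 0 if nothing is exposed, 1 if at least one is.
smtp_listeners_exposed() {
    awk '
        NR == 1 { next }                         # header line
        {
            la = $4                              # "Local Address:Port" column
            n = split(la, parts, ":")
            port = parts[n]
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (port != "25" && port != "465" && port != "587") next
            if (addr ~ /^127\./ || addr == "[::1]") next
            print la
            found = 1
        }
        END { if (found) exit 1; exit 0 }
    '
}

# Constructed "ss -ltn" output: two exposed SMTP sockets, one loopback
# submission socket, and an unrelated sshd listener.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      100    0.0.0.0:25          0.0.0.0:*
LISTEN 0      100    127.0.0.1:25        0.0.0.0:*
LISTEN 0      100    [::]:25             [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      100    127.0.0.1:587       0.0.0.0:*'

# Constructed output for a host where the MTA only listens on loopback.
SS_SAMPLE_SAFE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      100    127.0.0.1:25        0.0.0.0:*
LISTEN 0      100    [::1]:25            [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Live check on the current host (needs iproute2's ss).
check_live() {
    ss -ltn | smtp_listeners_exposed
}

echo "sample host:"
printf '%s\n' "$SS_SAMPLE" | smtp_listeners_exposed || echo "exposed SMTP listeners found"
echo "loopback-only host:"
printf '%s\n' "$SS_SAMPLE_SAFE" | smtp_listeners_exposed && echo "no exposed SMTP listeners"
```

Run `check_live` on a box after editing the config and restarting the MTA; a `0.0.0.0:25` or `[::]:25` line means the change has not been picked up.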