News, updates, guides and tools | Software and application updates - (26.10.12) - New version: Exim release 4.80.1

(26.10.12) - New version: Exim release 4.80.1



Download:
https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html

What's new:

This is a SECURITY release, addressing a CRITICAL remote code execution flaw in versions of Exim between 4.70 and 4.80 inclusive, when built with DKIM support (the default). This release is identical to 4.80 except for the small changes needed to plug the security hole. The next release of Exim will, eventually, be 4.82, which will include the many improvements we've made since 4.80, but which will require the normal release candidate baking process before release. 

You are not vulnerable if you built Exim with DISABLE_DKIM or if you put this at the start of an ACL plumbed into acl_smtp_connect or acl_smtp_rcpt: 

warn control = dkim_disable_verify 

I apologise for the impact of releasing this on a Friday. I do not consider there to be an acceptable alternative. This issue, which is known by the CVE ID of CVE-2012-5671, was found during internal code review of an area of the Exim codebase relevant to another issue, DKIM signing and verification, which has been the subject of US-CERT VU#268267 and Common Weakness identifiers CWE-347 and CWE-326. As such, I expect that this area of code in various MTAs will be studied by many security conscious people around about now, so there is a significant risk that someone unfriendly has also discovered this, concurrently to our finding it. We discovered the issue on Wednesday, gave Thursday for the OS packagers to get emergency packages prepared, and are releasing on the next available work day. 

This is why we have made the smallest feasible changes to prevent exploit: we want this change to be as safe as possible to expedite into production. This security vulnerability can be exploited by anyone who can send email from a domain for which they control the DNS. The class of attack is known as a "heap-based buffer overflow"; your OS might be built with protections to mitigate against these attacks. 

To avoid confusion between "4.80.1" and "4.81", we will skip the "4.81" version number and the next release will be "4.82".
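The announcement above gives two conditions for exposure: an Exim version between 4.70 and 4.80 inclusive, and a build with DKIM support. The following script is an added example, not part of the Exim release announcement or the Exim project, that checks both conditions from the output of `exim -bV` (the version line and the "Support for:" line). The `SAMPLE_BV` text is a constructed sample of that output, and the exact line layout is assumed from Exim builds of that era; run it against the real binary with the usage line at the end.

```shell
#!/bin/sh
# Added example (not from the Exim announcement): decide from `exim -bV`
# output whether a build is in the range affected by CVE-2012-5671, i.e.
# version 4.70..4.80 inclusive AND built with DKIM support.

# Constructed sample of `exim -bV` output (a real run prints more lines).
SAMPLE_BV='Exim version 4.80 #1 built 12-Jun-2012 10:11:12
Copyright (c) University of Cambridge, 1995 - 2012
Berkeley DB: Berkeley DB 4.8.30: (April  9, 2010)
Support for: crypteq iconv() IPv6 PAM Perl OpenSSL move_frozen_messages Content_Scanning DKIM
Configuration file is /etc/exim4/exim4.conf'

# exim_version OUTPUT -> prints the version, e.g. "4.80" or "4.80.1"
exim_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# dkim_built OUTPUT -> exit 0 if DKIM is listed on the "Support for:" line
# (a build with DISABLE_DKIM does not list it)
dkim_built() {
    printf '%s\n' "$1" | grep '^Support for:' | grep -qw DKIM
}

# version_affected VERSION -> exit 0 if 4.70 <= VERSION <= 4.80.
# 4.80.1 (the fix) and anything newer are not affected.
version_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    [ "$major" -eq 4 ] || return 1
    [ "$minor" -ge 70 ] || return 1
    if [ "$minor" -lt 80 ]; then
        return 0
    fi
    [ "$minor" -eq 80 ] && [ "$patch" -eq 0 ]
}

# assess OUTPUT -> prints VULNERABLE, NOT_VULNERABLE_VERSION or
# NOT_VULNERABLE_NO_DKIM. Note that this reads the build only; an ACL that
# sets "control = dkim_disable_verify" at connect or RCPT time also closes
# the hole, and is not visible in -bV output.
assess() {
    v=$(exim_version "$1")
    if ! version_affected "$v"; then
        echo NOT_VULNERABLE_VERSION
        return
    fi
    if ! dkim_built "$1"; then
        echo NOT_VULNERABLE_NO_DKIM
        return
    fi
    echo VULNERABLE
}

# Usage against the installed binary:
#   assess "$(exim -bV 2>/dev/null)"
```

A VULNERABLE result means the binary still needs 4.80.1 (or a vendor package carrying the fix); if upgrading has to wait, the `dkim_disable_verify` ACL control from the announcement is the stopgap, and this script will not see it.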