As written on [1], <=exim-4.75 has a security hole that can be used by a remote attacker to execute arbitrary code. A patch is available that applies fine to the currently-stable 4.74 in portage. [1]: https://lists.exim.org/lurker/message/20110506.112357.e99a8db1.en.html Reproducible: Didn't try Steps to Reproduce: No exploit in the wild yet, so I simply believe the devs that the hole is real.
Patch: http://git.exim.org/exim.git/commitdiff_plain/337e3505b0e6cd4309db6bf6062b33fa56e06cf8 Please provide an updated ebuild.
I've added 4.75-r1, please stable this version. It's been scheduled for stabling, and monday 4.76 will be released (which includes the secfix).
*** Bug 366389 has been marked as a duplicate of this bug. ***
Arches, please test and mark stable: =mail-mta/exim-4.75-r1 Target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
amd64 ok
x86 stable
amd64 done ( sorry for the spam )
Where is the point in stabling mail-mta/exim-4.75-r1? Today exim-4.76-rc1 is released which contains the fixes for these holes. >> https://lists.exim.org/lurker/message/20110509.091632.daed0206.en.html Can someone please add this to the treee so we can stable this version? Thanks..
4.76 contains more stuff next to the security fix. Since we know 4.75 runs solid, and -r1 only has the backport of the fix added, that one is candidate for stabling. 4.76 will be candidate for stabling in minimally 30 days from the moment it has been added to the tree.
Stable for HPPA.
On 2011-05-09 at 05:16 -0400, Phil Pennock wrote: > This is a SECURITY release: Exim versions 4.70 up to and including 4.75 > contained a security hole (format string attack) permitting remote > execution of arbitrary code as the Exim run-time user. This is > CVE-2011-1764. There is also another, lesser security issue. Both lie > in the DKIM code and mitigation techniques are described below. Further analysis revealed that the second security was more severe than I realised at the time that I wrote the announcement. The second security issue has been assigned CVE-2011-1407 and is also a remote code execution flaw. For clarity: both issues were introduced with 4.70. This means stabling 4.75-r1 is IMO close pointless. I'll try to fix the 4.76 bugs tonight, such that the security team can decide to stable it, if they wish to.
(In reply to comment #11) > This means stabling 4.75-r1 is IMO close pointless. I'll try to fix the 4.76 > bugs tonight, such that the security team can decide to stable it, if they wish > to. Ok, thank you for the update. I see 4.76 is in the tree now. Is that ready for stabilization?
yes it is, thanks
(In reply to comment #13) > yes it is, thanks Great, thanks. Arches, please test and mark stable: =mail-mta/exim-4.76 Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
works as precedent
amd64 done. Thanks Agostino
x86 stable. Thanks
ppc/ppc64 stable
alpha/ia64/sparc stable
Thanks everyone. Added to existing GLSA request.
CVE-2011-1407 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1407): The DKIM implementation in Exim 4.7x before 4.76 permits matching for DKIM identities to apply to lookup items, instead of only strings, which allows remote attackers to execute arbitrary code or access a filesystem via a crafted identity.
CVE-2011-1764 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1764): Format string vulnerability in the dkim_exim_verify_finish function in src/dkim.c in Exim before 4.76 might allow remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via format string specifiers in data used in DKIM logging, as demonstrated by an identity field containing a % (percent) character.
This issue was resolved and addressed in GLSA 201401-32 at http://security.gentoo.org/glsa/glsa-201401-32.xml by GLSA coordinator Mikle Kolyada (Zlogene).
