"There is a heap-based buffer overflow in string_vformat (string.c).
The currently known exploit uses an extraordinarily long EHLO string to
crash the Exim process that is receiving the message. While at this
mode of operation Exim already dropped its privileges, other paths to
reach the vulnerable code may exist."
Switch build configuration from a modified static copy of a file from the
exim distribution in files/ to copying and patching the actual file from
the distribution; this was badly out of sync with upstream. Done by me
based on Renaud's partial update.
"Using a handcrafted message, remote code execution seems to be possible"
Thanks to whichever of the distributions that was under embargo and
released early, as this means that the fix was made available sooner
than it would have otherwise been.
and CVE-2017-16944, and other fixes.
Alternative workaround for these two CVEs: disable the SMTP CHUNKING extension
by adding "chunking_advertise_hosts =" to the main configuration section (empty
right-hand-side).
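As an added example (not part of the port's commit log or of Exim itself), a small Python audit that reads the main section of an Exim configuration and reports whether the CHUNKING workaround above is actually in effect. It assumes Exim's documented default of `*` (advertise to all hosts) when `chunking_advertise_hosts` is absent, and that the main section ends at the first `begin` line; the sample configurations are constructed.

```python
"""Audit an Exim main configuration for the CHUNKING workaround."""
import re

# Assumption: Exim advertises CHUNKING to every host when the option is unset.
DEFAULT_CHUNKING_HOSTS = "*"

def main_section_options(config_text):
    """Return {option: value} for the main section only.

    Handles comments, blank lines and backslash line continuations, and stops
    at the first 'begin <section>' line, where the main section ends.
    """
    opts = {}
    pending = []  # pieces of a logical line split by trailing backslashes
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not pending and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1].lstrip())
            continue
        pending.append(line.lstrip())
        logical = "".join(pending).strip()
        pending = []
        if re.match(r"begin\s+\w+", logical):
            break
        m = re.match(r"(?:hide\s+)?([A-Za-z0-9_]+)\s*=\s*(.*)$", logical)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts

def chunking_advertised(config_text):
    """True if this configuration would still offer CHUNKING in its EHLO reply."""
    hosts = main_section_options(config_text).get(
        "chunking_advertise_hosts", DEFAULT_CHUNKING_HOSTS)
    return hosts != ""

# Constructed samples: the first relies on the default, the second applies
# the workaround, the third sets the option but across a continuation line.
UNPATCHED_CONFIG = "# nothing said about CHUNKING\nprimary_hostname = mx.example\nbegin acl\n"
WORKAROUND_CONFIG = "primary_hostname = mx.example\nchunking_advertise_hosts =\nbegin acl\n"
CONTINUED_CONFIG = "chunking_advertise_hosts = \\\n    *\nbegin acl\n"

if __name__ == "__main__":
    for name, cfg in [("unpatched", UNPATCHED_CONFIG), ("workaround", WORKAROUND_CONFIG)]:
        print(name, "advertises CHUNKING:", chunking_advertised(cfg))
```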
JH/27 Fix a possible security hole, wherein a process operating with the Exim
UID can gain a root shell. Credit to http://www.halfdog.net/ for
discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim
itself :(
JH/34 SECURITY: Use proper copy of DATA command in error message.
Could leak key material. Remotely exploitable. CVE-2016-9963.
Whoever decided to have an embargo period ending on 25 December: this was
not a particularly good idea
"Any user who can start an instance of Exim (and this is normally *any* user)
can gain root privileges. If you do not use 'perl_startup' you *should* be
safe." CVE-2016-1531
While this resolves CVE-2010-4344 and CVE-2010-4345, the first was
actually fixed in exim 4.70 and the latter is a non-issue on OpenBSD
due to it always being built with ALT_CONFIG_ROOT_ONLY.
with input from Andreas Voegele
ok sthen@, jasper@
- tweak MESSAGE/DESCR
- drop no_x11 flavour in favour of an -eximon subpackage and a
pseudo-flavour to disable it
- use iconv by default rather than as a flavour
- drop no_exiscan flavour
from bernd@, Bjorn Ketelaars and myself; ok fkr@ bernd@
This fixes lots of bugs and at least the security issues noticed in
CAN-2005-0021 and CAN-2005-0022.
based on a diff from "Andrey N. Oktyabrski" <ano at antora.ru>
This is a major update and configuration files are not compatible.
A conversion script is included and installed in
${PREFIX}/share/examples/exim4/convert4r4
New co-maintainer and much of the initial work done by Ilya Voronin.
A decision was made to include the semi-official exiscan patch in
the default installation, as most admins appear to use this. It is
hoped that it will become part of the core exim4 code "soon".
This port now creates an _exim user and group if they don't already
exist.
Work and testing by Ilya Voronin, Richard Welty, Axel Rau and others
who I can't now find in my mailbox. Apologies if I left you out.
Version 3.34
------------
1. Exim was failing to diagnose a lone \ at the end of an expansion string as
an error (basically a typo in the code).
2. If logging was only to syslog, and Exim was trying to panic-die, it crashed
instead of dying cleanly.
3. If an address was routed using a DNS lookup that found no MX records, but
one or more A records, and fallback hosts were specified on the transport, the
fallback hosts were ignored.
4. $message_body_size was set incorrectly (to zero) during filter testing.
5. Ensure the configuration file is closed before running the -bi command.
6. Reap all complete processes within the loop for accepting -bs or -bS
messages, because it seems that not all OSes do this automatically when SIGCHLD
is set to SIG_IGN.
7. Reset SIGHUP to SIG_IGN before restarting a daemon, in case another SIGHUP
arrives very quickly and kills the newly started Exim before it has a chance to
get going.
8. After "452 space shortage", Exim was not unsetting the sender address. Could lead
to strange effects when the client was pipelining.
9. There was no check that getpeername() was giving a socket address when
called on stdin passed from a previous delivery.
10. If a local part beginning with a pipe symbol was directed to a pipe
transport, the transport got confused as to which command it should run.
This could be a security exposure if unchecked local parts are directed
or routed to pipe transports.