Author: Phil Pennock

Date: 2012-10-26 08:03 UTC

To: exim-announce

Subject: [exim-announce] Exim 4.80.1 Security Release



Exim release 4.80.1 is now available from the primary ftp site:

_________________________________________________________________

This is a SECURITY release, addressing a CRITICAL remote code execution
flaw in versions of Exim between 4.70 and 4.80 inclusive, when built
with DKIM support (the default). This release is identical to 4.80
except for the small changes needed to plug the security hole. The next
release of Exim will, eventually, be 4.82, which will include the many
improvements we've made since 4.80, but which will require the normal
release candidate baking process before release.

You are not vulnerable if you built Exim with DISABLE_DKIM or if you
put this at the start of an ACL plumbed into acl_smtp_connect or
acl_smtp_rcpt:

  warn control = dkim_disable_verify

I apologise for the impact of releasing this on a Friday. I do not
consider there to be an acceptable alternative. This issue, which is
known by the CVE ID of CVE-2012-5671, was found during internal code
review of an area of the Exim codebase relevant to another issue, DKIM
signing and verification, which has been the subject of US-CERT
VU#268267 and Common Weakness identifiers CWE-347 and CWE-326. As such,
I expect that this area of code in various MTAs will be studied by many
security-conscious people around about now, so there is a significant
risk that someone unfriendly has also discovered this, concurrently
with our finding it. We discovered the issue on Wednesday, gave Thursday
for the OS packagers to get emergency packages prepared, and are
releasing on the next available work day.

This is why we have made the smallest feasible changes to prevent
exploit: we want this change to be as safe as possible to expedite into
production. This security vulnerability can be exploited by anyone who
can send email from a domain for which they control the DNS.
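As an added example (not part of the announcement, and not Exim project code), the following POSIX sh script decides from the output of `exim -bV` whether a build falls in the affected range stated above: version 4.70 through 4.80 inclusive with DKIM compiled in. The sample `exim -bV` output is constructed; the assumption is that `exim -bV` prints an "Exim version" line and a "Support for:" line that lists DKIM when the binary was built without DISABLE_DKIM. The script does not read the ACL configuration, so a host it flags may still be protected by the `control = dkim_disable_verify` workaround.

```shell
#!/bin/sh
# Added example (not from the Exim announcement): classify an Exim build
# against CVE-2012-5671 from the text of `exim -bV`.
# Affected: Exim 4.70 .. 4.80 inclusive, built with DKIM support.
# Real use:   exim -bV | assess_exim_bv

# Constructed sample output for an affected build (assumption: the
# "Support for:" line names DKIM when built without DISABLE_DKIM).
SAMPLE_BV='Exim version 4.80 #1 built 12-May-2012 10:00:00
Copyright (c) University of Cambridge, 1995 - 2012
Support for: crypteq iconv() IPv6 GnuTLS Content_Scanning DKIM
Configuration file is /etc/exim/exim.conf'

# Constructed sample for the fixed release, still with DKIM compiled in.
SAMPLE_BV_FIXED='Exim version 4.80.1 #1 built 26-Oct-2012 08:00:00
Support for: crypteq iconv() IPv6 GnuTLS Content_Scanning DKIM'

# Print 1 if a version string such as "4.80" or "4.80.1" lies in
# [4.70, 4.80], else 0.  Edge case handled: "4.80.1" is the patched
# release and is not affected.  Any other 4.7x.y patch release is still
# reported as affected (conservative; none existed when this was written).
version_in_range() {
    v="$1"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=""
    case "$rest" in *.*) patch=${rest#*.} ;; esac
    [ "$major" = 4 ] || { echo 0; return; }
    case "$minor" in ''|*[!0-9]*) echo 0; return ;; esac
    if [ "$minor" -lt 70 ] || [ "$minor" -gt 80 ]; then echo 0; return; fi
    if [ "$minor" -eq 80 ] && [ -n "$patch" ]; then echo 0; return; fi
    echo 1
}

# Read `exim -bV` output on stdin.  Exit status: 0 = affected,
# 1 = not affected, 2 = input not recognised as `exim -bV` output.
assess_exim_bv() {
    bv=$(cat)
    version=$(printf '%s\n' "$bv" \
        | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    if [ -z "$version" ]; then
        echo "unrecognised input: no 'Exim version' line" >&2
        return 2
    fi
    has_dkim=0
    support=$(printf '%s\n' "$bv" | sed -n 's/^Support for: *//p' | head -n 1)
    case " $support " in *" DKIM "*) has_dkim=1 ;; esac
    if [ "$(version_in_range "$version")" = 1 ] && [ "$has_dkim" = 1 ]; then
        echo "Exim $version built with DKIM: affected by CVE-2012-5671 (upgrade to 4.80.1, or apply the dkim_disable_verify ACL control)"
        return 0
    fi
    echo "Exim $version (DKIM support: $has_dkim): not affected"
    return 1
}

# Demo on the constructed samples; on a real host pipe `exim -bV` in instead.
printf '%s\n' "$SAMPLE_BV" | assess_exim_bv
printf '%s\n' "$SAMPLE_BV_FIXED" | assess_exim_bv || :
```

The version check is deliberately string-based rather than numeric so that "4.80" and "4.80.1" are told apart; a plain numeric compare would treat them as equal.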
The class of attack is known as a "heap-based buffer overflow"; your OS
might be built with protections to mitigate these attacks.

To avoid confusion between "4.80.1" and "4.81", we will skip the "4.81"
version number and the next release will be "4.82".

I'd like to thank my employer, Apcera Inc, for supporting my commitment
to the Exim community.

_________________________________________________________________

The primary ftp server is in Cambridge, England. There is a list of
mirrors in:

The master ftp server is ftp.exim.org

The distribution files are signed with Phil Pennock's PGP key
0x403043153903637F (uid pdp@???; signed by Nigel Metheringham's PGP key
0x85AB833FDDC03262). This key should be available from all modern PGP
keyservers.

Please use your own discretion in assessing what trust paths you
might have to this uid; the "Release verification" section of the
Release Policy might be of assistance:

The detached ASCII signature files are in the same directory as the
tarbundles. The SHA1 and SHA256 hashes for the distribution files are at
the end of this email. This shall likely be the last release
announcement to include SHA1 hashes.

The distribution contains an ASCII copy of the 4.80.1 manual and
other documents. Other formats of the documentation are also
available:-

The .bz2 versions of these tarbundles are also available.

We know that the security details for verifying releases in the
documentation are out of date, and have been for the past few releases.
This has been fixed for 4.82.

The ChangeLog for this, and several previous releases, is included
in the distribution.
Individual change log files are also available on the ftp site, the
current one being:-

There are no new features, thus no NewStuff-4.80.1 file.

_________________________________________________________________

Release Checksums

SHA256:
9565b10f06be224fd03adafae2e07e6fdbb479f8873e3894ddb13f98eeebe78f  exim-4.80.1.tar.bz2
2cac05ce27a5d5b409ce5657957047233d36f9396d0203d240a5b7aed2a969de  exim-4.80.1.tar.gz
206ef4acc2641f10f3f23f8ee97cd1f7125486938ea1fc231ac2a1d5d6c9be09  exim-html-4.80.1.tar.bz2
0286d02f85e0a9a4a00d7bc74b6378c36181f5bb2500969039593d336cb142d7  exim-html-4.80.1.tar.gz
d65cec38449432db60b090a82c688dd65d40c6b0c64953fbe4d3b765a2c74aee  exim-pdf-4.80.1.tar.bz2
c2ed7d6ecce24631ac0a92894af09e1cdc90b7ba61f03a91a34d40f7dd762a1f  exim-pdf-4.80.1.tar.gz
3c656be9196b94be96bcf1e775e7138bfcd49843acec0e0b16923f114ca26c2b  exim-postscript-4.80.1.tar.bz2
1f0dc4daca46f59c7c52d90ff10cb635509be5f6f1bbb793ee05745e29fcbfa9  exim-postscript-4.80.1.tar.gz

SHA1:
714e40d440641050a1d9946cd937aad0d1a6b746  exim-4.80.1.tar.bz2
eeb6d1e4c7c1dc0e4de55ba61316718e44d810b3  exim-4.80.1.tar.gz
d23ec94c23228a1f540d8343c6c2c5f1833b0dd0  exim-html-4.80.1.tar.bz2
49b2f226f1355a11ba4d193a06a84f6a3dce3003  exim-html-4.80.1.tar.gz
e24304f9f087faf79e22b8ca8b3e27154c7e4cc9  exim-pdf-4.80.1.tar.bz2
86594290072917649f165270ad61399aaf0c9c72  exim-pdf-4.80.1.tar.gz
ffdc6a08093c4ec9f26bce24d3f16b5cf91f5454  exim-postscript-4.80.1.tar.bz2
d9c5951b7b415e09146d594fda864725096f596d  exim-postscript-4.80.1.tar.gz

--
Phil Pennock, pp The Exim Maintainers.
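As an added example (not from the announcement and not the Exim project's own tooling), a POSIX sh script that checks a downloaded 4.80.1 source tarball against the SHA256 sums published above and names the detached-signature check to run alongside it. Only the two source tarballs are in its table (the SHA1 sums are deliberately not used, in line with the announcement phasing them out). The `gpg --verify` step assumes the `.asc` file sits beside the tarball, as the announcement says, and that key 0x403043153903637F is in your keyring; it is not exercised by the demo, which instead hashes a throwaway file whose digest is known.

```shell
#!/bin/sh
# Added example (not Exim project code): verify a downloaded exim-4.80.1
# tarball against the SHA256 sums from the release announcement.
# Usage:  check_release_file /path/to/exim-4.80.1.tar.bz2
#         verify_signature   /path/to/exim-4.80.1.tar.bz2   (needs gpg + key)

# SHA256 sums copied from the announcement: "<digest>  <file name>".
EXIM_4_80_1_SHA256='9565b10f06be224fd03adafae2e07e6fdbb479f8873e3894ddb13f98eeebe78f  exim-4.80.1.tar.bz2
2cac05ce27a5d5b409ce5657957047233d36f9396d0203d240a5b7aed2a969de  exim-4.80.1.tar.gz'

# Print the SHA256 digest of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Compare a file's digest with an expected hex digest, case-insensitively.
# Returns 0 on match, 1 on mismatch.
check_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256_of "$file")
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
      "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Look the tarball's name up in the published table and check the local
# file.  Returns 0 only if the name is listed and the digest matches.
check_release_file() {
    name=$(basename "$1")
    expected=$(printf '%s\n' "$EXIM_4_80_1_SHA256" \
        | awk -v n="$name" '$2 == n { print $1 }')
    if [ -z "$expected" ]; then
        echo "$name: not in the published SHA256 list" >&2
        return 1
    fi
    if check_sha256 "$1" "$expected"; then
        echo "$name: SHA256 OK"
    else
        echo "$name: SHA256 MISMATCH, do not unpack" >&2
        return 1
    fi
}

# Detached-signature check (not run by the demo): the .asc file is in the
# same directory as the tarball, and the signing key must be in the keyring.
verify_signature() {
    gpg --verify "$1.asc" "$1"
}

# Demo on a constructed file: the digest is SHA256 of the bytes "hello\n",
# so the check is expected to pass.  Returns the check's status.
demo_sha256_check() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    check_sha256 "$tmp" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo_sha256_check && echo "demo: SHA256 check passed"
```

A matching checksum only proves the download is the file the announcement describes; the signature check is what ties that file to the release key, so run both before building.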