Bug#343085: exim4: Exim SMTP_AUTH hangs since today...

Florian Weimer fw at deneb.enyo.de
Mon Jan 30 15:58:06 UTC 2006


* Sven Hartge:

> Florian Weimer wrote:
>> * Florian Weimer:
>
>>> It's the generation of the special server-side key used to support
>>> "RSA export" clients which use 40-bit symmetric session keys.
>
>> Turns out the patch was broken.  This one should be better.  The
>> comments above still apply.
>
> Will this patch be included in the next point release of Sarge

Not sure about that.  There are different means to tackle this
problem.  We could just remove

  rm -f /var/spool/exim4/gnutls-params

from the daily cron job.  Or we add proper locking so that only one
Exim process actually recomputes the params file when it is missing,
significantly reducing the impact of this problem.  Or the preferred
option: do not remove that file, but regenerate it and replace it with
the new version, so that Exim never has to regenerate it.

In any case, we need people whose Exim installations suffer from this
problem to test a patch before we roll it out.

> or better yet released via a security update, since it is trivial to
> DoS Exim4 from Sarge with some single SSL/TLS connections?

AFAICS, it is not possible to trigger this bug reliably (I had to
delete the params file manually to prove it).  It certainly results in
a loss of service, but it's a security vulnerability, and therefore
does not qualify as a security bug.
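The "preferred option" from the reply above, regenerating the params file into a temporary file and renaming it over the old one under a lock so that only one process ever generates and Exim never sees the file missing, as an added example script; this is not the Debian exim4 cron job or the patch discussed in the thread, and the file paths, lock directory and generator command (certtool from GnuTLS) are assumptions.

```shell
#!/bin/sh
# Added example: regenerate Exim's GnuTLS params file in place instead of
# deleting it, so Exim never has to recompute it on a live connection.
# Not the Debian exim4 cron job or the patch from the bug thread; file
# paths, the lock directory and the generator command are assumptions.

PARAMS_FILE="${PARAMS_FILE:-/var/spool/exim4/gnutls-params}"
LOCK_DIR="${LOCK_DIR:-/var/lock/exim4-gnutls-params}"
# The generator must write the new params to stdout. Assumed default:
# certtool from GnuTLS; override GEN_CMD to use something else.
GEN_CMD="${GEN_CMD:-certtool --generate-dh-params --bits 1024}"

# Write new params next to the target, then rename over it. rename(2) is
# atomic within one filesystem, so a reader sees either the complete old
# file or the complete new one, never a missing or half-written file.
regen_params() {
    target="$1"
    dir=$(dirname "$target")
    tmp=$(mktemp "$dir/.gnutls-params.XXXXXX") || return 1
    if ! sh -c "$GEN_CMD" > "$tmp"; then
        # Generation failed: keep the old file, discard the partial one.
        rm -f "$tmp"
        return 1
    fi
    # Assumption: this runs as the user Exim reads the file as, so the
    # 0600 mode mktemp gives the file is sufficient.
    mv -f "$tmp" "$target"
}

# Serialise regeneration: mkdir is atomic, so only one run holds the lock;
# a concurrent run skips instead of generating a second set of params.
regen_params_locked() {
    target="$1"
    lock="$2"
    if ! mkdir "$lock" 2>/dev/null; then
        echo "regeneration already in progress, skipping" >&2
        return 0
    fi
    rc=0
    regen_params "$target" || rc=$?
    rmdir "$lock"
    return $rc
}
```

A cron job would call `regen_params_locked "$PARAMS_FILE" "$LOCK_DIR"` in place of the `rm -f`, so the old parameters stay in service until the new ones are completely written.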
