Bug#676563: closed by Andreas Metzler <ametzler at debian.org> (Bug#676563: fixed in exim4 4.80-3)

Kevin Mitchell kevmitch at math.sfu.ca
Sat Jun 9 19:25:25 UTC 2012


Thanks! Works great. I've also informed the admin of pobox.sfu.ca of the
vulnerability.

On Fri 12.06.08 11:36, Debian Bug Tracking System wrote:
>This is an automatic notification regarding your Bug report
>which was filed against the src:exim4 package:
>
>#676563: exim4: new minimum Diffie-Hellman length breaks sending, not configurable
>
>It has been closed by Andreas Metzler <ametzler at debian.org>.
>
>Their explanation is attached below along with your original report.
>If this explanation is unsatisfactory and you have not received a
>better one in a separate message then please contact Andreas Metzler <ametzler at debian.org> by
>replying to this email.
>
>

>Date: Fri, 08 Jun 2012 11:32:57 +0000
>From: Andreas Metzler <ametzler at debian.org>
>To: 676563-close at bugs.debian.org
>Subject: Bug#676563: fixed in exim4 4.80-3
>
>Source: exim4
>Source-Version: 4.80-3
>
>We believe that the bug you reported is fixed in the latest version of
>exim4, which is due to be installed in the Debian FTP archive:
>
>exim4-base_4.80-3_i386.deb
>  to main/e/exim4/exim4-base_4.80-3_i386.deb
>exim4-config_4.80-3_all.deb
>  to main/e/exim4/exim4-config_4.80-3_all.deb
>exim4-daemon-heavy-dbg_4.80-3_i386.deb
>  to main/e/exim4/exim4-daemon-heavy-dbg_4.80-3_i386.deb
>exim4-daemon-heavy_4.80-3_i386.deb
>  to main/e/exim4/exim4-daemon-heavy_4.80-3_i386.deb
>exim4-daemon-light-dbg_4.80-3_i386.deb
>  to main/e/exim4/exim4-daemon-light-dbg_4.80-3_i386.deb
>exim4-daemon-light_4.80-3_i386.deb
>  to main/e/exim4/exim4-daemon-light_4.80-3_i386.deb
>exim4-dbg_4.80-3_i386.deb
>  to main/e/exim4/exim4-dbg_4.80-3_i386.deb
>exim4-dev_4.80-3_i386.deb
>  to main/e/exim4/exim4-dev_4.80-3_i386.deb
>exim4_4.80-3.debian.tar.gz
>  to main/e/exim4/exim4_4.80-3.debian.tar.gz
>exim4_4.80-3.dsc
>  to main/e/exim4/exim4_4.80-3.dsc
>exim4_4.80-3_all.deb
>  to main/e/exim4/exim4_4.80-3_all.deb
>eximon4_4.80-3_i386.deb
>  to main/e/exim4/eximon4_4.80-3_i386.deb
>
>
>
>A summary of the changes between this version and the previous one is
>attached.
>
>Thank you for reporting the bug, which will now be closed.  If you
>have further comments please address them to 676563 at bugs.debian.org,
>and the maintainer will reopen the bug report if appropriate.
>
>Debian distribution maintenance software
>pp.
>Andreas Metzler <ametzler at debian.org> (supplier of updated exim4 package)
>
>(This message was generated automatically at their request; if you
>believe that there is a problem with it please contact the archive
>administrators by mailing ftpmaster at debian.org)
>
>
>Format: 1.8
>Date: Fri, 08 Jun 2012 12:37:05 +0200
>Source: exim4
>Binary: exim4-base exim4-config exim4-daemon-light exim4 exim4-daemon-heavy exim4-daemon-custom eximon4 exim4-dbg exim4-daemon-light-dbg exim4-daemon-heavy-dbg exim4-daemon-custom-dbg exim4-dev
>Architecture: source i386 all
>Version: 4.80-3
>Distribution: unstable
>Urgency: low
>Maintainer: Exim4 Maintainers <pkg-exim4-maintainers at lists.alioth.debian.org>
>Changed-By: Andreas Metzler <ametzler at debian.org>
>Description:
> exim4      - metapackage to ease Exim MTA (v4) installation
> exim4-base - support files for all Exim MTA (v4) packages
> exim4-config - configuration for the Exim MTA (v4)
> exim4-daemon-custom - custom Exim MTA (v4) daemon with locally set features
> exim4-daemon-custom-dbg - debugging symbols for the Exim MTA (v4) packages
> exim4-daemon-heavy - Exim MTA (v4) daemon with extended features, including exiscan-ac
> exim4-daemon-heavy-dbg - debugging symbols for the Exim MTA "heavy" daemon
> exim4-daemon-light - lightweight Exim MTA (v4) daemon
> exim4-daemon-light-dbg - debugging symbols for the Exim MTA "light" daemon
> exim4-dbg  - debugging symbols for the Exim MTA (utilities)
> exim4-dev  - header files for the Exim MTA (v4) packages
> eximon4    - monitor application for the Exim MTA (v4) (X11 interface)
>Closes: 676563
>Changes:
> exim4 (4.80-3) unstable; urgency=low
> .
>   * Pull 75_openssl_sni.diff from upstream. - Segfault caused by NULL
>     dereference if Exim is built using OpenSSL, tls_sni is used and a
>     forced expansion failure is configured.
>   * Pull 76_tls_dh_min_bits.diff (and the corresponding doc change
>     77_docsfortls_dh_min_bits.diff) from upstream. Adds a new SMTP transport
>     option tls_dh_min_bits for setting the minimal size of DH parameters.
>   * Add macro TLS_DH_MIN_BITS for setting the tls_dh_min_bits smtp transport
>     option. Closes: #676563
>   * [lintian] Stop shipping empty directory /usr/share/exim4 in exim4-base.
>
>

>Date: Thu, 07 Jun 2012 12:51:51 -0700
>From: Kevin Mitchell <kevmitch at math.sfu.ca>
>To: Debian Bug Tracking System <submit at bugs.debian.org>
>Subject: exim4: new minimum Diffie-Hellman length breaks sending, not
> configurable
>X-Mailer: reportbug 6.4
>
>Source: exim4
>Version: 4.80-2
>Severity: important
>
>This breaks relaying to my smarthost which requires secure
>authentication, but apparently doesn't have the new required DH size of
>2048.
>
>from /var/log/exim4/mainlog:
>
>2012-06-07 11:57:56 1Schu8-0005cQ-SD <= kevmitch at math.sfu.ca U=kevmitch P=local S=472 id=20120607185756.GA21542 at math.sfu.ca
>2012-06-07 11:58:02 1Schu8-0005cQ-SD TLS error on connection to pobox.sfu.ca [142.58.101.28] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
>
>Maybe a key shorter than 2048 is "insecure", but most people (myself
>included) are not in a position to "fix" their smarthost. This wouldn't
>be so bad as a default, except that as far as I can tell, there is no
>way to configure it short of recompiling without 66_enlarge-dh-parameters-size.dpatch.
>
>I would recommend either dropping the patch or adding a runtime configuration option.
>
>Kevin
>
>
>
>-- System Information:
>Debian Release: wheezy/sid
>  APT prefers unstable
>  APT policy: (600, 'unstable'), (500, 'testing'), (400, 'stable'), (300, 'experimental')
>Architecture: amd64 (x86_64)
>
>Kernel: Linux 3.4.1.01 (SMP w/4 CPU cores)
>Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
>Shell: /bin/sh linked to /bin/dash
>
>
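An added example, not part of this thread or of the exim4 package: a small Python scanner over constructed Exim mainlog lines that picks out the gnutls_handshake failures caused by a too-short server DH prime (the error shown in the report above) and counts them per remote host, so an admin can see which peers are affected before deciding whether to lower TLS_DH_MIN_BITS on the sending transport or ask the peer operator for a larger DH group. Host names, IPs and message ids in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in Exim mainlog format; only the shape of the
# "TLS error on connection to ..." message follows the real log format.
SAMPLE_MAINLOG = """\
2012-06-07 11:57:56 1Schu8-0005cQ-SD <= user@example.org U=user P=local S=472 id=1@example.org
2012-06-07 11:58:02 1Schu8-0005cQ-SD TLS error on connection to smarthost.example.org [192.0.2.10] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
2012-06-07 11:58:02 1Schu8-0005cQ-SD == user@example.org R=smarthost T=remote_smtp defer (-37): TLS session: (gnutls_handshake): handshake failed
2012-06-07 12:03:15 1Schuf-0005d1-AA TLS error on connection to smarthost.example.org [192.0.2.10] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
2012-06-07 12:05:40 1Schv2-0005e7-QQ TLS error on connection to mx.example.net [198.51.100.5] (gnutls_handshake): A TLS fatal alert has been received.
2012-06-07 12:06:01 1Schv2-0005e7-QQ => dst@example.net R=dnslookup T=remote_smtp H=mx2.example.net [198.51.100.6] X=TLS1.0:RSA_AES_256_CBC_SHA1:32
"""

# Matches the client-side TLS failure line Exim writes for an outbound connection.
TLS_ERR = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) TLS error on connection to "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] \((?P<lib>[^)]+)\): (?P<reason>.*)$"
)
# Reason text GnuTLS reports when the peer's DH prime is below the minimum.
DH_TOO_SHORT = "Diffie-Hellman prime sent by the server is not acceptable"


def parse_tls_errors(log_text):
    """Return one dict per outbound TLS handshake error line."""
    return [m.groupdict() for m in map(TLS_ERR.match, log_text.splitlines()) if m]


def dh_too_short_by_host(log_text):
    """Map (host, ip) -> number of deliveries that failed because the peer's
    DH prime was shorter than the configured tls_dh_min_bits."""
    counts = Counter()
    for e in parse_tls_errors(log_text):
        if DH_TOO_SHORT in e["reason"]:
            counts[(e["host"], e["ip"])] += 1
    return dict(counts)


def other_tls_errors(log_text):
    """TLS handshake failures with some other cause, kept separate so the
    DH-size problem is not conflated with unrelated peer breakage."""
    return [e for e in parse_tls_errors(log_text) if DH_TOO_SHORT not in e["reason"]]


if __name__ == "__main__":
    for (host, ip), n in sorted(dh_too_short_by_host(SAMPLE_MAINLOG).items()):
        print(f"{host} [{ip}]: {n} deferral(s) due to short DH prime")
    for e in other_tls_errors(SAMPLE_MAINLOG):
        print(f"{e['host']} [{e['ip']}]: other TLS error: {e['reason']}")
```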