Bug#882648: exim4: remote code execution in chunking

Dominic Hargreaves dom at earth.li
Sat Nov 25 09:25:43 UTC 2017


Package: exim4
Version: 4.89-9
Severity: grave
Tags: security
Justification: remote code execution

Source: https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html

----- Forwarded message from Phil Pennock <pdp at exim.org> -----

Date: Fri, 24 Nov 2017 22:48:42 -0500
From: Phil Pennock <pdp at exim.org>
To: exim-announce at exim.org
Subject: [exim-announce] Critical Exim Security Vulnerability: disable chunking
Reply-To: exim-announce-owner at exim.org

Folks,

A remote code execution vulnerability has been reported in Exim, with
immediate public disclosure (we were given no private notice).
A tentative patch exists but has not yet been confirmed.

With immediate effect, please apply this workaround: if you are running
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
section of your Exim configuration, set:

  chunking_advertise_hosts =

That's an empty value, nothing on the right of the equals.  This
disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoiding letting an attacker apply the logic.

This should be a complete workaround.  Impact of applying the workaround
is that mail senders have to stick to the traditional DATA verb instead
of using BDAT.

We've requested CVEs.  More news will be forthcoming as we get this
worked out.

-Phil



-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-announce Exim details at http://www.exim.org/ ##


----- End forwarded message -----
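A way to confirm the workaround from the forwarded message took effect: after `chunking_advertise_hosts =` is set, the server's EHLO reply must no longer list CHUNKING. This is an added example, not code from the exim-announce message or the Debian bug; it uses Python's standard `smtplib` for the live check, the HELO name `check.example` is hypothetical, and the two EHLO reply bodies are constructed samples (one with CHUNKING advertised, one without).

```python
"""Check whether an SMTP server advertises the ESMTP CHUNKING extension.

Added example: verifies that disabling CHUNKING in Exim (empty
chunking_advertise_hosts) is visible to clients, i.e. the EHLO reply
no longer offers CHUNKING and therefore the BDAT verb is not available.
"""
import smtplib


def parse_ehlo_extensions(ehlo_body):
    """Return the set of ESMTP keywords in an EHLO reply body.

    `ehlo_body` is the reply text with the 250 status codes already
    stripped, one extension per line, as smtplib.SMTP.ehlo() returns it;
    the first line is the server greeting and is skipped.
    """
    keywords = set()
    for line in ehlo_body.splitlines()[1:]:
        keyword = line.strip().split(" ", 1)[0].upper()
        if keyword:
            keywords.add(keyword)
    return keywords


def advertises_chunking(ehlo_body):
    return "CHUNKING" in parse_ehlo_extensions(ehlo_body)


def check_server(host, port=25, timeout=10):
    """Live check: connect, send EHLO, report whether CHUNKING is offered."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo("check.example")  # hypothetical HELO name
        if code != 250:
            raise RuntimeError(f"EHLO failed: {code} {msg!r}")
        return advertises_chunking(msg.decode("ascii", "replace"))


# Constructed EHLO reply bodies, in the form smtplib hands them back.
EHLO_BEFORE_WORKAROUND = (
    "mail.example Hello client.example [192.0.2.10]\n"
    "SIZE 52428800\n8BITMIME\nPIPELINING\nCHUNKING\nSTARTTLS\nHELP"
)
EHLO_AFTER_WORKAROUND = (
    "mail.example Hello client.example [192.0.2.10]\n"
    "SIZE 52428800\n8BITMIME\nPIPELINING\nSTARTTLS\nHELP"
)

if __name__ == "__main__":
    print("before workaround:", advertises_chunking(EHLO_BEFORE_WORKAROUND))  # True
    print("after workaround: ", advertises_chunking(EHLO_AFTER_WORKAROUND))   # False
```

Run `check_server("your.mail.host")` against your own server after reloading Exim; a `False` result means the workaround is in effect.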


