Bug#882648: exim4: remote code execution in chunking

Andreas Metzler ametzler at bebt.de
Sat Nov 25 10:34:56 UTC 2017


On 2017-11-25 Dominic Hargreaves <dom at earth.li> wrote:
> Package: exim4
> Version: 4.89-9
> Severity: grave
> Tags: security
> Justification: remote code execution

> ----- Forwarded message from Phil Pennock <pdp at exim.org> -----
[...]
> With immediate effect, please apply this workaround: if you are running
> Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
> section of your Exim configuration, set:

>   chunking_advertise_hosts =
[...]
> ----- End forwarded message -----

Hello,

please note that Debian/stable is patched to set
 chunking_advertise_hosts =
by default. Therefore stable users should not be affected unless they
have locally set chunking_advertise_hosts to a nonempty value.

Also there seem to be two separate issues
https://bugs.exim.org/show_bug.cgi?id=2199
and
https://bugs.exim.org/show_bug.cgi?id=2201

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
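The workaround quoted above (an empty `chunking_advertise_hosts` in the main section) and Andreas's remark that Debian stable already ships that default are both things an administrator will want to verify on a running host rather than take on trust. The script below is an added example, not code from the bug report, from Debian or from the Exim project. It assumes Debian's binary name `exim4`, that `exim4 -bP chunking_advertise_hosts` prints the effective value as `chunking_advertise_hosts = <value>`, and that a netcat accepting `-w` is installed; the sample EHLO responses, the `check.example` host name and the `EXIM_LIVE_CHECK` switch are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report, Debian or the Exim project.
# Checks the advisory's workaround for an Exim 4.88+ host in two ways:
#   1. the effective value of chunking_advertise_hosts must be empty;
#   2. EHLO must not list CHUNKING (the BDAT path the bug is about).
# Assumptions: Debian's binary name is exim4, `exim4 -bP <option>` prints
# "option = value", and nc (netcat) accepts -w; the sample responses and
# the host name check.example below are constructed.

# $1: one line of `exim4 -bP chunking_advertise_hosts` output.
# Returns 0 if the list is empty (workaround in place), 1 if any host
# pattern is present, 2 if the line is not -bP output at all.
chunking_disabled_in_config() {
    case $1 in
        chunking_advertise_hosts*=*) ;;
        *) return 2 ;;
    esac
    cfg_value=$(printf '%s\n' "$1" | sed 's/^chunking_advertise_hosts *= *//')
    [ -z "$cfg_value" ]
}

# $1: a complete EHLO response (CRLF or LF line endings).
# Returns 0 if a "250-CHUNKING" or "250 CHUNKING" line is present, 1 if not.
ehlo_advertises_chunking() {
    printf '%s\n' "$1" | grep -qiE '^250[ -]CHUNKING[[:space:]]*$'
}

# Constructed sample EHLO responses (not captured from a real server).
SAMPLE_EHLO_CHUNKING='250-mail.example Hello check.example [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250 HELP'

SAMPLE_EHLO_NO_CHUNKING='250-mail.example Hello check.example [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250 HELP'

# Live check against a real server: $1 is the host to probe (default
# 127.0.0.1). The sleeps let the banner arrive before EHLO is sent, since
# Exim treats input before its greeting as a synchronization error.
live_check() {
    target_host=${1:-127.0.0.1}
    cfg_line=$(exim4 -bP chunking_advertise_hosts 2>/dev/null || true)
    if chunking_disabled_in_config "$cfg_line"; then
        echo "config: chunking_advertise_hosts is empty (workaround in place)"
    else
        echo "config: workaround NOT confirmed: '${cfg_line:-no output from exim4 -bP}'"
    fi
    ehlo_reply=$( { sleep 1; printf 'EHLO check.example\r\n'; sleep 1;
                    printf 'QUIT\r\n'; } | nc -w 5 "$target_host" 25 )
    if ehlo_advertises_chunking "$ehlo_reply"; then
        echo "ehlo: $target_host advertises CHUNKING, BDAT is reachable"
        return 1
    fi
    echo "ehlo: $target_host does not advertise CHUNKING"
}

# Only probe a real server when asked, so the functions above can be
# sourced or tested without exim4 or a listening port 25.
if [ "${EXIM_LIVE_CHECK:-0}" = 1 ]; then
    live_check "$@"
fi
```

Run it on the mail host as `EXIM_LIVE_CHECK=1 sh check-chunking.sh` (or pass another host name to probe a remote EHLO only). On an unmodified Debian stable install both lines should report the workaround in place; if the EHLO probe still shows CHUNKING, some local override of `chunking_advertise_hosts` is in effect and the `-bP` line will show which host list it was set to.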


