Bug#882648: exim4: remote code execution in chunking
Andreas Metzler
ametzler at bebt.de
Sat Nov 25 10:34:56 UTC 2017
On 2017-11-25 Dominic Hargreaves <dom at earth.li> wrote:
> Package: exim4
> Version: 4.89-9
> Severity: grave
> Tags: security
> Justification: remote code execution
> ----- Forwarded message from Phil Pennock <pdp at exim.org> -----
[...]
> With immediate effect, please apply this workaround: if you are running
> Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
> section of your Exim configuration, set:
> chunking_advertise_hosts =
[...]
> ----- End forwarded message -----
Hello,
please note that Debian/stable is patched to set
chunking_advertise_hosts =
by default. Therefore stable users should not be affected unless they
have locally set chunking_advertise_hosts to a nonempty value.
Also there seem to be two separate issues
https://bugs.exim.org/show_bug.cgi?id=2199
and
https://bugs.exim.org/show_bug.cgi?id=2201
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
More information about the Pkg-exim4-maintainers
mailing list