Date: Wed, 28 May 2014 10:57:21 -0400
From: Phil Pennock <oss-security-phil@...dhuis.org>
To: OSS Security <oss-security@...ts.openwall.com>
Subject: Fwd: [exim-announce] Exim 4.82.1 Security Release

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Short version: Exim MTA, CVE-2014-2957, remote code execution based on email header content when built with the EXPERIMENTAL_DMARC option. Flaw introduced with that option in Exim 4.82, which was previously the current release; no prior releases affected. EXPERIMENTAL_DMARC is not on by default. 4.82.1 is 4.82 with only this fix.

Exploitation difficulty should be considered "trivial".

(We're also about to start the RC series for 4.83, which has many many more changes; this issue warranted backport).

Heads-up went to packagers who've worked closely with us in the past and, I believe, belatedly to linux-distros@. That included the new release tarballs and the separated out patch, also PGP-signed (by an Exim Maintainer key in the Strong Set, per our policy, to maximise chances of verifiability).

Root cause: lack of more experienced Exim developer oversight in reviewing commits, given the nature of the comment attached to the bad code:

http://git.exim.org/exim.git/commitdiff/5b7a7c051c9ab9ee7c924a611f90ef2be03e0ad0

Also: layer violation, a highly convenient language for configuration and a lack of tainting at the C level to catch this and scream, when untrusted data is inserted via %s formatting into a string which is then expanded with the full power of the configuration language. Morally equivalent to "shell eval of header content".
Regards,
-Phil, pdp@...m.org

----- Forwarded message from Todd Lyons <tlyons@...m.org> -----

From: Todd Lyons <tlyons@...m.org>
Subject: [exim-announce] Exim 4.82.1 Security Release
To: Exim Dev <exim-dev@...m.org>, Exim Users <exim-users@...m.org>, Exim Announce <exim-announce@...m.org>
Date: Wed, 28 May 2014 13:25:36 +0100
Message-ID: <20140528122535.GA28379@...m.org>

Exim release 4.82.1 is now available from the primary ftp site:

* ftp://ftp.exim.org/pub/exim/exim4/exim-4.82.1.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-4.82.1.tar.bz2

_________________________________________________________________

This is a SECURITY release, addressing a CRITICAL remote code execution flaw in Exim version 4.82 (only) when built with DMARC support (an experimental feature, not on by default). This release is identical to 4.82 except for the small change needed to plug the security hole. The next release of Exim will, eventually, be 4.83, which will include the many improvements we've made since 4.82, but which will require the normal release candidate baking process before release.

You are not vulnerable unless you built Exim with EXPERIMENTAL_DMARC.

This issue is known by the CVE ID CVE-2014-2957 and was reported directly to the Exim development team by a company which uses Exim for its mail server. An Exim developer constructed a small patch which altered the way the contents of the From header are parsed by converting it to use safer and better internal functions. It was applied and tested on a production server for correctness.

We were notified of the vulnerability Friday night, created a patch on Saturday, applied and tested it on Sunday, notified OS packagers on Monday/Tuesday, and are releasing on the next available work day, which is Wednesday. This is why we have made the smallest feasible changes to prevent exploit: we want this change to be as safe as possible to expedite into production (if the packages were built with DMARC).
_________________________________________________________________

The primary ftp server is in Cambridge, England. There is a list of mirrors in:

* http://www.exim.org/mirmon/ftp_mirrors.html

The master ftp server is ftp.exim.org, which is also accessible at http://ftp.exim.org.

The distribution files are signed with Todd Lyons' PGP key 0xC4F4F94804D29EBA (uid tlyons@...m.org with a strong relationship to prior release engineer Phil Pennock's PGP key 0x403043153903637F). This key should be available from all modern PGP keyservers. Please use your own discretion in assessing what trust paths you might have to this uid; the "Release verification" section of the Release Policy might be of assistance:

* http://wiki.exim.org/EximReleasePolicy

The detached ASCII signature files are in the same directory as the tarbundles. The SHA256 hashes for the distribution files are at the end of this email.

The distribution contains an ASCII copy of the 4.82.1 manual and other documents. Other formats of the documentation are also available:

* ftp://ftp.exim.org/pub/exim/exim4/exim-html-4.82.1.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-pdf-4.82.1.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-postscript-4.82.1.tar.gz

The .bz2 versions of these tarbundles are also available.

The only change is this bugfix, thus no ChangeLog-4.82.1 file. There are no new features, thus no NewStuff-4.82.1 file.
_________________________________________________________________

Release Checksums

SHA256:

-- 
Todd Lyons, pp The Exim Maintainers.
----- End forwarded message -----
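The root-cause paragraph in Phil's message describes untrusted header content being %s-formatted into a string that is then expanded, and the absence of C-level tainting that would have caught it. The added C example below is mine, not Exim's code or the 4.82.1 patch, and every name in it (tstr, from_untrusted, build_template, expand_string, header_domain) is hypothetical; it models the taint idea (the taint survives formatting, so a stand-in expander refuses the result) beside the safe pattern of parsing the header as data and never handing it to the expander.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy tainted-string type standing in for the C-level tainting the advisory
   says was missing. All names here are this example's, not Exim's. */
typedef struct { char text[256]; bool tainted; } tstr;

/* Anything that arrived from the network, such as a From: header, is tainted. */
static tstr from_untrusted(const char *s) {
    tstr t = { .tainted = true };
    snprintf(t.text, sizeof t.text, "%s", s);
    return t;
}

/* %s-formatting a tainted value into a template taints the result; this is
   the step that turned header content into configuration-language syntax. */
static tstr build_template(const char *fmt, const tstr *arg) {
    tstr t = { .tainted = arg->tainted };
    snprintf(t.text, sizeof t.text, fmt, arg->text);
    return t;
}

/* Stand-in for the expander: it refuses tainted input rather than interpret
   ${...} sequences that a sender may have supplied. Returns 0 and copies the
   (here unexpanded) text on success, -1 when it refuses. */
static int expand_string(const tstr *s, char *out, size_t outlen) {
    if (s->tainted) {
        fprintf(stderr, "expand_string: refusing tainted input\n");
        return -1;
    }
    snprintf(out, outlen, "%s", s->text);
    return 0;
}

/* Safe path: treat the header as data and copy out the domain part of the
   address with plain parsing. Returns 0 on success, -1 if no address found. */
static int header_domain(const tstr *hdr, char *out, size_t outlen) {
    const char *at = strrchr(hdr->text, '@');
    if (!at) return -1;
    size_t n = strcspn(at + 1, "> \t");   /* domain ends at '>' or whitespace */
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, at + 1, n);
    out[n] = '\0';
    return 0;
}
```

A constructed header containing `$` and `{` characters is refused on the template path but parsed correctly on the data path; only configuration-origin (untainted) strings reach the expander.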