Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 25 Dec 2016 11:44:10 +0100
From: Heiko Schlittermann <>
Subject: CVE-2016-9963 | Exim 4.87.1 released (Was: CVE
 Request - Exim 4.69-4.87) - disclosure of private information)

I've uploaded Exim 4.87.1 to:
    git:// (tag exim-4_87_1)

Whilst this release is superseeded by 4.88 already, you're urged
to upgrade to 4.87.1, if 4.88 isn't an option for you yet.

No features are added or removed. This release contains
just a fix for CVE-2016-9963

    - Fix CVE-2016-9963 - Info leak from DKIM.  When signing DKIM, if
      either LMTP or PRDR was used for delivery, the key could appear in
      logs.  Additionally, if the experimental feature "DSN_INFO" was used,
      it could appear in DSN messages (and be sent offsite).

For details about the CVE please see

The release files for 4.87.1 are signed with the PGP key 0xF69376CE,
which has a uid "Heiko Schlittermann (HS12-RIPE) <>".
Please use your own discretion in assessing what trust paths you might
have to this uid.

In case on any problems please contact us on
or on the IRC channel #exim at freenode.

Sorry for the release date.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.