<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce">
    <title>gmane.mail.exim.announce</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/148"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/147"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/146"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/145"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/144"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/143"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/142"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/141"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/140"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/139"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/138"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/137"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/136"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/135"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/134"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.mail.exim.announce/133"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/148">
    <title>Apologies for unexpected exim.org downtime</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/148</link>
    <description>&lt;pre&gt;The machine hosting exim.org suffered some unexpected downtime on the
afternoon of Friday 26 October between 14:51 and 17:12. The server failed
to reboot because of some minor disk corruption and it took rather too
long to fix this problem.

The downtime was not related to the security patch release of Exim earlier
in the day.

Sorry for any inconvenience this may have caused.

Tony.
&lt;/pre&gt;</description>
    <dc:creator>Tony Finch</dc:creator>
    <dc:date>2012-10-26T16:46:33</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/147">
    <title>Exim 4.80.1 Security Release</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/147</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Exim release 4.80.1 is now available from the primary ftp site:
  * ftp://ftp.exim.org/pub/exim/exim4/exim-4.80.1.tar.gz
  * ftp://ftp.exim.org/pub/exim/exim4/exim-4.80.1.tar.bz2
 _________________________________________________________________

This is a SECURITY release, addressing a CRITICAL remote code execution
flaw in versions of Exim between 4.70 and 4.80 inclusive, when built
with DKIM support (the default).  This release is identical to 4.80
except for the small changes needed to plug the security hole.  The next
release of Exim will, eventually, be 4.82, which will include the many
improvements we've made since 4.80, but which will require the normal
release candidate baking process before release.

You are not vulnerable if you built Exim with DISABLE_DKIM or if you
put this at the start of an ACL plumbed into acl_smtp_connect or
acl_smtp_rcpt:

  warn control = dkim_disable_verify

I apologise for the impact of releasing this on a Friday.  I do&lt;/pre&gt;</description>
    <dc:creator>Phil Pennock</dc:creator>
    <dc:date>2012-10-26T08:03:30</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/146">
    <title>Security/DKIM: use adequate key sizes</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/146</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Folks,

For a narrative walk-through of what can go wrong when you don't use
large enough keys in public cryptography, as applied in a real world
attack against DKIM in email:

  http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/

There is a US-CERT announcement:

  http://www.kb.cert.org/vuls/id/268267

In particular, a number of tutorials on how to set up DKIM will have the
administrator use the openssl command to create a 512 or 768 bit RSA
key.  This is unwise, and may permit others to fraudulently assert that
their mail comes from you.  If your mail and reputation are worth
protecting, they're worth protecting right.

  “A 384-bit key I can factor on my laptop in 24 hours,” he says. “The
  512-bit keys I can factor in about 72 hours using Amazon Web Services
  for $75. And I did do a number of those. Then there are the 768-bit
  keys. Those are not factorable by a normal person like me with my
  resources alone. But the gover&lt;/pre&gt;</description>
    <dc:creator>Phil Pennock</dc:creator>
    <dc:date>2012-10-24T20:48:50</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/145">
    <title>Exim, TLS, "CRIME" attack</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/145</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Short version: if you take authentication data in Exim, or supply it,
over TLS, with Exim built against OpenSSL, then you _might_ want to set:
  openssl_options = +no_compression
in your Exim configuration file.  This option value requires Exim 4.80
and a version of OpenSSL which defines SSL_OP_NO_COMPRESSION (1.0.0 or
greater).  We might fix this for Exim 4.81 to not be necessary.

There's no adjustment possible with GnuTLS yet.

Longer version:

The "CRIME" attack uses TLS compression against itself: if someone can
control part of the content of a TLS session, they can iterate across
multiple sessions to try to make the packets smaller, by trying to
repeat content they don't have access to: your SMTP authentication data.

Any sort of attack would probably trip any ratelimits you might have
configured, and would be visible as many mails, and requires the
attacker to both be able to send mail from a client and witness the
packet sizes on the wire, and send &lt;/pre&gt;</description>
    <dc:creator>Phil Pennock</dc:creator>
    <dc:date>2012-10-09T17:34:20</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/144">
    <title>Exim 4.80 Release for Debian</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/144</link>
    <description>&lt;pre&gt;When will be available the debianized version ?
I'd like to use the 4.80 in my Ubuntu Server 12.04.
Please excuse me if this is not the correct mlist to discuss this item 
(if so what is the correct one ?).

Best Regards

luciano

&lt;/pre&gt;</description>
    <dc:creator>l.rinetti&lt; at &gt;movimatica.com</dc:creator>
    <dc:date>2012-08-06T10:08:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/143">
    <title>Exim 4.80 Release</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/143</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Exim release 4.80 is now available from the primary ftp site:
  * ftp://ftp.exim.org/pub/exim/exim4/exim-4.80.tar.gz
  * ftp://ftp.exim.org/pub/exim/exim4/exim-4.80.tar.bz2
 _________________________________________________________________

This release contains backwards incompatible changes.  PLEASE read the
README.UPDATING file before upgrading.  These changes affect OpenSSL,
GnuTLS and LDAP.

OpenSSL default options have changed to be more secure, including
disabling of SSLv2 by default (and adding support for TLSv1.1 and
TLSv1.2 if using OpenSSL 1.0.1 or newer); GnuTLS has been updated to use
a new API and stop honouring some options starting gnutls_*; users of
LDAP can now distinguish "comma in data" from "multi-valued attribute".
There are more details, covering more changes, in README.UPDATING.

We now enable accept_8bitmime by default, as the Exim maintainers agree
with Dan Bernstein about the best way to deal with the 8BITMIME
extension.

Building&lt;/pre&gt;</description>
    <dc:creator>Phil Pennock</dc:creator>
    <dc:date>2012-05-31T10:02:32</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/142">
    <title>Exim 4.77 Release</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/142</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Exim release 4.77 is now available from the primary ftp site:
  * ftp://ftp.exim.org/pub/exim/exim4/exim-4.77.tar.gz
  * ftp://ftp.exim.org/pub/exim/exim4/exim-4.77.tar.bz2
 _________________________________________________________________

This release contains backwards incompatible changes.  PLEASE read the
README.UPDATING file before upgrading.  Per the recent Exim-Announce
notice, we have realised that the match_&amp;lt;type&amp;gt;{}{} expansion conditions
were too powerful and sometimes misused, leading to configurations with
security issues, such as SQL injection attacks.

So we have restricted their functionality.  The README.UPDATING file
describes precisely what has changed and what the alternatives are, and
how to restore the old functionality, should you need to.

In brighter news: rate-limiting is now more powerful and users of GnuTLS
can now use TLS 1.1 and 1.2 for connections.
 _________________________________________________________________

The primary&lt;/pre&gt;</description>
    <dc:creator>Phil Pennock</dc:creator>
    <dc:date>2011-10-10T05:56:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/141">
    <title>Exim Security: 4.77 hardening of match_* conditions</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/141</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Folks,

The forthcoming Exim 4.77 release (now in Release Candidate state) will
have a backwards-incompatible change by default, in configuration
parsing of four expansion conditions: "match_address", "match_domain",
"match_ip" &amp;amp; "match_local_part".

Exim's treatment of these options has matched the documentation, but
does not appear to match the expectations of many administrators, who as
a result may have created configurations which have a security flaw,
leading to problems such as SQL injection.

Exim's configuration language generally provides a lot of power, but
also requires the administrator to use functions like ${quote_mysql:...}
when constructing an SQL query.  We let you shoot yourself in the foot.
We also provide an ${expand:...} operator, to let you re-expand strings;
hopefully it is obvious that re-expanding data extracted from an email's
headers is a security problem.  This is much like the "eval"
functionality of many scripting languages.

&lt;/pre&gt;</description>
    <dc:creator>Phil Pennock</dc:creator>
    <dc:date>2011-10-03T12:23:26</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/140">
    <title>Exim, TLS, BEAST et al - security notes</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/140</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Administrators may be worried about the current reports of the so-called
"BEAST" attacks against SSL/TLS.  This mail addresses the impact on Exim
as I currently understand the issues.  I will use "TLS" below to mean
SSL and/or TLS, since most environments can be forced to degrade at
least down to SSL3.0.

Short version: not directly vulnerable to this threat model, but if you
use plaintext passwords over TLS to authenticate to a remote web-server,
or your clients authenticate to you in this way, then there are more
general issues to be aware of.  There are TLS compatibility vs security
trade-offs that you might want to tune in this case.  See the existing
documentation for the "openssl_options" variable and the documented
suggested alternate value; the option was added in Exim 4.73.  Online
documentation:

  http://www.exim.org/exim-html-current/doc/html/spec_html/ch14.html

At this point, there are no plans to release a new version of Exim
specifically to &lt;/pre&gt;</description>
    <dc:creator>Phil Pennock</dc:creator>
    <dc:date>2011-09-24T02:56:11</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/139">
    <title>Exim list changes</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/139</link>
    <description>&lt;pre&gt;I have just made 2 changes to the list configurations on exim.org:-

  1. Monthly list reminders have been switched off.
     It has been a long time since these were considered best
     practice, and routinely sending out clear text passwords
     is not sensible.

  2. VERP has been set on all the lists.  This will make the
     handling of non-delivery notifications much more effective.
     If you filter lists based on the envelope sender address then
     this may break your filtering.  The message headers should not
     change.

VERP handling will increase the load on the exim.org machines, but
the reduced throughput on the list in recent years makes this less 
of an issue.

Nigel.

--
[ Nigel Metheringham ------------------------------ nigel&amp;lt; at &amp;gt;dotdot.it ]
[                 Ellipsis Intangible Technologies                  ]
&lt;/pre&gt;</description>
    <dc:creator>Nigel Metheringham</dc:creator>
    <dc:date>2011-09-05T20:45:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/138">
    <title>Exim 4.76 Release: updated impact assessment</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/138</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On 2011-05-09 at 05:16 -0400, Phil Pennock wrote:

Further analysis revealed that the second security issue was more severe than
I realised at the time that I wrote the announcement.  The second
security issue has been assigned CVE-2011-1407 and is also a remote code
execution flaw.  For clarity: both issues were introduced with 4.70.

If you have already updated to Exim 4.76, then no further action is
required.  If you are running 4.76 RC1, or have cherry-picked patches
back to your release, then please either update or start hunting some
fresh cherries.


Users of HP-UX will wish to apply the patch available at:
  http://git.exim.org/exim.git/commit/f1a29782e1db8bae2bdadf1335c3687cb8b820f6

Regards,
- -Phil

&lt;/pre&gt;</description>
    <dc:creator>Phil Pennock</dc:creator>
    <dc:date>2011-05-12T10:29:09</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/137">
    <title>Exim 4.76 Release</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/137</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Exim release 4.76 is now available from the primary ftp site:
  * ftp://ftp.exim.org/pub/exim/exim4/exim-4.76.tar.gz
  * ftp://ftp.exim.org/pub/exim/exim4/exim-4.76.tar.bz2
 _________________________________________________________________

This is a SECURITY release: Exim versions 4.70 up to and including 4.75
contained a security hole (format string attack) permitting remote
execution of arbitrary code as the Exim run-time user.  This is
CVE-2011-1764.  There is also another, lesser security issue.  Both lie
in the DKIM code and mitigation techniques are described below.

Note that as part of our work to improve Exim and protect against future
security issues, some changes were made to the code to pass gcc with
many more warnings enabled, and in some cases to compile with Clang.
Although feedback so far has been positive, there remains a chance that
these changes will cause compilation problems on lesser-tested
platforms; please raise any issues encounter&lt;/pre&gt;</description>
    <dc:creator>Phil Pennock</dc:creator>
    <dc:date>2011-05-09T09:16:32</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/136">
    <title>Exim 4.72 release</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/136</link>
    <description>&lt;pre&gt;Exim release 4.72 is now available from the primary ftp site:
  * ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.gz
  * ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.bz2
  _________________________________________________________________

The changes involved are:-

 1. TWO SECURITY FIXES: one relating to mail-spools which are globally
    writable, the other to locking of MBX folders (not mbox).
    These have CVE identifiers CVE-2010-2023 and CVE-2010-2024

 2. MySQL stored procedures are now supported.

 3. The dkim_domain transport option is now a list, not a single 
    string, and messages will be signed for each element in the
    list (discarding duplicates).

 4. The 4.70 release unexpectedly changed the behaviour of dnsdb TXT 
    lookups in the presence of multiple character strings within
    the RR. Prior to 4.70, only the first string would be returned.
    The dnsdb lookup now, by default, preserves the pre-4.70
    semantics, but also now takes an extended output separator
    specificatio&lt;/pre&gt;</description>
    <dc:creator>Nigel Metheringham</dc:creator>
    <dc:date>2010-06-03T12:48:41</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/135">
    <title>Spam attacks on lists</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/135</link>
    <description>&lt;pre&gt;I've been expecting this for a number of years, but its finally hit us...

We have had 2 instances today of spam sent to these lists from 
subscribers, neither of which was picked up by the content scanning.

So I've made 2 sets of changes to the list configurations:-

  1. All lists now have new members set to be moderated.
     We will then take them off moderation when they post on-subject
     messages to the list.

  2. All lists other than the exim-users lists have had all existing
     members set to be moderated.  Again users will be taken off
     moderation as we approve messages from them.
     All of the affected lists are relatively low traffic.

This will mean longer delays on postings until people get set non-moderated.
Sorry for that, but I'd prefer to keep the lists relatively spam free,
despite it being something like trying to keep back the sea.

Nigel.

--
[ Nigel Metheringham             Nigel.Metheringham&amp;lt; at &amp;gt;InTechnology.com ]
[ - Comments in this message are my own and not ITO opinion/po&lt;/pre&gt;</description>
    <dc:creator>Nigel Metheringham</dc:creator>
    <dc:date>2010-05-18T13:35:43</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/134">
    <title>Exim 4.71 Release</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/134</link>
    <description>&lt;pre&gt;Exim release 4.71 is now available from the primary ftp site:
   * ftp://ftp.exim.org/pub/exim/exim4/exim-4.71.tar.gz
   * ftp://ftp.exim.org/pub/exim/exim4/exim-4.71.tar.bz2 

=====================================================================

This release is a pure bug fix release over version 4.70. 

The main changes are:-
   * Bugzilla 912: Fix DKIM segfault on empty headers/body
   * Bugzilla 913: Documentation fix for gnutls_* options.
   * Bugzilla 722: Documentation for randint. Better randomness defaults.
   * Bugzilla 847: Enable DNSDB lookup by default.
   * Bugzilla 915: Flag broken perl installation during build.

There are a few other minor build and test suite changes.
As usual, all changes are in the doc/ChangeLog file, which can also be
seen at
  http://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.71

New features in 4.70 (and hence in 4.71) can be seen in
  http://ftp.exim.org/pub/exim/ChangeLogs/NewStuff-4.71

=====================================================================

The pr&lt;/pre&gt;</description>
    <dc:creator>Nigel Metheringham</dc:creator>
    <dc:date>2009-11-24T12:39:20</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.mail.exim.announce/133">
    <title>Exim 4.70 Release</title>
    <link>http://permalink.gmane.org/gmane.mail.exim.announce/133</link>
    <description>&lt;pre&gt;Exim release 4.70 is now available from the primary ftp site:
    * ftp://ftp.exim.org/pub/exim/exim4/exim-4.70.tar.gz
    * ftp://ftp.exim.org/pub/exim/exim4/exim-4.70.tar.bz2 

=====================================================================

This release is a combination feature and bug fix release. 
The major new features are:-
    * Native DKIM support without an external library.
    * Experimental DCC support via dccifd (contributed by Wolfgang Breyha). 

Other changes:-
    * PCRE is no longer included with the Exim distribution. You will
      need a separate PCRE library (and matching headers) to compile
      Exim. You will need to change your Local/Makefile to support
      this. Most modern systems have a packaged PCRE library,
      alternatively PCRE can be found at http://www.pcre.org/
    * Experimental Yahoo! Domainkeys support dropped in favor of
      native DKIM support. 
    * The documentation has been updated and regenerated.

As usual, all changes are in the doc/ChangeLog file, &lt;/pre&gt;</description>
    <dc:creator>Nigel Metheringham</dc:creator>
    <dc:date>2009-11-14T09:14:51</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.mail.exim.announce">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.mail.exim.announce</link>
  </textinput>
</rdf:RDF>
