Thanks! Works great. I've also informed the admin of pobox.sfu.ca of the vulnerability.
On Fri 12.06.08 11:36, Debian Bug Tracking System wrote:
This is an automatic notification regarding your Bug report
which was filed against the src:exim4 package:

#676563: exim4: new minimum Diffie-Hellman length breaks sending, not configurable

It has been closed by Andreas Metzler <ametz...@debian.org>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Andreas Metzler
<ametz...@debian.org> by replying to this email.
Date: Fri, 08 Jun 2012 11:32:57 +0000
From: Andreas Metzler <ametz...@debian.org>
To: 676563-cl...@bugs.debian.org
Subject: Bug#676563: fixed in exim4 4.80-3

Source: exim4
Source-Version: 4.80-3

We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive:

exim4-base_4.80-3_i386.deb
  to main/e/exim4/exim4-base_4.80-3_i386.deb
exim4-config_4.80-3_all.deb
  to main/e/exim4/exim4-config_4.80-3_all.deb
exim4-daemon-heavy-dbg_4.80-3_i386.deb
  to main/e/exim4/exim4-daemon-heavy-dbg_4.80-3_i386.deb
exim4-daemon-heavy_4.80-3_i386.deb
  to main/e/exim4/exim4-daemon-heavy_4.80-3_i386.deb
exim4-daemon-light-dbg_4.80-3_i386.deb
  to main/e/exim4/exim4-daemon-light-dbg_4.80-3_i386.deb
exim4-daemon-light_4.80-3_i386.deb
  to main/e/exim4/exim4-daemon-light_4.80-3_i386.deb
exim4-dbg_4.80-3_i386.deb
  to main/e/exim4/exim4-dbg_4.80-3_i386.deb
exim4-dev_4.80-3_i386.deb
  to main/e/exim4/exim4-dev_4.80-3_i386.deb
exim4_4.80-3.debian.tar.gz
  to main/e/exim4/exim4_4.80-3.debian.tar.gz
exim4_4.80-3.dsc
  to main/e/exim4/exim4_4.80-3.dsc
exim4_4.80-3_all.deb
  to main/e/exim4/exim4_4.80-3_all.deb
eximon4_4.80-3_i386.deb
  to main/e/exim4/eximon4_4.80-3_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 676...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametz...@debian.org> (supplier of updated exim4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Fri, 08 Jun 2012 12:37:05 +0200
Source: exim4
Binary: exim4-base exim4-config exim4-daemon-light exim4 exim4-daemon-heavy exim4-daemon-custom eximon4 exim4-dbg exim4-daemon-light-dbg exim4-daemon-heavy-dbg exim4-daemon-custom-dbg exim4-dev
Architecture: source i386 all
Version: 4.80-3
Distribution: unstable
Urgency: low
Maintainer: Exim4 Maintainers <pkg-exim4-maintain...@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametz...@debian.org>
Description:
 exim4      - metapackage to ease Exim MTA (v4) installation
 exim4-base - support files for all Exim MTA (v4) packages
 exim4-config - configuration for the Exim MTA (v4)
 exim4-daemon-custom - custom Exim MTA (v4) daemon with locally set features
 exim4-daemon-custom-dbg - debugging symbols for the Exim MTA (v4) packages
 exim4-daemon-heavy - Exim MTA (v4) daemon with extended features, including exiscan-ac
 exim4-daemon-heavy-dbg - debugging symbols for the Exim MTA "heavy" daemon
 exim4-daemon-light - lightweight Exim MTA (v4) daemon
 exim4-daemon-light-dbg - debugging symbols for the Exim MTA "light" daemon
 exim4-dbg  - debugging symbols for the Exim MTA (utilities)
 exim4-dev  - header files for the Exim MTA (v4) packages
 eximon4    - monitor application for the Exim MTA (v4) (X11 interface)
Closes: 676563
Changes:
 exim4 (4.80-3) unstable; urgency=low
 .
   * Pull 75_openssl_sni.diff from upstream.
     - Segfault caused by NULL dereference if Exim is built using OpenSSL,
       tls_sni is used and a forced expansion failure is configured.
   * Pull 76_tls_dh_min_bits.diff (and the corresponding doc change
     77_docsfortls_dh_min_bits.diff) from upstream.
     Adds a new SMTP transport option tls_dh_min_bits for setting the
     minimal size of DH parameters.
   * Add macro TLS_DH_MIN_BITS for setting the tls_dh_min_bits smtp
     transport option. Closes: #676563
   * [lintian] Stop shipping empty directory /usr/share/exim4 in exim4-base.
Checksums-Sha1:
 cd476f39515945e770302da0cf577ed26328de4a 2162 exim4_4.80-3.dsc
 7962d5a61628e6daa9aa0e06ec33459a41e4625f 575324 exim4_4.80-3.debian.tar.gz
 7a1c131f503b2b571cd8616a816443cfa96e2c36 1030882 exim4-base_4.80-3_i386.deb
 356082518e84db02d3a7ccb2abd5707766604c12 208536 eximon4_4.80-3_i386.deb
 a2ff6d14391d0f7bf99ffcaf758356389c53766b 627570 exim4-daemon-light_4.80-3_i386.deb
 aa2a98b064ed4d8e5b238233df26728d670b46da 684468 exim4-daemon-heavy_4.80-3_i386.deb
 ec4e30642a07be0d601584c7f6f78902593973d8 1132168 exim4-daemon-light-dbg_4.80-3_i386.deb
 1476f1125a2d56bb0be7a7e9b58c69c87cef0481 1264600 exim4-daemon-heavy-dbg_4.80-3_i386.deb
 9e3154913dbb1d84b62e4e3fa8f7d3e4c6c5d405 421386 exim4-dbg_4.80-3_i386.deb
 7f627f2935b6cd8b9bc048cc69821a9cdc71d696 173238 exim4-dev_4.80-3_i386.deb
 5647f81452c62edbd06dd51718898cff01143f04 477194 exim4-config_4.80-3_all.deb
 cde8fae563ec663e5b2337fdb8cee2dc6bd61025 7794 exim4_4.80-3_all.deb
Checksums-Sha256:
 a820240181af11ae63299c7703ad98642e0e98ed57a431fdab533171ef57cd4b 2162 exim4_4.80-3.dsc
 1ff66e5b1c9112959246b4ba538afc9f7d778db77884175a61e2320cfb9f89f9 575324 exim4_4.80-3.debian.tar.gz
 04f77680514c1e11084d4ea23cae746ccf3cbbd82970751864d0f5acdae6e600 1030882 exim4-base_4.80-3_i386.deb
 324364cf0125ab4f14355ecbb22e98611fdd3703f19690020577156b6e04af66 208536 eximon4_4.80-3_i386.deb
 7d767871dd0303a71c7fd682957faaa6917eff12f573d8494eded4d779910453 627570 exim4-daemon-light_4.80-3_i386.deb
 ef2ad8039f7779edc2e1e62cd5a373ccc2558e64c050fe3d7805bebab6df9426 684468 exim4-daemon-heavy_4.80-3_i386.deb
 d8dc6051d65259d8f71a622dc32a65f6e33eb3175738174f94e8b4343dd94d0e 1132168 exim4-daemon-light-dbg_4.80-3_i386.deb
 a7e00c15f6fd00ea6e03037eb256ac3d8f6161d29a092195717e7f46a50ed27e 1264600 exim4-daemon-heavy-dbg_4.80-3_i386.deb
 8f19dde75c475c0f012fc750f26151b6ca4e2925694b2074dd6946d3626247af 421386 exim4-dbg_4.80-3_i386.deb
 d7b7ab85b46e8bd5482d96452002c4a9f6098fbddaec6af771f39cdaaff13daf 173238 exim4-dev_4.80-3_i386.deb
 1628d8094708e0df74c951ad59fc26e1134f2cc83493d57420bb503cc92c75f0 477194 exim4-config_4.80-3_all.deb
 dd7af8e3cfae085fbc15626bc28d4d01119ee8cb122b178c3bd9e3df5ee85791 7794 exim4_4.80-3_all.deb
Files:
 146cab2f5d191ff99cf6b667edaeedb4 2162 mail standard exim4_4.80-3.dsc
 5ff04e0a35a9aa0987aef48a51667d0c 575324 mail standard exim4_4.80-3.debian.tar.gz
 cdc9b77c56a4e5c3897732af3e7ae175 1030882 mail standard exim4-base_4.80-3_i386.deb
 8f9b92f0dfc29012d929b224ae8366b5 208536 mail optional eximon4_4.80-3_i386.deb
 9af16d45844b782b9e0cfd055618f36f 627570 mail standard exim4-daemon-light_4.80-3_i386.deb
 06b59edce6a37ae63220688bf5b5dc2c 684468 mail optional exim4-daemon-heavy_4.80-3_i386.deb
 23af474f201128dea52e3811d4e71cce 1132168 debug extra exim4-daemon-light-dbg_4.80-3_i386.deb
 3c7128431bef54d35f24c23afc3ffbc5 1264600 debug extra exim4-daemon-heavy-dbg_4.80-3_i386.deb
 ea51831747afeea21b5f33411520b069 421386 debug extra exim4-dbg_4.80-3_i386.deb
 7655f8d53055d27abfce4550d463fceb 173238 mail extra exim4-dev_4.80-3_i386.deb
 12da37438d59d2c64debf03e4a0f1006 477194 mail standard exim4-config_4.80-3_all.deb
 55d3964fb6c3370c4dbb39f35f9cedf9 7794 mail standard exim4_4.80-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEAREDAAYFAk/R33cACgkQHTOcZYuNdmM0qgCfd4SFTUQ/Hjqkjszmbkb7/AiL
d0EAoKkaA5ylvbkXgCie66ibT0KIzNac
=FcnL
-----END PGP SIGNATURE-----
Date: Thu, 07 Jun 2012 12:51:51 -0700
From: Kevin Mitchell <kevmi...@math.sfu.ca>
To: Debian Bug Tracking System <sub...@bugs.debian.org>
Subject: exim4: new minimum Diffie-Hellman length breaks sending, not configurable
X-Mailer: reportbug 6.4

Source: exim4
Version: 4.80-2
Severity: important

This breaks relaying to my smarthost which requires secure authentication, but
apparently doesn't have the new required DH size of 2048.

from /var/log/exim4/mainlog:

2012-06-07 11:57:56 1Schu8-0005cQ-SD <= kevmi...@math.sfu.ca U=kevmitch P=local S=472 id=20120607185756.ga21...@math.sfu.ca
2012-06-07 11:58:02 1Schu8-0005cQ-SD TLS error on connection to pobox.sfu.ca [142.58.101.28] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).

Maybe a key shorter than 2048 is "insecure", but most people (myself included)
are not in a position to "fix" their smarthost. This wouldn't be so bad as a
default, except that as far as I can tell, there is no way to configure it
short of recompiling without 66_enlarge-dh-parameters-size.dpatch. I would
recommend either dropping the patch or adding a runtime configuration option.

Kevin

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (600, 'unstable'), (500, 'testing'), (400, 'stable'), (300, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.4.1.01 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
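An added example, not taken from the bug report or from the Debian exim4 package, showing the two things an admin in Kevin's position would want once 4.80-3 lands: a quick pass over Exim's mainlog to list which relays GnuTLS refused for a too-short DH prime (and how often), and writing the TLS_DH_MIN_BITS macro that the changelog says now feeds the smtp transport's tls_dh_min_bits option. Assumptions: the log format is the one in the report; the macro file on Debian is /etc/exim4/exim4.conf.localmacros, which is passed in as a parameter here so the script runs against a temporary file; the 1024-bit floor is this example's own choice, not a value from the page. The log lines below are constructed, using documentation hostnames and addresses.

```shell
#!/bin/sh
# Added example, not part of the bug report or the Debian package.
set -eu

# Constructed sample mainlog: one delivery, one unrelated TLS-free delivery,
# and three GnuTLS "DH prime not acceptable" failures from two different relays.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2012-06-07 11:57:56 1Schu8-0005cQ-SD <= user@example.org U=user P=local S=472
2012-06-07 11:58:02 1Schu8-0005cQ-SD TLS error on connection to smarthost.example.org [192.0.2.10] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
2012-06-07 12:01:10 1SchxA-0005d1-AB => user@example.net R=smarthost T=remote_smtp_smarthost H=mail.example.net [192.0.2.20]
2012-06-07 12:05:44 1Schyz-0005e2-CD TLS error on connection to smarthost.example.org [192.0.2.10] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
2012-06-07 12:09:00 1Schz3-0005f3-EF TLS error on connection to relay.example.com [198.51.100.7] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
EOF

# Print "host ip count" for every peer whose DH prime GnuTLS rejected.
# Only the specific handshake error is matched, so other TLS errors are ignored.
dh_too_short_hosts() {
    grep 'Diffie-Hellman prime sent by the server is not acceptable' "$1" \
      | sed -n 's/.*TLS error on connection to \([^ ]*\) \[\([^]]*\)].*/\1 \2/p' \
      | sort | uniq -c \
      | awk '{ print $2, $3, $1 }'
}

# Number of distinct affected peers: tells you whether lowering the minimum
# is a one-relay exception or a wider problem.
count_dh_too_short_hosts() {
    dh_too_short_hosts "$1" | grep -c .
}

# Write (or replace) the TLS_DH_MIN_BITS macro that exim4 4.80-3 maps onto
# tls_dh_min_bits. $1 is the macro file (assumed to be
# /etc/exim4/exim4.conf.localmacros on Debian); $2 is the size in bits.
# Anything below 1024 is refused; that floor is this example's choice.
# After editing the real file, run update-exim4.conf and reload exim4.
write_dh_min_bits_macro() {
    file=$1; bits=$2
    case $bits in
        ''|*[!0-9]*) echo "bits must be a number" >&2; return 1 ;;
    esac
    [ "$bits" -ge 1024 ] || { echo "refusing DH minimum below 1024 bits" >&2; return 1; }
    if [ -f "$file" ] && grep -q '^TLS_DH_MIN_BITS' "$file"; then
        # replace an existing setting rather than appending a duplicate
        sed "s/^TLS_DH_MIN_BITS *=.*/TLS_DH_MIN_BITS = $bits/" "$file" >"$file.tmp" \
          && mv "$file.tmp" "$file"
    else
        printf 'TLS_DH_MIN_BITS = %s\n' "$bits" >>"$file"
    fi
}

# Usage on the constructed data: list the offending relays, then set a
# 1024-bit minimum in a temporary macro file.
MACROS=$(mktemp)
dh_too_short_hosts "$SAMPLE_LOG"
write_dh_min_bits_macro "$MACROS" 1024
cat "$MACROS"
```

The triage function deliberately keys on the exact GnuTLS message rather than on "TLS error", so certificate or cipher failures do not get mixed into the count; lowering tls_dh_min_bits for a relay that fails for some other reason would only hide the real problem.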