Package: exim4
Version: 4.89-2+deb9u4
Severity: important

Dear Maintainer,

This is just an FYI and I sure hope it's nothing.

In light of CVE-2019-10149, what I did was build a vagrant instance with Exim 4.89-2+deb9u3 to replicate the POC. Please see https://pastebin.com/raw/EiLbpsH4 for successful exploitation.

What was of interest to me: I upgraded to 4.89-2+deb9u4 and redid the POC. Please see https://pastebin.com/raw/iqaJyHt2; what you will see is that the file POC does not work, BUT mail still gets accepted. Please see https://pastebin.com/raw/YLS7CBHY

I just want to double check if this is correct / acceptable.

Kind Regards
Brent Clark

P.s. Just a Q of food for thought: should not CHECK_RCPT_LOCAL_LOCALPARTS and / or CHECK_RCPT_REMOTE_LOCALPARTS be updated in /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs?

-- Package-specific info:
Exim version 4.89 #2 built 28-May-2019 20:13:55
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='local'
dc_other_hostnames='REMOVED
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost=''
dc_relay_domains='stephan.trial.co.za'
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

mailname:stephan.trial.co.za

# /etc/default/exim4
EX4DEF_VERSION=''

# 'combined' - one daemon running queue and listening on SMTP port
# 'no' - no daemon running the queue
# 'separate' - two separate daemons
# 'ppp' - only run queue with /etc/ppp/ip-up.d/exim4.
# 'nodaemon' - no daemon is started at all.
# 'queueonly' - only a queue running daemon is started, no SMTP listener.
# setting this to 'no' will also disable queueruns from /etc/ppp/ip-up.d/exim4
QUEUERUNNER='combined'

# how often should we run the queue
QUEUEINTERVAL='30m'

# options common to quez-runner and listening daemon
COMMONOPTIONS=''

# more options for the daemon/process running the queue (applies to the one
# started in /etc/ppp/ip-up.d/exim4, too.
QUEUERUNNEROPTIONS=''

# special flags given to exim directly after the -q. See exim(8)
QFLAGS=''

# Options for the SMTP listener daemon. By default, it is listening on
# port 25 only. To listen on more ports, it is recommended to use
# -oX 25:587:10025 -oP /run/exim4/exim.pid
SMTPLISTENEROPTIONS=''

-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages exim4 depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  exim4-base             4.89-2+deb9u4
ii  exim4-daemon-light     4.89-2+deb9u4

exim4 recommends no packages.

exim4 suggests no packages.

-- debconf information:
  exim4/drec: