Package: exim4
Version: 4.89-9
Severity: grave
Tags: security
Justification: remote code execution
Source: https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html

----- Forwarded message from Phil Pennock <p...@exim.org> -----

Date: Fri, 24 Nov 2017 22:48:42 -0500
From: Phil Pennock <p...@exim.org>
To: exim-annou...@exim.org
Subject: [exim-announce] Critical Exim Security Vulnerability: disable chunking
Reply-To: exim-announce-ow...@exim.org

Folks,

A remote code execution vulnerability has been reported in Exim, with immediate public disclosure (we were given no private notice). A tentative patch exists but has not yet been confirmed.

With immediate effect, please apply this workaround: if you are running Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main section of your Exim configuration, set:

    chunking_advertise_hosts =

That's an empty value, nothing on the right of the equals.

This disables advertising the ESMTP CHUNKING extension, making the BDAT verb unavailable and avoiding letting an attacker apply the logic. This should be a complete workaround.

Impact of applying the workaround is that mail senders have to stick to the traditional DATA verb instead of using BDAT.

We've requested CVEs. More news will be forthcoming as we get this worked out.

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-announce
## Exim details at http://www.exim.org/

----- End forwarded message -----
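Two checks an administrator can run to confirm the workaround above actually took effect: one parses the main section of an Exim configuration for an empty chunking_advertise_hosts, the other parses the server's EHLO reply to see whether CHUNKING is still advertised. This is an added example, not code from the bug report or the Exim project; the config snippet and EHLO reply are constructed sample inputs.

```python
"""Added example: verify the CHUNKING workaround in an Exim config and in
an EHLO reply. Sample inputs below are constructed, not from a real server."""
import re

OPTION = "chunking_advertise_hosts"

def workaround_applied(config_text: str) -> bool:
    """True only if the main section (everything before the first 'begin'
    line) sets chunking_advertise_hosts to an empty value. Exim 4.88+
    defaults the option to '*', so an absent option still advertises
    CHUNKING to every host."""
    value = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if re.match(r"begin\b", line):
            break                        # end of the main section
        if not line or line.startswith("#"):
            continue                     # blank or comment line
        m = re.match(rf"^{OPTION}\s*=(.*)$", line)
        if m:
            value = m.group(1).strip()   # the last assignment wins
    return value == ""

def advertised_extensions(ehlo_reply: str) -> set:
    """Return the ESMTP keywords from a multi-line 250 EHLO reply.
    The first line is the server greeting and carries no keyword."""
    keywords = set()
    lines = [ln for ln in ehlo_reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            continue                     # not part of the success reply
        fields = line[4:].split()
        if fields:
            keywords.add(fields[0].upper())
    return keywords

def chunking_advertised(ehlo_reply: str) -> bool:
    """True if the server still offers CHUNKING (and therefore BDAT)."""
    return "CHUNKING" in advertised_extensions(ehlo_reply)

# Constructed sample inputs: a patched main section and an EHLO reply
# captured after the workaround (no CHUNKING line present).
PATCHED_CONFIG = "primary_hostname = mx.example.invalid\n" \
                 "chunking_advertise_hosts =\nbegin acl\n"
EHLO_AFTER = ("250-mx.example.invalid Hello client [192.0.2.10]\r\n"
              "250-SIZE 52428800\r\n250-PIPELINING\r\n250 HELP\r\n")

if __name__ == "__main__":
    print("workaround in config:", workaround_applied(PATCHED_CONFIG))
    print("CHUNKING still advertised:", chunking_advertised(EHLO_AFTER))
```

In practice feed `advertised_extensions` the reply from a real EHLO against your own MX; an absent CHUNKING keyword confirms clients can no longer reach the BDAT path.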