This Debian security advisory says that for stable/buster, they are fixed in 4.92-8+deb10u6:
https://www.debian.org/security/2021/dsa-4912
So you already have the fixes.
Robin
Thanks a lot for this heads-up!
I'm running it on buster/stable, but after apt update,
apt search shows:
Sorting... Done
Full Text Search... Done
exim4/stable,stable,now 4.92-8+deb10u6 all [installed]
metapackage to ease Exim MTA (v4) installation
exim4-base/stable,now 4.92-8+deb10u6 i386 [installed]
support files for all Exim MTA (v4) packages
exim4-config/stable,stable 4.92-8+deb10u6 all [upgradable from: 4.92-8+deb10u4]
configuration for the Exim MTA (v4)
exim4-daemon-heavy/stable 4.92-8+deb10u6 i386
Exim MTA (v4) daemon with extended features, including exiscan-acl
exim4-daemon-light/stable 4.92-8+deb10u6 i386 [upgradable from: 4.92-8+deb10u4]
lightweight Exim MTA (v4) daemon
exim4-dev/stable 4.92-8+deb10u6 i386
header files for the Exim MTA (v4) packages
exim4-doc-html/stable,stable 4.92-1 all
documentation for the Exim MTA (v4) in html format
exim4-doc-info/stable,stable 4.92-1 all
documentation for the Exim MTA (v4) in info format
which is less than the fixed 4.94.2 version. And indeed I see the
same presumably vulnerable version listed for buster here:
https://packages.debian.org/search?keywords=exim4&searchon=names&exact=1&suite=all&section=all
That list suggests that only sid (unstable), bullseye (testing), and
buster-backports have a fix.
My sources.list is:
deb http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable main contrib
deb-src http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable main contrib
deb http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/ stable/updates main
deb-src http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/ stable/updates main
deb http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable-updates main
deb-src http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable-updates main
Presumably that means I need to add buster-backports to get it.
I'll try that now.
Unfortunately it's not the first time Exim has badly let its users
down from a security perspective. I wish there was an easy way to
switch to postfix.
Thanks,
Adam
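The point Robin makes above (a buster package at 4.92-8+deb10u6 already carries the fix, even though 4.92 is older than upstream's 4.94.2) is easy to get wrong if you compare version strings by eye. The following is an added example, not code from this thread or from Debian: a Python re-implementation of dpkg's version ordering, run over the apt search output quoted above, which checks each installed exim4 package against the buster fixed version named in DSA-4912 rather than against the upstream release number. The sample output is copied (abridged) from the message; the package names, versions and the DSA number all come from the thread.

```python
import re

# apt search output as quoted above (abridged); progress and description
# lines are kept so the parser has to skip them.
APT_SEARCH_OUTPUT = """\
Sorting... Done
Full Text Search... Done
exim4/stable,stable,now 4.92-8+deb10u6 all [installed]
metapackage to ease Exim MTA (v4) installation
exim4-base/stable,now 4.92-8+deb10u6 i386 [installed]
support files for all Exim MTA (v4) packages
exim4-config/stable,stable 4.92-8+deb10u6 all [upgradable from: 4.92-8+deb10u4]
configuration for the Exim MTA (v4)
exim4-daemon-heavy/stable 4.92-8+deb10u6 i386
Exim MTA (v4) daemon with extended features, including exiscan-acl
exim4-daemon-light/stable 4.92-8+deb10u6 i386 [upgradable from: 4.92-8+deb10u4]
lightweight Exim MTA (v4) daemon
"""

DSA_FIXED_BUSTER = "4.92-8+deb10u6"  # fixed version for buster per DSA-4912
UPSTREAM_FIXED = "4.94.2"            # upstream release the advisory names


def _order(c):
    """dpkg character weight: '~' sorts before anything, even end of string;
    letters sort before other symbols; digits and end of string weigh 0."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare one version component the way dpkg does: alternate between
    character-wise comparison of non-digit runs and numeric comparison of
    digit runs (leading zeros ignored)."""
    def ch(s, k):
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            oa, ob = _order(ch(a, i)), _order(ch(b, j))
            if oa != ob:
                return oa - ob
            i += 1
            j += 1
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as Debian version v1 sorts before, equal to, or after v2.
    Splits each into epoch, upstream version and Debian revision first."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


# "pkg/suites candidate arch [state]"; description lines have no "name/" token.
APT_LINE = re.compile(r"^(?P<pkg>[^\s/]+)/\S+\s+(?P<cand>\S+)\s+\S+(?:\s+\[(?P<state>[^\]]*)\])?\s*$")


def parse_apt_search(text):
    """Map package -> (candidate version, installed version or None)."""
    packages = {}
    for line in text.splitlines():
        m = APT_LINE.match(line)
        if not m:
            continue
        state = m.group("state") or ""
        if state == "installed":
            installed = m.group("cand")
        elif state.startswith("upgradable from: "):
            installed = state[len("upgradable from: "):]
        else:
            installed = None
        packages[m.group("pkg")] = (m.group("cand"), installed)
    return packages


def patched_status(text, fixed_version=DSA_FIXED_BUSTER):
    """True for each installed package whose version is at or above the fix."""
    return {pkg: compare_versions(inst, fixed_version) >= 0
            for pkg, (_cand, inst) in parse_apt_search(text).items() if inst is not None}
```

Run against the quoted output, `patched_status` reports exim4 and exim4-base as fixed and exim4-config and exim4-daemon-light (still at 4.92-8+deb10u4) as needing the pending upgrade; `compare_versions(DSA_FIXED_BUSTER, UPSTREAM_FIXED)` returns -1, which is why measuring a stable package against the upstream number would wrongly flag a patched host.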
On Fri, May 07, 2021 at 01:48:44AM +0000, Andy Smith wrote:
Hi,
TL;DR: There are 21 serious security vulnerabilities recently
published for the Exim mail server, 10 of which are remotely
triggerable. Anyone running Exim needs to patch it ASAP or risk
having their server automatically root compromised as soon as an
exploit is cooked up. Which may have happened already.
Details: https://lwn.net/Articles/855282/
We don't usually post about other vendors' security issues on the
announce@ list but I'm making an exception for this one because Exim
is installed by default on all versions of Debian, and more than
60% of BitFolk customers use some version of Debian.
If you're running Exim you need to upgrade it immediately. Package
updates have already been posted for Debian 9 and 10
(stretch/oldstable and buster/stable). The last time this sort of
thing happened with Exim several customers were automatically
compromised. As it's a root level compromise, if it happens to you
then you will never be sure what exactly was done to your server.
You might end up needing to reinstall it.
Most hosts, unless they are acting as a server listed in one or more
domains' MX records, do not need to be remotely accessible on port
25. If that's the case for you then you would be well advised to
reconfigure Exim to only listen on localhost. Though there are still
11 other vulnerabilities that local users could exploit. At least
you'd only get rooted by a friend, right?
An exploit hasn't been published yet but that doesn't mean that one
doesn't exist, and now that the source changes are public it should
be fairly easy for developers to work out how to do it.
Some of the bugs go back to 2004 so basically every Exim install is
at risk. If you are running a release of Debian prior to version 9
(stretch) then it's out of security support and may not ever see an
updated package for this, so you need to strongly consider turning
off any Exim server and doing an OS upgrade before you turn it back
on.
If you need help, you could reply to this and seek help from other
customers, or BitFolk can help you as a consultancy service, but you
probably don't want to pay consultancy prices and in any moderately
complicated setup our approach is going to be an OS upgrade anyway.
Email support@bitfolk.com to discuss if still interested in that.
Best of luck with the upgrading!
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
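Andy's advice above for hosts that are not an MX is to make Exim listen on localhost only. On Debian that setting lives in /etc/exim4/update-exim4.conf.conf as dc_local_interfaces. The following is an added example, not code from this thread or from the Debian exim4 packaging: a small Python checker that parses that file's key='value' lines and reports any listener that is reachable from other hosts, with a constructed all-interfaces configuration beside the localhost-only one. It assumes, per the update-exim4.conf documentation, that an empty dc_local_interfaces means "listen on all interfaces" and that entries are separated by ';' with an optional Exim-style '.port' suffix; the sample configurations are constructed.

```python
import ipaddress
import re

# Constructed samples in the key='value' form of /etc/exim4/update-exim4.conf.conf;
# only the keys relevant to listening are shown.
CONF_LISTENING_EVERYWHERE = """\
dc_eximconfig_configtype='internet'
dc_local_interfaces=''
"""

CONF_LOCALHOST_ONLY = """\
dc_eximconfig_configtype='satellite'
dc_local_interfaces='127.0.0.1 ; ::1'
"""


def parse_update_exim4_conf(text):
    """Parse key='value' lines into a dict, dropping comments and the quotes."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)=(.*)$", line)
        if not m:
            continue
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        conf[key] = value
    return conf


def listen_addresses(conf):
    """Addresses listed in dc_local_interfaces. Entries are ';'-separated and may
    carry a '.port' suffix (assumption about the accepted syntax, see lead-in)."""
    addresses = []
    for item in conf.get("dc_local_interfaces", "").split(";"):
        item = item.strip()
        if not item:
            continue
        try:
            addresses.append(ipaddress.ip_address(item))
        except ValueError:
            host, _dot, _port = item.rpartition(".")  # e.g. 127.0.0.1.25 or ::1.25
            addresses.append(ipaddress.ip_address(host))
    return addresses


def exposed_listeners(conf):
    """Listener addresses other hosts can reach. An empty dc_local_interfaces is
    treated as every interface (assumption about update-exim4.conf's default)."""
    addresses = listen_addresses(conf)
    if not addresses:
        return ["all interfaces"]
    return [str(a) for a in addresses if not a.is_loopback]
```

For the first sample the checker reports "all interfaces"; for the second it reports nothing. After changing the setting, Debian regenerates the running Exim configuration with `update-exim4.conf` and the daemon needs a restart (`systemctl restart exim4`). As Andy notes, this only removes the remote exposure; the locally triggerable issues still require the package upgrade.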
_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users