This is a SECURITY release, addressing a CRITICAL remote code execution
flaw in versions of Exim between 4.70 and 4.80 inclusive, when built
with DKIM support (the default). This release is identical to 4.80
except for the small changes needed to plug the security hole. The next
release of Exim will, eventually, be 4.82, which will include the many
improvements we’ve made since 4.80, but which will require the normal
release candidate baking process before release.
You are not vulnerable if you built Exim with DISABLE_DKIM or if you
put this at the start of an ACL plumbed into acl_smtp_connect or
    warn control = dkim_disable_verify
I apologise for the impact of releasing this on a Friday. I do not
consider there to be an acceptable alternative. This issue, which is
known by the CVE ID of CVE-2012-5671, was found during internal code
review of an area of the Exim codebase relevant to another issue, DKIM
signing and verification, which has been the subject of US-CERT
VU#268267 and Common Weakness identifiers CWE-347 and CWE-326. As such,
I expect that this area of code in various MTAs will be studied by many
security-conscious people around about now, so there is a significant
risk that someone unfriendly has also discovered this, concurrently to
our finding it. We discovered the issue on Wednesday, gave Thursday for
the OS packagers to get emergency packages prepared, and are releasing
on the next available work day.
This is why we have made the smallest feasible changes to prevent
exploit: we want this change to be as safe as possible to expedite into
production. This security vulnerability can be exploited by anyone who
can send email from a domain for which they control the DNS. The class
of attack is known as a "heap-based buffer overflow"; your OS might be
built with protections to mitigate against these attacks.
To avoid confusion between "4.80.1" and "4.81", we will skip the "4.81"
version number and the next release will be "4.82".
Hopefully this will be available through custombuild soon!
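As an added example (not part of the announcement above and not Exim's own code), the following POSIX shell script turns the two facts in the announcement into a check an administrator can run: it parses `exim -bV` output to decide whether a build falls in the affected 4.70 to 4.80 range with DKIM compiled in (4.80.1 and DISABLE_DKIM builds are reported as not affected), and it prints the interim ACL from the announcement in the context of a configuration file. The `-bV` output embedded below is constructed sample text that follows the "Exim version ..." and "Support for: ..." lines the real binary prints; the ACL name acl_check_connect is an assumption.

```shell
#!/bin/sh
# Added example, not from the Exim announcement: classify an Exim build
# from `exim -bV` output and emit the interim ACL mitigation for
# CVE-2012-5671. Sample -bV text below is constructed for the demo.

# exim_affected OUTPUT
# Returns 0 (true) when OUTPUT shows Exim 4.70..4.80 inclusive built with
# DKIM support, 1 otherwise. The fixed release 4.80.1 is not affected.
exim_affected() {
    bv=$1
    ver=$(printf '%s\n' "$bv" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch="" ;;
    esac
    # A build made with DISABLE_DKIM has no "DKIM" token on the Support line.
    printf '%s\n' "$bv" | grep '^Support for:' | tr ' ' '\n' | grep -qx DKIM || return 1
    [ "$major" = 4 ] || return 1
    [ "$minor" -ge 70 ] || return 1
    [ "$minor" -le 80 ] || return 1
    # 4.80.1 is the security release; treat exactly that version as fixed.
    if [ "$minor" = 80 ] && [ "$patch" = 1 ]; then
        return 1
    fi
    return 0
}

# mitigation_acl
# Prints the announcement's interim mitigation in context: an ACL hooked
# into acl_smtp_connect whose first statement disables DKIM verification.
# The ACL name acl_check_connect is an assumption, not from the page.
mitigation_acl() {
    cat <<'EOF'
acl_smtp_connect = acl_check_connect

begin acl

acl_check_connect:
  # Interim mitigation for CVE-2012-5671: never run the DKIM verifier.
  warn control = dkim_disable_verify
  accept
EOF
}

# Constructed sample outputs in the shape `exim -bV` prints.
SAMPLE_VULN='Exim version 4.80 #1 built 12-Jun-2012 10:00:00
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM PRDR
Configuration file is /etc/exim/exim.conf'

SAMPLE_FIXED='Exim version 4.80.1 #1 built 26-Oct-2012 10:00:00
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM PRDR'

SAMPLE_NODKIM='Exim version 4.80 #1 built 12-Jun-2012 10:00:00
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning PRDR'

SAMPLE_OLD='Exim version 4.69 #1 built 01-Jan-2008 10:00:00
Support for: crypteq iconv() IPv6 OpenSSL DKIM'

# Stand-alone demonstration on the constructed vulnerable sample.
if exim_affected "$SAMPLE_VULN"; then
    echo "sample host: affected build; upgrade to 4.80.1 or apply this ACL:"
    mitigation_acl
else
    echo "sample host: not affected"
fi
```

On a real host, feed the script the live output with `exim_affected "$(exim -bV)"`; a build that reports DKIM on the Support line and a version in range should be upgraded, with the ACL serving only as the stop-gap the announcement describes.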