From 4f2fdeb7a0492440b33b980ff068fe66883b3d77 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin Date: Fri, 26 Oct 2012 11:27:13 +0400 Subject: [PATCH] mail/exim: upgrade to 4.80.1 This is bugfix-only release, it eliminates remote code execution in the DKIM code. Security: http://www.vuxml.org/freebsd/b0f3ab1f-1f3b-11e2-8fe9-0022156e8794.html QA page: http://codelabs.ru/fbsd/ports/qa/mail/exim/4.80.1 Feature-safe: yes Signed-off-by: Eygene Ryabinkin --- mail/exim/Makefile | 2 +- mail/exim/distinfo | 4 ++-- security/vuxml/vuln.xml | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 42 insertions(+), 3 deletions(-) diff --git a/mail/exim/Makefile b/mail/exim/Makefile index f034943..dc47f42 100644 --- a/mail/exim/Makefile +++ b/mail/exim/Makefile @@ -78,7 +78,7 @@ PLIST_SUB+= SO_1024="" PLIST_SUB+= SO_1024="@comment " .endif -EXIM_VERSION= 4.80 +EXIM_VERSION= 4.80.1 SA_EXIM_VERSION=4.2 SO_1024_VERSION=3.2 diff --git a/mail/exim/distinfo b/mail/exim/distinfo index 69a1ee5..e3e7330 100644 --- a/mail/exim/distinfo +++ b/mail/exim/distinfo @@ -1,5 +1,5 @@ -SHA256 (exim/exim-4.80.tar.bz2) = 787b6defd37fa75311737bcfc42e9e2b2cc62c5d027eed35bb7d800b2d9a0984 -SIZE (exim/exim-4.80.tar.bz2) = 1649827 +SHA256 (exim/exim-4.80.1.tar.bz2) = 9565b10f06be224fd03adafae2e07e6fdbb479f8873e3894ddb13f98eeebe78f +SIZE (exim/exim-4.80.1.tar.bz2) = 1650082 SHA256 (exim/sa-exim-4.2.tar.gz) = 72e0a735547f18b05785e6c58a71d24623858f0f5234a5dc0e24cb453999e99a SIZE (exim/sa-exim-4.2.tar.gz) = 66575 SHA256 (exim/spamooborona1024-src-3.2.tar.gz) = ab22a430f3860460045f6b213c68c89700a0cd10cbb6c7a808ece326c53787ee diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 0ed09df..92822eb 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -51,6 +51,45 @@ Note: Please add new entries to the beginning of this file. --> + + Exim -- remote code execution + + + exim + 4.704.80.1 + + + + +

This vulnerability affects Exim instances built with DKIM + enabled (this is the default for FreeBSD Exim port) and running + verification of DKIM signatures on the incoming mail + messages.

+

Phil Penncock reports:

+
+

This is a SECURITY release, addressing a CRITICAL remote + code execution flaw in versions of Exim between 4.70 and + 4.80 inclusive, when built with DKIM support (the default).

+

This security vulnerability can be exploited by anyone + who can send email from a domain for which they control the + DNS.

+

You are not vulnerable if you built Exim with DISABLE_DKIM + or if you put this at the start of an ACL plumbed into + acl_smtp_connect or acl_smtp_rcpt:

+
warn control = dkim_disable_verify
+
+ +
+ + CVE-2012-5671 + https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html + + + 2012-10-25 + 2012-10-26 + +
+ django -- multiple vulnerabilities -- 1.7.11.3