Re: [bitfolk] 21 critical Exim security issues need addressi…

Author: Adam Spiers
Date:  
To: users
Subject: Re: [bitfolk] 21 critical Exim security issues need addressing
Thanks a lot for this heads-up!

I'm running it on buster/stable, but after apt update,
apt search shows:

     Sorting... Done
     Full Text Search... Done
     exim4/stable,stable,now 4.92-8+deb10u6 all [installed]
       metapackage to ease Exim MTA (v4) installation


     exim4-base/stable,now 4.92-8+deb10u6 i386 [installed]
       support files for all Exim MTA (v4) packages


     exim4-config/stable,stable 4.92-8+deb10u6 all [upgradable from: 4.92-8+deb10u4]
       configuration for the Exim MTA (v4)


     exim4-daemon-heavy/stable 4.92-8+deb10u6 i386
       Exim MTA (v4) daemon with extended features, including exiscan-acl


     exim4-daemon-light/stable 4.92-8+deb10u6 i386 [upgradable from: 4.92-8+deb10u4]
       lightweight Exim MTA (v4) daemon


     exim4-dev/stable 4.92-8+deb10u6 i386
       header files for the Exim MTA (v4) packages


     exim4-doc-html/stable,stable 4.92-1 all
       documentation for the Exim MTA (v4) in html format


     exim4-doc-info/stable,stable 4.92-1 all
       documentation for the Exim MTA (v4) in info format


which is less than the fixed 4.94.2 version. And indeed I see the
same presumably vulnerable version listed for buster here:

     https://packages.debian.org/search?keywords=exim4&searchon=names&exact=1&suite=all&section=all


That list suggests that only sid (unstable), bullseye (testing), and
buster-backports have a fix.

My sources.list is:

     deb http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/     stable main contrib
     deb-src http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable main contrib


     deb http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/          stable/updates main
     deb-src http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/      stable/updates main


     deb http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/     stable-updates main
     deb-src http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable-updates main


Presumably that means I need to add buster-backports to get it.
I'll try that now.

Unfortunately it's not the first time Exim has badly let its users
down from a security perspective. I wish there was an easy way to
switch to postfix.

Thanks,
Adam

On Fri, May 07, 2021 at 01:48:44AM +0000, Andy Smith wrote:
>Hi,
>
>TL;DR: There are 21 serious security vulnerabilities recently
>published for the Exim mail server, 10 of which are remotely
>triggerable. Anyone running Exim needs to patch it ASAP or risk
>having their server automatically root compromised as soon as an
>exploit is cooked up. Which may have happened already.
>
>Details: https://lwn.net/Articles/855282/
>
>We don't usually post about other vendors' security issues on the
>announce@ list but I'm making an exception for this one because Exim
>is installed by default on all versions of Debian, and more than
>60% of BitFolk customers use some version of Debian.
>
>If you're running Exim you need to upgrade it immediately. Package
>updates have already been posted for Debian 9 and 10
>(stretch/oldstable and buster/stable). The last time this sort of
>thing happened with Exim several customers were automatically
>compromised. As it's a root level compromise, if it happens to you
>then you will never be sure exactly what was done to your server.
>You might end up needing to reinstall it.
>
>Most hosts, unless they are acting as a server listed in one or more
>domains' MX records, do not need to be remotely accessible on port
>25. If that's the case for you then you would be well advised to
>reconfigure Exim to only listen on localhost. Though there are still
>11 other vulnerabilities that local users could exploit. At least
>you'd only get rooted by a friend, right?
>
>An exploit hasn't been published yet but that doesn't mean that one
>doesn't exist, and now that the source changes are public it should
>be fairly easy for developers to work out how to do it.
>
>Some of the bugs go back to 2004 so basically every Exim install is
>at risk. If you are running a release of Debian prior to version 9
>(stretch) then it's out of security support and may not ever see an
>updated package for this, so you need to strongly consider turning
>off any Exim server and doing an OS upgrade before you turn it back
>on.
>
>If you need help, you could reply to this and seek help from other
>customers, or BitFolk can help you as a consultancy service, but you
>probably don't want to pay consultancy prices and in any moderately
>complicated setup our approach is going to be an OS upgrade anyway.
>Email support@??? to discuss if still interested in that.
>
>Best of luck with the upgrading!
>Andy
>
>--
>https://bitfolk.com/ -- No-nonsense VPS hosting

>_______________________________________________
>users mailing list
>users@???
>https://lists.bitfolk.com/mailman/listinfo/users
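An added example, not code from either message: a Python script that reads apt search output in the format shown in the reply above and flags installed packages whose version sorts below a fixed version, using dpkg's own ordering rules (epoch, then upstream version, then Debian revision, with '~' sorting before anything). Debian security updates for stable are backported onto the existing upstream version, so the value to compare against is the Debian package version named in the security advisory, not the upstream release number; FIXED_VERSION below is a placeholder taken from the listing purely to exercise the comparison, and SAMPLE is a constructed excerpt of that listing.

```python
import re
from itertools import zip_longest
# Constructed sample in "apt search" output format (versions copied from the listing above).
SAMPLE = """\
exim4-base/stable,now 4.92-8+deb10u6 i386 [installed]
  support files for all Exim MTA (v4) packages
exim4-config/stable,stable 4.92-8+deb10u6 all [upgradable from: 4.92-8+deb10u4]
exim4-daemon-heavy/stable 4.92-8+deb10u6 i386
"""
FIXED_VERSION = "4.92-8+deb10u6"  # placeholder: use the Debian version named in the advisory
def _order(c):  # dpkg's character weight: '~' sorts before anything, even end of string
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):  # dpkg's ordering of an upstream-version or revision string
    ta, tb = (re.findall(r"\d+|\D+", s) for s in (a, b))  # alternating digit/non-digit runs
    for x, y in zip_longest(ta, tb, fillvalue=""):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y): return int(x) - int(y)  # numeric, so leading zeros are ignored
        elif x.isdigit() and not y or y.isdigit() and not x:
            return 1 if x else -1                         # a digit run outranks end of string
        else:  # char by char; a digit or end of string weighs 0, so '~' (-1) sorts below both
            for cx, cy in zip_longest(x, y, fillvalue=""):
                d = (_order(cx) if cx else 0) - (_order(cy) if cy else 0)
                if d: return d
    return 0

def compare_versions(a, b):  # -1, 0 or 1, like dpkg --compare-versions
    def split(v):  # [epoch:]upstream[-debian_revision]; epoch defaults to 0
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), up, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

# One result line of "apt search": name/suites version arch [status]; descriptions are indented
LINE_RE = re.compile(r"^(?P<pkg>\S+)/\S+ (?P<ver>\S+) \S+(?: \[(?P<status>[^\]]*)\])?$")
def installed_versions(apt_search_output):  # package -> version actually installed
    found = {}
    for line in apt_search_output.splitlines():
        m = LINE_RE.match(line) if not line.startswith(" ") else None
        status = (m["status"] or "") if m else ""
        if status.startswith("installed"):  # also covers "installed,automatic"
            found[m["pkg"]] = m["ver"]
        elif status.startswith("upgradable from: "):  # listed version is the candidate, not ours
            found[m["pkg"]] = status[len("upgradable from: "):]
    return found

def unpatched(apt_search_output, fixed_version):  # installed packages still below the fix
    have = installed_versions(apt_search_output)
    return {p: v for p, v in have.items() if compare_versions(v, fixed_version) < 0}
```

On a live host, feed it the output of `apt search exim4` (or `dpkg-query -W`, adjusting LINE_RE) and set FIXED_VERSION from the advisory for your release; with the sample above only exim4-config is reported, because its installed version is the older deb10u4.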