Re: [bitfolk] 21 critical Exim security issues need addressi…

Author: Robin Phillips
Date:  
To: users
Subject: Re: [bitfolk] 21 critical Exim security issues need addressing
This Debian security advisory says that for stable/buster, they are
fixed in 4.92-8+deb10u6:

https://www.debian.org/security/2021/dsa-4912

So you already have the fixes.

Robin


On 07/05/2021 11:06, Adam Spiers wrote:
> Thanks a lot for this heads-up!
>
> I'm running it on buster/stable, but after apt update,
> apt search shows:
>
>     Sorting... Done
>     Full Text Search... Done
>     exim4/stable,stable,now 4.92-8+deb10u6 all [installed]
>       metapackage to ease Exim MTA (v4) installation
>
>     exim4-base/stable,now 4.92-8+deb10u6 i386 [installed]
>       support files for all Exim MTA (v4) packages
>
>     exim4-config/stable,stable 4.92-8+deb10u6 all [upgradable from: 4.92-8+deb10u4]
>       configuration for the Exim MTA (v4)
>
>     exim4-daemon-heavy/stable 4.92-8+deb10u6 i386
>       Exim MTA (v4) daemon with extended features, including exiscan-acl
>
>     exim4-daemon-light/stable 4.92-8+deb10u6 i386 [upgradable from: 4.92-8+deb10u4]
>       lightweight Exim MTA (v4) daemon
>
>     exim4-dev/stable 4.92-8+deb10u6 i386
>       header files for the Exim MTA (v4) packages
>
>     exim4-doc-html/stable,stable 4.92-1 all
>       documentation for the Exim MTA (v4) in html format
>
>     exim4-doc-info/stable,stable 4.92-1 all
>       documentation for the Exim MTA (v4) in info format
>
> which is less than the fixed 4.94.2 version.  And indeed I see the
> same presumably vulnerable version listed for buster here:
>
> https://packages.debian.org/search?keywords=exim4&searchon=names&exact=1&suite=all&section=all
>
> That list suggests that only sid (unstable), bullseye (testing), and
> buster-backports have a fix.
>
> My sources.list is:
>
>     deb http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable main contrib
>     deb-src http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable main contrib
>
>     deb http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/ stable/updates main
>     deb-src http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/ stable/updates main
>
>     deb http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable-updates main
>     deb-src http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable-updates main
>
> Presumably that means I need to add buster-backports to get it.
> I'll try that now.
>
> Unfortunately it's not the first time Exim has badly let its users
> down from a security perspective.  I wish there was an easy way to
> switch to postfix.
>
> Thanks,
> Adam
>
> On Fri, May 07, 2021 at 01:48:44AM +0000, Andy Smith wrote:
>> Hi,
>>
>> TL;DR: There's 21 serious security vulnerabilities recently
>> published for the Exim mail server, 10 of which are remotely
>> triggerable. Anyone running Exim needs to patch it ASAP or risk
>> having their server automatically root compromised as soon as an
>> exploit is cooked up. Which may have happened already.
>>
>> Details: https://lwn.net/Articles/855282/
>>
>> We don't usually post about other vendors' security issues on the
>> announce@ list but I'm making an exception for this one because Exim
>> is installed by default on all versions of Debian, and more than
>> 60% of BitFolk customers use some version of Debian.
>>
>> If you're running Exim you need to upgrade it immediately. Package
>> updates have already been posted for Debian 9 and 10
>> (stretch/oldstable and buster/stable). The last time this sort of
>> thing happened with Exim several customers were automatically
>> compromised. As it's a root level compromise, if it happens to you
>> then you will never be sure what exactly was done to your server.
>> You might end up needing to reinstall it.
>>
>> Most hosts, unless they are acting as a server listed in one or more
>> domains' MX records, do not need to be remotely accessible on port
>> 25. If that's the case for you then you would be well advised to
>> reconfigure Exim to only listen on localhost. Though there are still
>> 11 other vulnerabilities that local users could exploit. At least
>> you'd only get rooted by a friend, right?
>>
>> An exploit hasn't been published yet but that doesn't mean that one
>> doesn't exist, and now that the source changes are public it should
>> be fairly easy for developers to work out how to do it.
>>
>> Some of the bugs go back to 2004 so basically every Exim install is
>> at risk. If you are running a release of Debian prior to version 9
>> (stretch) then it's out of security support and may not ever see an
>> updated package for this, so you need to strongly consider turning
>> off any Exim server and doing an OS upgrade before you turn it back
>> on.
>>
>> If you need help, you could reply to this and seek help from other
>> customers, or BitFolk can help you as a consultancy service, but you
>> probably don't want to pay consultancy prices and in any moderately
>> complicated setup our approach is going to be an OS upgrade anyway.
>> Email support@??? to discuss if still interested in that.
>>
>> Best of luck with the upgrading!
>> Andy
>>
>> --
>> https://bitfolk.com/ -- No-nonsense VPS hosting
>
>
>
>> _______________________________________________
>> announce mailing list
>> announce@???
>> https://lists.bitfolk.com/mailman/listinfo/announce
>
>> _______________________________________________
>> users mailing list
>> users@???
>> https://lists.bitfolk.com/mailman/listinfo/users
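The two checks this thread does by hand, as an added example that is not part of any message above and not code from Exim, Debian or BitFolk: Adam compared the buster package number 4.92-8+deb10u6 against the upstream 4.94.2 release and concluded he was unpatched, Robin pointed out that DSA-4912 names 4.92-8+deb10u6 as the fixed buster version, and Andy's advice was to stop Exim listening on anything but localhost unless the host is an MX. The script implements the dpkg version-ordering algorithm (Debian Policy 5.6.12) so that a `+deb10u6` security suffix compares correctly against the DSA's fixed version, and it scans `ss -ltn` style output for port-25 listeners that are not loopback. The package versions and the `ss` lines are constructed sample data taken from the versions quoted in the thread; `DSA_4912_BUSTER`, `INSTALLED` and `SS_SAMPLE` are names introduced here.

```python
"""Audit an Exim install as the thread does by hand: compare the installed
Debian package version with the version the DSA names (not with the
upstream 4.94.2 number), then check whether the daemon is reachable on
port 25 from anything other than loopback.

Added example for this archive page; not code from Exim, Debian or BitFolk.
The comparison mirrors dpkg's verrevcmp() (Debian Policy 5.6.12).
"""


def _order(c):
    # Character weight used by dpkg: '~' sorts before end-of-string (0),
    # letters before non-letters; digit runs are handled separately.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    # Alternate a non-digit run (compared by _order) with a digit run
    # (compared numerically, leading zeros ignored) until one side differs.
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1          # a's number has more significant digits
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    # [epoch:]upstream[-debian_revision]; only the last hyphen separates
    # the revision, so '4.92-8+deb10u6' -> ('4.92', '8+deb10u6').
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:          # no hyphen: the whole string is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def version_status(installed, dsa_fixed):
    """'fixed' if the installed version is at or above the DSA's version."""
    return "fixed" if compare_versions(installed, dsa_fixed) >= 0 else "VULNERABLE"


def exposed_smtp_listeners(ss_output, port=25):
    """Local addresses bound to `port` that are not loopback, from `ss -ltn` text."""
    exposed = []
    for line in ss_output.splitlines()[1:]:       # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, lport = fields[3].rpartition(":")  # 'Local Address:Port'
        if lport != str(port):
            continue
        ip = addr.strip("[]")
        if ip.startswith("127.") or ip == "::1":
            continue
        exposed.append(ip)
    return exposed


# Constructed sample data using the versions quoted in the thread.
DSA_4912_BUSTER = "4.92-8+deb10u6"
INSTALLED = {
    "exim4-base": "4.92-8+deb10u6",
    "exim4-daemon-light": "4.92-8+deb10u4",   # the "[upgradable from:]" state
}
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      20     0.0.0.0:25         0.0.0.0:*
LISTEN 0      20     [::]:25            [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
"""


def audit(installed=INSTALLED, fixed=DSA_4912_BUSTER, ss_output=SS_SAMPLE):
    report = {pkg: version_status(v, fixed) for pkg, v in installed.items()}
    report["exposed_smtp"] = exposed_smtp_listeners(ss_output)
    return report


if __name__ == "__main__":
    # Comparing against the upstream number says "older", which is the trap.
    print("vs upstream 4.94.2:", compare_versions(DSA_4912_BUSTER, "4.94.2-1"))
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On a real buster host the inputs come from `dpkg-query -W -f='${Version}' exim4-daemon-light` and `ss -ltn`; the script reports the daemon-light package as VULNERABLE until `apt upgrade` brings it to the DSA version, while comparing any of these against `4.94.2` always reports "older" because Debian backports the fix without changing the upstream number. If the host is not an MX, Andy's localhost-only advice corresponds on Debian to setting `dc_local_interfaces='127.0.0.1 ; ::1'` in `/etc/exim4/update-exim4.conf.conf` and running `update-exim4.conf` before restarting, after which `exposed_smtp_listeners` should return an empty list.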