Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. exim>
  3. users
Wait for fix to appear in distros?
exim-users at lists
Oct 3, 2023, 4:04 AM
Post #1 of 8 (222 views)
Permalink
Hello all,

I'm running exim on a number of servers and after the news yesterday
I expected to see the fixed version appear soon in the various repos.

But so far, nothing has shown up.

I'm wondering now: should I wait a little more (risky?) or replace my
version (from Almalinux 9) with the fixed version that was brought out
yesterday?

My problem is that I don't know in how much the Almalinux version
differs from Exim's own version and if I can mess up things (e.g.
configuration-wise) if I replace one with the other.

BTW, none of my installations advertise the AUTH command to
anyone (and they refuse it when issued). Does that mean I'm
relatively safe?

Kind regards,
Paul Vinkenoog

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Wait for fix to appear in distros? [ In reply to ]
exim-users at lists
Oct 3, 2023, 9:26 AM
Post #2 of 8 (222 views)
Permalink
Am 03.10.23 um 13:04 schrieb Paul Vinkenoog via Exim-users:
> But so far, nothing has shown up.
>
> I'm wondering now: should I wait a little more (risky?) or replace my
> version (from Almalinux 9) with the fixed version that was brought out
> yesterday?
>
>

Isn't it a fork of Redhat? Have you checked the Fedora Repos, they have
the update ready.

Best regards,
Cyborg

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Wait for fix to appear in distros? [ In reply to ]
exim-users at lists
Oct 3, 2023, 9:29 AM
Post #3 of 8 (222 views)
Permalink
D?a 3. októbra 2023 11:04:28 UTC používate? Paul Vinkenoog via Exim-users <exim-users@lists.exim.org> napísal:

>I'm running exim on a number of servers and after the news yesterday
>I expected to see the fixed version appear soon in the various repos.

On debian i updated my mail systems yesterday (2. Oct) at ~19:00 CEST
and that includes time to mirror sync + time until i noticed that.

Ask your distro/packages maintainer.

regards


--
Slavko
https://www.slavino.sk/

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Wait for fix to appear in distros? [ In reply to ]
exim-users at lists
Oct 3, 2023, 9:33 AM
Post #4 of 8 (222 views)
Permalink
On 03/10/2023 12:04, Paul Vinkenoog via Exim-users wrote:
> BTW, none of my installations advertise the AUTH command to
> anyone (and they refuse it when issued). Does that mean I'm
> relatively safe?

That covers CVE-2023-42114 & CVE-2023-42115 only.
--
Cheers,
Jeremy


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Wait for fix to appear in distros? [ In reply to ]
exim-users at lists
Oct 3, 2023, 3:30 PM
Post #5 of 8 (222 views)
Permalink
Jeremy Harris wrote:

> On 03/10/2023 12:04, Paul Vinkenoog via Exim-users wrote:
> > BTW, none of my installations advertise the AUTH command to
> > anyone (and they refuse it when issued). Does that mean I'm
> > relatively safe?
>
> That covers CVE-2023-42114 & CVE-2023-42115 only.

That's right, that's why I wrote 'relatively' ;-)

Meanwhile, having read Aliz Hammond's article at labs.watchtowr.com,
it seems that I'm in the clear regarding all six CVE's.

Cheers,
Paul Vinkenoog

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Wait for fix to appear in distros? [ In reply to ]
exim-users at lists
Oct 3, 2023, 3:46 PM
Post #6 of 8 (222 views)
Permalink
On Tue, 3 Oct 2023 18:26:19 +0200, you wrote:

Cyborg wrote:

> > I'm wondering now: should I wait a little more (risky?) or replace my
> > version (from Almalinux 9) with the fixed version that was brought out
> > yesterday?
> >
>
> Isn't it a fork of Redhat? Have you checked the Fedora Repos, they have
> the update ready.

Yes, it's the continuation 'in sprit' of the old CentOS

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Wait for fix to appear in distros? [ In reply to ]
exim-users at lists
Oct 3, 2023, 4:03 PM
Post #7 of 8 (222 views)
Permalink
Sorry, this somehow got sent before I finished it.

Cyborg wrote:

> > I'm wondering now: should I wait a little more (risky?) or replace my
> > version (from Almalinux 9) with the fixed version that was brought out
> > yesterday?
>
> Isn't it a fork of Redhat? Have you checked the Fedora Repos, they have
> the update ready.

Yes, it's the continuation 'in sprit' of the old CentOS before RedHat killed
it. But I was wrong in assuming that my Exim came from the AlmaLinux
repo. For some reason it wasn't included there so I got it from Epel.
And I see the patched version has been pushed to Epel 9 updates-testing
yesterday, so I expect it will appear soon on Epel.

Thanks to all who replied!

Cheers,
Paul Vinkenoog

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Wait for fix to appear in distros? [ In reply to ]
exim-users at lists
Oct 4, 2023, 1:18 PM
Post #8 of 8 (214 views)
Permalink
On 04/10/2023 01:03, Paul Vinkenoog via Exim-users wrote:

> And I see the patched version has been pushed to Epel 9 updates-testing
> yesterday, so I expect it will appear soon on Epel.

It may take up to 7 days, depending on how many people test it and add
feedback [1] (plus when, and of what nature). If you have the ability to test
(and ideally add feedback) that would certainly be useful.

Tim

[1] https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-bb93ecb59d

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal