HostingSecList - Security notices for the hosting community.


Urgent Action Required

A remote code execution vulnerability has been reported in Exim, with 
immediate public disclosure (we were given no private notice). 
A tentative patch exists but has not yet been confirmed. 

With immediate effect, please apply this workaround: if you are running 
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main 
section of your Exim configuration, set: 

chunking_advertise_hosts = 

That's an empty value, nothing on the right of the equals sign. This 
stops Exim from advertising the ESMTP CHUNKING extension, so the BDAT 
verb becomes unavailable and an attacker cannot reach the affected logic. 

This should be a complete workaround. Impact of applying the workaround 
is that mail senders have to stick to the traditional DATA verb instead 
of using BDAT. 
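As an added check (not part of the RACK911 notice and not Exim project code), the script below does two things a hosting admin would want after applying the workaround: it inspects the main section of an Exim configuration and reports whether `chunking_advertise_hosts` is set to an empty value, and it checks whether a server's EHLO response still advertises CHUNKING. The configuration and EHLO samples are constructed for illustration; the host and port names are placeholders. It relies on Exim's documented default for `chunking_advertise_hosts` being `*` (advertise to every host), which is why an absent option is reported as "not-set".

```python
import re
import smtplib
import sys

# Constructed sample: an Exim main section WITHOUT the workaround. Exim's
# built-in default for chunking_advertise_hosts is "*", so CHUNKING is
# advertised to every connecting host when the option is absent.
CONFIG_BEFORE = """\
# Exim main section (constructed sample)
primary_hostname = mail.example.invalid
domainlist local_domains = @ : localhost
acl_smtp_rcpt = acl_check_rcpt

begin acl
acl_check_rcpt:
  accept
"""

# Constructed sample: the same main section with the notice's workaround applied.
CONFIG_AFTER = """\
primary_hostname = mail.example.invalid
domainlist local_domains = @ : localhost
# Workaround from the notice: empty value, nothing right of the equals sign.
chunking_advertise_hosts =
acl_smtp_rcpt = acl_check_rcpt

begin acl
acl_check_rcpt:
  accept
"""

_OPTION_RE = re.compile(r"^\s*chunking_advertise_hosts\s*=\s*(.*?)\s*$")


def workaround_status(config_text):
    """Inspect the main section of an Exim configuration.

    Returns one of:
      "applied"  - chunking_advertise_hosts is set to an empty value
      "not-set"  - option absent, so Exim's default ("*") applies
      "set:<v>"  - option present but non-empty: CHUNKING still offered to <v>
    Only the main section is examined: it ends at the first "begin <section>" line.
    """
    value = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if re.match(r"^begin\s+\w+", line):
            break  # end of the main section; later sections cannot set it
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = _OPTION_RE.match(line)
        if m:
            value = m.group(1)  # record the value as written
    if value is None:
        return "not-set"
    if value == "":
        return "applied"
    return "set:" + value


def chunking_advertised(ehlo_response):
    """True if a raw multi-line EHLO response advertises the CHUNKING extension.

    Each line looks like "250-KEYWORD ..." or, for the last line, "250 KEYWORD".
    """
    for line in ehlo_response.splitlines():
        m = re.match(r"^250[- ]([A-Za-z0-9]+)", line.strip())
        if m and m.group(1).upper() == "CHUNKING":
            return True
    return False


# Constructed EHLO responses: before and after the workaround.
EHLO_BEFORE = """\
250-mail.example.invalid Hello client.example.invalid [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250 HELP
"""
EHLO_AFTER = """\
250-mail.example.invalid Hello client.example.invalid [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250 HELP
"""


def probe_live(host="localhost", port=25, timeout=10):
    """Connect to a running MTA, send EHLO and report whether CHUNKING is offered.

    Standard library only: smtplib stores the extensions the server announced
    after ehlo(), and has_extn() looks one up case-insensitively.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("check.example.invalid")  # placeholder client name
        return smtp.has_extn("chunking")


if __name__ == "__main__":
    print("config before:", workaround_status(CONFIG_BEFORE))   # not-set
    print("config after: ", workaround_status(CONFIG_AFTER))    # applied
    print("EHLO before:", chunking_advertised(EHLO_BEFORE))     # True
    print("EHLO after: ", chunking_advertised(EHLO_AFTER))      # False
    if len(sys.argv) > 1:  # optional live probe: script.py HOST [PORT]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(host, port, "advertises CHUNKING:", probe_live(host, port))
```

Run it with no arguments to see the constructed samples evaluated, or pass a host and port to probe a live server after restarting Exim. A CHUNKING line still present in the EHLO banner means the option did not take effect (for example, it was placed after the first `begin` line rather than in the main section); `exim -bP chunking_advertise_hosts` prints the value Exim actually loaded.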

We've requested CVEs. More news will be forthcoming as we get this 
worked out.

Our mailing address is:
RACK911 Labs
1110 Palms Airport Drive
Suite 110
Las Vegas, NV 89119


Copyright © 2017 RACK911 Labs, All rights reserved.