CentOS using yum to update Exim. Exim is configured to not allow remote connections using the local_interfaces config option.

My old version was 4.63-5.el5_5.2 and after using:

yum update exim

it shows: 4.63-5.el5_6.2. I would like to know if this updated version includes the fix for the recent remote exploit (CVE-2011-1764, discovered May 6th 2011)?

user69904

2 Answers

That particular version was released on March 30th, so it's unlikely to contain a fix for that vulnerability (see the changelog).

That said, you don't appear to be exposed to it, since you're not processing messages from anywhere but your own server. (Unless you're hosting services for 3rd parties and you don't trust them, that is.)

If it's feasible, I'd recommend applying the workaround documented in this Red Hat ticket. You should be safe enough until the maintainer releases a new package.

SmallClanger

DKIM was added in 4.70. Unless Red Hat backported it, your version 4.63 won't be affected. Also, the official statement in the Red Hat ticket SmallClanger referenced is:

Statement:

Not vulnerable. This issue did not affect the versions of exim as shipped with Red Hat Enterprise Linux 4 or 5 as they did not include support for DKIM.

jj33
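The two checks the answers rely on (does the package changelog reference the CVE, and was the installed Exim compiled with DKIM support) can be scripted so the verdict is reproducible on every host. The script below is an added example, not code from either answer or from the Exim or Red Hat projects. On a live CentOS box you would feed it the real output of `rpm -q --changelog exim` and `exim -bV`; here it runs offline against constructed sample text in the same shape, and the function names, sample changelog entries and sample version banners are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original question or answers): decide whether an
# installed Exim package is patched for, exposed to, or unaffected by a CVE.
# Inputs mimic `rpm -q --changelog exim` and `exim -bV`; the samples are constructed.

# Returns 0 if the changelog text mentions the CVE id anywhere, 1 otherwise.
changelog_mentions_cve() {
    changelog="$1"
    cve="$2"
    printf '%s\n' "$changelog" | grep -q -F -- "$cve"
}

# Returns 0 if an `exim -bV` style banner lists DKIM on its "Support for:" line.
build_supports_dkim() {
    bv_output="$1"
    printf '%s\n' "$bv_output" | grep -i '^Support for:' | grep -q -w 'DKIM'
}

# Constructed sample: a changelog in rpm format that does NOT mention the CVE.
SAMPLE_CHANGELOG_OLD='* Wed Mar 30 2011 Example Packager <packager@example.com> - 4.63-5.el5_6.2
- constructed entry: rebuild for update
* Mon Jan 10 2011 Example Packager <packager@example.com> - 4.63-5.el5_5.2
- constructed entry: earlier fix'

# Constructed sample: a changelog that does reference the CVE.
SAMPLE_CHANGELOG_FIXED='* Tue May 10 2011 Example Packager <packager@example.com> - 4.99-1.example
- constructed entry: fix CVE-2011-1764 in DKIM verification'

# Constructed sample `exim -bV` banner for a build without DKIM (the CentOS 5 case).
SAMPLE_BV_NO_DKIM='Exim version 4.63 #1 built 30-Mar-2011 12:00:00
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages Content_Scanning
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb'

# Constructed sample banner for a build that does include DKIM.
SAMPLE_BV_DKIM='Exim version 4.70 #1 built 01-Jan-2011 00:00:00
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb'

# Combine both checks into a single verdict for one host.
# A changelog reference wins; otherwise exposure depends on whether DKIM is built in.
assess_host() {
    changelog="$1"
    bv="$2"
    cve="$3"
    if changelog_mentions_cve "$changelog" "$cve"; then
        echo "patched: changelog references $cve"
    elif build_supports_dkim "$bv"; then
        echo "at-risk: DKIM built in and no $cve reference in changelog"
    else
        echo "not-affected: build has no DKIM support"
    fi
}

# Stand-alone run against the CentOS 5 style samples.
assess_host "$SAMPLE_CHANGELOG_OLD" "$SAMPLE_BV_NO_DKIM" CVE-2011-1764
```

On a real host, replace the samples with `assess_host "$(rpm -q --changelog exim)" "$(exim -bV)" CVE-2011-1764`. Note that a changelog reference only tells you the packager claims a fix; the `exim -bV` check is what establishes whether the DKIM code path exists in the binary at all, which is the basis of the "not vulnerable" statement quoted above.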