Exim 4 remote root vulnerability

December 13th, 2010 by

If you are running Exim 4 you should be aware that a remote root vulnerability was discovered on Friday 10th December. This means that someone sending a specially crafted email to your server can completely take control of it.

If you are a managed server customer, you do not need to worry. All managed server customers were fully updated by the end of Saturday 11th December, including, where necessary, building non-standard exim packages from source.

If you are not a managed customer then upgrading exim is your responsibility. We have notified all customers who look like they may be running a vulnerable version of exim.

If you’re running Debian Lenny

Make sure /etc/apt/sources.list contains the line

deb http://security.debian.org/ lenny/updates main

then run

apt-get update
apt-get upgrade

This will install a patched exim for you.
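The Lenny procedure above as a small POSIX shell script. This is an added example, not a script from the original post or from Mythic Beasts: it checks whether /etc/apt/sources.list already contains the lenny/updates security line, appends it only if missing, records the installed exim4 version before and after, and then runs the same apt-get update / apt-get upgrade steps. The package name exim4-base and the EXIM_APPLY guard are assumptions of this example; the functions can be exercised against a scratch file without touching the real system.

```shell
#!/bin/sh
# Added example (not part of the original post): apply the Debian Lenny
# security update for exim, checking the apt source first.

# The security line the post tells you to put in /etc/apt/sources.list.
SECURITY_LINE='deb http://security.debian.org/ lenny/updates main'

# has_security_source FILE
# Return 0 if FILE already has the lenny/updates security line
# (tolerant of extra whitespace and a trailing comment).
has_security_source() {
    grep -qE '^[[:space:]]*deb[[:space:]]+http://security\.debian\.org/[[:space:]]+lenny/updates[[:space:]]+main' "$1"
}

# ensure_security_source FILE
# Append the security line to FILE if it is missing.
# Prints "added" or "already present".
ensure_security_source() {
    if has_security_source "$1"; then
        echo "already present"
    else
        printf '%s\n' "$SECURITY_LINE" >> "$1"
        echo "added"
    fi
}

# exim_version
# Installed exim4 version as dpkg reports it, or "not-installed".
# (exim4-base is assumed here as the package carrying the daemon version.)
exim_version() {
    dpkg-query -W -f='${Version}' exim4-base 2>/dev/null || echo "not-installed"
}

# Only modify the real system when explicitly asked for:
#   EXIM_APPLY=1 sh upgrade-exim-lenny.sh
if [ "${EXIM_APPLY:-0}" = 1 ]; then
    echo "sources.list: $(ensure_security_source /etc/apt/sources.list)"
    echo "exim4 before: $(exim_version)"
    apt-get update && apt-get upgrade
    echo "exim4 after:  $(exim_version)"
fi
```

Compare the "before" and "after" versions it prints against the version Debian's security advisory names as fixed; if they are the same, the update has not been applied and the server is still exposed.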

If you’re running CentOS

yum update

will install a patched exim for you.

If you’re running Debian Etch

There is no security update provided by Debian. You will have to roll your own Debian package with the fix, or upgrade your server or exim package to Debian Lenny.

If you’re running an LTS edition of Ubuntu

You should make sure you have the appropriate security lines in your apt configuration and follow the instructions for Debian Lenny above.

If you don’t know what to do

You should be purchasing a managed service from us and we will manage it for you; contact us at support@mythic-beasts.com.

If you think that building a CentOS 5.5 backport of exim for a customer who’s compelled to run an early version of Fedora is both possible and fun, contact us at our jobs page and we’ll let you know when we’re hiring.