On Sun, 01 Oct 2023 20:35:48 +, Slavko via Exim-users wrote:
> On 1 October 2023 20:07:45 UTC, user Christof Meerwald via Exim-users
> wrote:
>>This was only officially confirmed today (which is very unfortunate),
>
> That is true only in this ML, otherwise it was confirmed on Friday
On 1 October 2023 20:07:45 UTC, user Christof Meerwald via Exim-users
wrote:
>This was only officially confirmed today (which is very unfortunate),
That is true only in this ML, otherwise it was confirmed on Friday:
https://www.openwall.com/lists/oss-security/2023/09/29/5
But yes
On Sun, 01 Oct 2023 19:50:43 +, Slavko via Exim-users wrote:
> On 1 October 2023 17:49:26 UTC, user Rainer Dorsch via Exim-users
> wrote:
>>I stopped the exim4 service on servers with port 25 accessible from the
>>internet
>
> Please why?
>
> + do you use AUTH (NTLM/EXTERNAL) on por
On 1 October 2023 17:49:26 UTC, user Rainer Dorsch via Exim-users
wrote:
>I stopped the exim4 service on servers with port 25 accessible from the
>internet
Please why?
+ do you use AUTH (NTLM/EXTERNAL) on port 25?
+ do you have untrusted proxy in front?
+ you have not reliable resolv
On Sun, Oct 01, 2023 at 05:50:00PM +0200, Andreas Barth via Exim-users wrote:
> I have seen the security side as debian release manager for quite many
> software products. And I doubt much that postfix would do it much
> different.
Coordinated release of security updates is standard industry prac
I did not want to say that I want to migrate to postfix because it is handling
security issues better than exim4.
I stopped the exim4 service on servers with port 25 accessible from the
internet, but since I cannot do that for a long time, migrating to postfix
would be an emergency fix, since
Summary
---
Six 0day exploits were filed against Exim.
None of these issues is related to transport security (TLS) being
on or off.
* 3 of them are related to SPA/NTLM, and EXTERNAL auth. If you do not use
SPA/NTLM, or EXTERNAL authentication, you're not affected.
These issues are fixed.
* Rainer Dorsch via Exim-users (exim-users@lists.exim.org) [231001 15:02]:
> On Saturday, 30 September 2023, 10:34:14 CEST, Andrew C Aitchison via
> Exim-users wrote:
> > Yesterday Heiko posted
> > https://seclists.org/oss-sec/2023/q3/254
> > in one of the security lists.
>
> For me, it
On Saturday, 30 September 2023, 10:34:14 CEST, Andrew C Aitchison via
Exim-users wrote:
> Yesterday Heiko posted
> https://seclists.org/oss-sec/2023/q3/254
> in one of the security lists.
For me, it would be helpful if at least the timelines would be properly
communicated to the users,
On Fri, 29 Sep 2023 15:17:05 +, Some Guy via Exim-users wrote:
> Hi, I'm running an appliance which includes an Exim MTA and now I'm
> wondering, if I should be worried because of the RCE with CVSS 9.8 described
> at the Zero Day Initiative homepage here:
>
> https://www.zerodayinitiative.com
On Sat, 30 Sep 2023, Andrew C Aitchison via Exim-users:
I've seen some second hand reports (eg on the mailop list,
which 1) has a closed archive, and 2) seems unreachable this evening)
that the vulnerabilities are in SPA (Microsoft, NTLM) authentication and
libspf2.
So for authentication, only
Would it (temporary) help to restrict authentication via
auth_advertise_hosts?
- oliver