In-Depth HOW TO Articles From The Expert

Learn from the Experts in LinuxSecurity, find the HOWTO or step-by-step guide that you need right here. 


   openSUSE Security Update: Security update for exim
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2024:0007-1
Rating:             important
References:         #1218387 
Cross-References:   CVE-2022-3559 CVE-2023-42114 CVE-2023-42115
                    CVE-2023-42116 CVE-2023-42117 CVE-2023-42119
                    CVE-2023-51766
CVSS scores:
                    CVE-2022-3559 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   This update for exim fixes the following issues:

   exim was updated to 4.97.1 (boo#1218387, CVE-2023-51766):

     * Fixes for the smtp protocol smuggling (CVE-2023-51766)

   exim was updated to exim 4.96:

     * Move from using the pcre library to pcre2.
     * Constification work in the filters module required a major version
       bump for the local-scan API.  Specifically, the "headers_charset"
       global which is visible via the API is now const and may therefore not
       be modified by local-scan code.
     * Bug 2819: speed up command-line messages being read in.  Previously a
       time check was being done for every character; replace that with one
       per buffer.
     * Bug 2815: Fix ALPN sent by server under OpenSSL.  Previously the
       string sent was prefixed with a length byte.
     * Change the SMTP feature name for pipelining connect to be compliant
       with RFC 5321.  Previously Dovecot (at least) would log errors during
       submission.
     * Fix macro-definition during "-be" expansion testing.  The move to
       write-protected store for macros had not accounted for these runtime
       additions; fix by removing this protection for "-be" mode.
     * Convert all uses of select() to poll().
     * Fix use of $sender_host_name in daemon process.  When used in certain
       main-section options or in a connect ACL, the value from the first
       ever connection was never replaced for subsequent connections.
     * Bug 2838: Fix for i32lp64 hard-align platforms
     * Bug 2845: Fix handling of tls_require_ciphers for OpenSSL when a value
       with underbars is given.
     * Bug 1895: TLS: Deprecate RFC 5114 Diffie-Hellman parameters.
     * Debugging initiated by an ACL control now continues through into
       routing and transport processes.
     * The "expand" debug selector now gives more detail, specifically on the
       result of expansion operators and items.
     * Bug 2751: Fix include_directory in redirect routers.  Previously a bad
       comparison between the option value and the name of the file to be
       included was done, and a mismatch was wrongly identified.
     * Support for Berkeley DB versions 1 and 2 is withdrawn.
     * When built with NDBM for hints DB's check for nonexistence of a name
       supplied as the db file-pair basename.
     * Remove the "allow_insecure_tainted_data" main config option and the
       "taint" log_selector.
     * Fix static address-list lookups to properly return the matched item.
       Previously only the domain part was returned.
     * The ${run} expansion item now expands its command string elements
       after splitting.  Previously it was before; the new ordering makes
       handling zero-length arguments simpler.
     * Taint-check exec arguments for transport-initiated external processes.
       Previously, tainted values could be used.  This affects "pipe", "lmtp"
       and "queryprogram" transport, transport-filter, and ETRN commands. The
       ${run} expansion is also affected: in "preexpand" mode no part of the
       command line may be tainted, in default mode the executable name may
       not be tainted.
     * Fix CHUNKING on a continued-transport.  Previously the usabilility of
       the facility was not passed across execs, and only the first message
       passed over a connection could use BDAT; any further ones using DATA.
     * Support the PIPECONNECT facility in the smtp transport when the
       helo_data uses $sending_ip_address and an interface is specified.
     * OpenSSL: fix transport-required OCSP stapling verification under
       session resumption.
     * TLS resumption: the key for session lookup in the client now includes
       more info that a server could potentially use in configuring a TLS
       session, avoiding oferring mismatching sessions to such a server.
     * Fix string_copyn() for limit greater than actual string length.
     * Bug 2886: GnuTLS: Do not free the cached creds on transport connection
       close; it may be needed for a subsequent connection.
     * Fix CHUNKING for a second message on a connection when the first was
       rejected.
     * Fix ${srs_encode ...} to handle an empty sender address, now returning
       an empty address.
     * Bug 2855: Handle a v4mapped sender address given us by a frontending
       proxy.

   update to exim 4.95

     * includes taintwarn (taintwarn.patch)
     * fast-ramp queue run
     * native SRS
     * TLS resumption
     * LMDB lookups with single key
     * smtp transport option "message_linelength_limit"
     * optionally ignore lookup caches
     * quota checking for appendfile transport during message reception
     * sqlite lookups allow a "file=" option
     * lsearch lookups allow a "ret=full" option
     * command line option for the notifier socket
     * faster TLS startup
     * new main config option "proxy_protocol_timeout"
     * expand "smtp_accept_max_per_connection"
     * log selector "queue_size_exclusive"
     * main config option "smtp_backlog_monitor"
     * main config option "hosts_require_helo"
     * main config option "allow_insecure_tainted_data"


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP5:

      zypper in -t patch openSUSE-2024-7=1



Package List:

   - openSUSE Backports SLE-15-SP5 (aarch64 ppc64le s390x x86_64):

      exim-4.97.1-bp155.5.9.1
      eximon-4.97.1-bp155.5.9.1
      eximstats-html-4.97.1-bp155.5.9.1


References:

   https://www.suse.com/security/cve/CVE-2022-3559.html
   https://www.suse.com/security/cve/CVE-2023-42114.html
   https://www.suse.com/security/cve/CVE-2023-42115.html
   https://www.suse.com/security/cve/CVE-2023-42116.html
   https://www.suse.com/security/cve/CVE-2023-42117.html
   https://www.suse.com/security/cve/CVE-2023-42119.html
   https://www.suse.com/security/cve/CVE-2023-51766.html
   https://bugzilla.suse.com/1218387

openSUSE: 2024:0007-1 important: exim

January 4, 2024
An update that fixes 7 vulnerabilities is now available

Description

This update for exim fixes the following issues: exim was updated to 4.97.1 (boo#1218387, CVE-2023-51766): * Fixes for the smtp protocol smuggling (CVE-2023-51766) exim was updated to exim 4.96: * Move from using the pcre library to pcre2. * Constification work in the filters module required a major version bump for the local-scan API. Specifically, the "headers_charset" global which is visible via the API is now const and may therefore not be modified by local-scan code. * Bug 2819: speed up command-line messages being read in. Previously a time check was being done for every character; replace that with one per buffer. * Bug 2815: Fix ALPN sent by server under OpenSSL. Previously the string sent was prefixed with a length byte. * Change the SMTP feature name for pipelining connect to be compliant with RFC 5321. Previously Dovecot (at least) would log errors during submission. * Fix macro-definition during "-be" expansion testing. The move to write-protected store for macros had not accounted for these runtime additions; fix by removing this protection for "-be" mode. * Convert all uses of select() to poll(). * Fix use of $sender_host_name in daemon process. When used in certain main-section options or in a connect ACL, the value from the first ever connection was never replaced for subsequent connections. * Bug 2838: Fix for i32lp64 hard-align platforms * Bug 2845: Fix handling of tls_require_ciphers for OpenSSL when a value with underbars is given. * Bug 1895: TLS: Deprecate RFC 5114 Diffie-Hellman parameters. * Debugging initiated by an ACL control now continues through into routing and transport processes. * The "expand" debug selector now gives more detail, specifically on the result of expansion operators and items. * Bug 2751: Fix include_directory in redirect routers. Previously a bad comparison between the option value and the name of the file to be included was done, and a mismatch was wrongly identified. * Support for Berkeley DB versions 1 and 2 is withdrawn. * When built with NDBM for hints DB's check for nonexistence of a name supplied as the db file-pair basename. * Remove the "allow_insecure_tainted_data" main config option and the "taint" log_selector. * Fix static address-list lookups to properly return the matched item. Previously only the domain part was returned. * The ${run} expansion item now expands its command string elements after splitting. Previously it was before; the new ordering makes handling zero-length arguments simpler. * Taint-check exec arguments for transport-initiated external processes. Previously, tainted values could be used. This affects "pipe", "lmtp" and "queryprogram" transport, transport-filter, and ETRN commands. The ${run} expansion is also affected: in "preexpand" mode no part of the command line may be tainted, in default mode the executable name may not be tainted. * Fix CHUNKING on a continued-transport. Previously the usabilility of the facility was not passed across execs, and only the first message passed over a connection could use BDAT; any further ones using DATA. * Support the PIPECONNECT facility in the smtp transport when the helo_data uses $sending_ip_address and an interface is specified. * OpenSSL: fix transport-required OCSP stapling verification under session resumption. * TLS resumption: the key for session lookup in the client now includes more info that a server could potentially use in configuring a TLS session, avoiding oferring mismatching sessions to such a server. * Fix string_copyn() for limit greater than actual string length. * Bug 2886: GnuTLS: Do not free the cached creds on transport connection close; it may be needed for a subsequent connection. * Fix CHUNKING for a second message on a connection when the first was rejected. * Fix ${srs_encode ...} to handle an empty sender address, now returning an empty address. * Bug 2855: Handle a v4mapped sender address given us by a frontending proxy. update to exim 4.95 * includes taintwarn (taintwarn.patch) * fast-ramp queue run * native SRS * TLS resumption * LMDB lookups with single key * smtp transport option "message_linelength_limit" * optionally ignore lookup caches * quota checking for appendfile transport during message reception * sqlite lookups allow a "file=" option * lsearch lookups allow a "ret=full" option * command line option for the notifier socket * faster TLS startup * new main config option "proxy_protocol_timeout" * expand "smtp_accept_max_per_connection" * log selector "queue_size_exclusive" * main config option "smtp_backlog_monitor" * main config option "hosts_require_helo" * main config option "allow_insecure_tainted_data"

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP5: zypper in -t patch openSUSE-2024-7=1


Package List

- openSUSE Backports SLE-15-SP5 (aarch64 ppc64le s390x x86_64): exim-4.97.1-bp155.5.9.1 eximon-4.97.1-bp155.5.9.1 eximstats-html-4.97.1-bp155.5.9.1


References

https://www.suse.com/security/cve/CVE-2022-3559.html https://www.suse.com/security/cve/CVE-2023-42114.html https://www.suse.com/security/cve/CVE-2023-42115.html https://www.suse.com/security/cve/CVE-2023-42116.html https://www.suse.com/security/cve/CVE-2023-42117.html https://www.suse.com/security/cve/CVE-2023-42119.html https://www.suse.com/security/cve/CVE-2023-51766.html https://bugzilla.suse.com/1218387


Severity
Announcement ID: openSUSE-SU-2024:0007-1
Rating: important
Affected Products: openSUSE Backports SLE-15-SP5 .

Related News