Skip to main content

CentOS 6, Exim-4.94.2, CVE-2020-28007+

Volodymyr Petrov
Hello, Recently new version of exim-4.94.2 was published. It have a lot of security fixes. I have an old server with CentOS 6. I know CentOS 6 not supported for now. But I have to use it by some reasons. I see CPanel updated exim recently # cat /etc/redhat-release CentOS release 6.10 (Final) # exim --version Exim version 4.93 #2 built 03-May-2021 19:32:37 Does this release have all the security fixes? Local vulnerabilities - CVE-2020-28007: Link attack in Exim's log directory - CVE-2020-28008: Assorted attacks in Exim's spool directory - CVE-2020-28014: Arbitrary PID file creation - CVE-2020-28011: Heap buffer overflow in queue_run() - CVE-2020-28010: Heap out-of-bounds write in main() - CVE-2020-28013: Heap buffer overflow in parse_fix_phrase() - CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase() - CVE-2020-28015: New-line injection into spool header file (local) - CVE-2020-28012: Missing close-on-exec flag for privileged pipe - CVE-2020-28009: Integer overflow in get_stdinput() Remote vulnerabilities - CVE-2020-28017: Integer overflow in receive_add_recipient() - CVE-2020-28020: Integer overflow in receive_msg() - CVE-2020-28023: Out-of-bounds read in smtp_setup_msg() - CVE-2020-28021: New-line injection into spool header file (remote) - CVE-2020-28022: Heap out-of-bounds read and write in extract_option() - CVE-2020-28026: Line truncation and injection in spool_read_header() - CVE-2020-28019: Failure to reset function pointer after BDAT error - CVE-2020-28024: Heap buffer underflow in smtp_ungetc() - CVE-2020-28018: Use-after-free in tls-openssl.c - CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

Comments

3 comments

Date Votes
  • cPRex Jurassic Moderator
    Hey there! Ideally, you should be on 4.94.2 in order to get the latest security updates.
    0
  • Volodymyr Petrov
    Can someone tell me for sure? In the CPanel change log I see ---- Change Log for 86.0.40 05/04/2021 08:00 AM Fixed case CPANEL-36865: Update exim to 4.93-8.cp1186. ---- What is the "case CPANEL-36865" ?
    0
  • ffeingol
    That is an internal cPanel case number. Just ssh into your server and run: exim --version
    Per @cPRex it should come back up with version 4.94.2
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post