Update Exim Version
I have a client who pays for active cyber insurance for his business. The provider is requiring Exim 4.96 to be installed on the server for compliance. However, there is not one single version of cPanel that uses the latest version of EXIM. What are my options? Surely, I don't have to lose clients because cPanel is "insecure"!?!
Hey there! I'm guessing you mean "4.96" instead of "1.96" for that version number. cPanel 108, which is currently in the Edge tier, will have Exim 4.96 available. However, if your client is concerned about any specific CVEs or security issues, they have likely been backported to version 4.95 in versions 106 and 102. Here is the output from an Edge server showing this:
[root@10-2-34-167 ~]# /usr/local/cpanel/cpanel -V
107.9901 (build 459)
[root@10-2-34-167 ~]# rpm -qa | grep -i exim
cpanel-exim-4.96-5.cp108~el8.x86_64
Obviously, I'm not going to run EDGE on a production server. If 4.95 has all CVEs backported from 4.96, I'm sure that would suffice. Is there documentation for this?
Oh for sure you wouldn't want to run Edge in production, but that will be making its way through the tiers before the end of this year. In fact, it just got moved to Current yesterday. There isn't necessarily documentation on this, but the RPM system can tell you. For example, if you run this command:
rpm -q cpanel-exim --changelog | grep CVE
you'll get a list of CVEs that have been patched. You can also perform other searches on the change log by adjusting the grep command.
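For a compliance check against a fixed list of required CVE IDs, the changelog search above can be scripted; this is an added example, not part of the original thread. The function name check_cves, the sample changelog and the CVE-0000-... IDs are constructed placeholders.

```shell
#!/bin/sh
# On a real server, feed the package changelog from the thread's command:
#   rpm -q cpanel-exim --changelog | check_cves <CVE-ID> [<CVE-ID> ...]

# check_cves ID...: reads changelog text on stdin and prints one
# "PATCHED <id>" or "MISSING <id>" line per ID. Returns 1 if any ID is missing.
check_cves() {
    changelog=$(cat)
    missing=0
    for id in "$@"; do
        # -F: fixed string, -w: whole word (so a shorter ID does not match
        # inside a longer one), -i: ignore case, -q: no output
        if printf '%s\n' "$changelog" | grep -qiwF -- "$id"; then
            echo "PATCHED $id"
        else
            echo "MISSING $id"
            missing=1
        fi
    done
    return $missing
}

# Constructed changelog text with placeholder CVE IDs (not real entries).
sample_changelog() {
cat <<'EOF'
* Sat Jan 01 2000 Example Packager <packager@example.invalid> - 0.00-1
- Apply upstream patch for CVE-0000-00012
- Fix CVE-0000-00003 (backported)
EOF
}

# Demo run on the constructed data: the second ID is a prefix of a listed
# one and must be reported as MISSING.
sample_changelog | check_cves CVE-0000-00012 CVE-0000-0001 \
    || echo "at least one required CVE is not mentioned in the changelog"
```

A MISSING line only means the ID is not mentioned in the package changelog; confirm against the vendor's advisory before treating the build as unpatched.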
Ok, the latest CVE was listed in the patch list, so I guess this will work for now.