CVE-2023-42115 Exim - OOB RCE
So it looks like the update is coming very soon: "Exim issues email server update, mitigations for 6 zero-day vulnerabilities" (IT World Canada News). How long before cPanel has it?
I never give out ETAs, but these critical issues are a top priority. Once Exim releases it, we'll be on it.
I know this is a long shot, but is there a chance that the patch can be deployed to v110 when it's released?
110 is the current LTS release, so it should receive the patch for sure.
The fixed versions will be 110.0.12, 114.0.7, and all versions of 116.
When will it show for upcp to update? (It's still showing .11 for LTS.)
I never give out ETAs, but these critical issues are a top priority. Once Exim releases it, we'll be on it.
Sorry, I thought your post meant it was ready.
The patches are out now.
Does this fix the SPF vulnerability? I'm asking this since I understand the SPF issues are in libspf2, which is used by Exim, so Exim has no control over that.
According to the change log for 114.0.7, libspf2 was updated, so I am going to assume that is a yes:
[security] Fixed case CPANEL-43378: Update cpanel-libspf2 to 1.2.11-2.cp108.
If @cPRex can confirm, that would be better though.
Nope, that's correct!
All the versions with the fixes have been released at this point!
Your "this" link isn't working, so I can't see where that leads. I also don't think you're reading the version numbering of the package properly. 4.96-8 was released in January 2023, as outlined here:
Many thanks for your reply @cPRex. Indeed, my version 4.96-8 (included in cPanel v110.0.7) is earlier than 4.96.1-2. According to this article:
I think you misunderstood that sentence; it means that Exim is NOT vulnerable if the "SPA" auth driver is NOT enabled.
Yes, exactly. I think that the default configuration for Exim is that the SPA auth driver is NOT enabled, so Exim is NOT vulnerable by default. How can I confirm this for my installation?
You would have had to make manual customizations to Exim through the WHM >> Exim Configuration Manager >> Advanced, and then manually add some code in order for this to be present. If you don't recall doing that, which is unlikely for most users, it isn't going to be affected.
Thanks @cPRex, so you confirm that Exim is NOT vulnerable by default (meaning that SPA auth is not enabled) for CVE-2023-42114 and CVE-2023-42116. CVE-2023-42115 mentions that external auth has to be enabled in order to be vulnerable. I assume that external auth also requires manual editing in the Exim Configuration Manager?
That's correct!
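The exchange above says the SPA authenticator (CVE-2023-42114 / CVE-2023-42116) and the external authenticator (CVE-2023-42115) only matter if they are actually configured, which on cPanel means someone added them by hand under Exim Configuration Manager >> Advanced. The script below is an added example, not code from the thread or from cPanel, that turns that into a check you can run: it reads Exim configuration text (a config file, or what `exim -bP authenticators` prints, which is the configuration as Exim itself parsed it, macros expanded) and reports any authenticator whose `driver` is `spa` or `external`. The function names and the sample configuration are constructed for this example; `exim -bP authenticators`, `exim -bP configure_file` and `exim -bV` are standard Exim options.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): does this Exim configuration
# actually *configure* an authenticator using the "spa" driver
# (CVE-2023-42114 / CVE-2023-42116) or the "external" driver (CVE-2023-42115)?
# Drivers merely compiled in (the "Authenticators:" line of `exim -bV`) do not
# count; only a configured authenticator block does.

# Filter: read Exim config text (a config file such as the one named by
# `exim -bP configure_file`, or the output of `exim -bP authenticators`) on
# stdin and print one line per matching authenticator:
#   <authenticator name> <driver> <CVEs>
# In a config file only the "begin authenticators" section is examined;
# `-bP authenticators` output has no section header and is taken whole.
find_risky_auth_drivers() {
    awk '
        BEGIN { insec = 1 }
        # config-file section headers: only the authenticators section matters
        /^begin[[:space:]]/ { insec = ($2 == "authenticators"); next }
        # a driver block starts with a bare name at column 0
        # ("name:" in a config file, "name" in -bP output)
        /^[A-Za-z0-9_]+:?[[:space:]]*$/ { name = $1; sub(/:$/, "", name); next }
        # comment lines never configure anything
        /^[[:space:]]*#/ { next }
        insec && /^[[:space:]]*driver[[:space:]]*=/ {
            drv = $0
            sub(/^[[:space:]]*driver[[:space:]]*=[[:space:]]*/, "", drv)
            sub(/[[:space:]]+$/, "", drv)
            if (drv == "spa")      print name, drv, "CVE-2023-42114/CVE-2023-42116"
            if (drv == "external") print name, drv, "CVE-2023-42115"
        }
    '
}

# Wrapper with an exit status: 0 = nothing found,
# 1 = at least one spa/external authenticator is configured (findings printed).
audit_exim_auth_config() {
    findings=$(find_risky_auth_drivers)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Live check on a server (not run here): let Exim parse its own config,
# macros included, and feed the authenticator blocks to the filter. Run as root.
audit_live_exim() {
    exim -bP authenticators | audit_exim_auth_config
}

# Constructed sample config: the dovecot authenticators a stock cPanel config
# uses, plus one hand-added SPA block of the kind the thread says only a manual
# edit would introduce, and a routers section that must be ignored.
SAMPLE_CONFIG='
begin authenticators

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client

# driver = spa  (commented out: must not be reported)
ntlm_auth:
  driver = spa
  public_name = NTLM
  server_password = ${lookup{$auth1}lsearch{/etc/exim.pw}}

begin routers

dnslookup:
  driver = dnslookup
  transport = remote_smtp
'

if printf '%s\n' "$SAMPLE_CONFIG" | audit_exim_auth_config; then
    echo "sample config: no spa/external authenticator configured"
else
    echo "sample config: spa/external authenticator configured, review it"
fi
```

On a real host prefer `audit_live_exim` over grepping the file: `exim -bP` shows option values after macro expansion, so a `driver = SOME_MACRO` line in /etc/exim.conf is resolved, and it reflects the configuration Exim is actually running. Seeing `spa` in the `exim -bV` "Authenticators:" list is not by itself a finding; that line only says the driver was compiled in, which is the case for most distribution builds.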