Release date Exim 4.98 cPanel with regards to CVE-2024-39929
Due to the increased risk of attacks in the wild with CVE-2024-39929 and the vulnerable version 4.97.1, we want to update Exim as soon as possible to the new release version 4.98. However, cPanel has explicitly stated in the past that manual updates of Exim are not supported, which I can totally understand. Source: https://support.cpanel.net/hc/en-us/articles/4408158504599-How-to-manually-update-EXIM-version
However, it has not been added to the current build yet, nor am I seeing any mention of it in the changelog.
Our question thus is: when can we expect the release to become available?
Thank you for your time as always.
Additional information:
https://nvd.nist.gov/vuln/detail/CVE-2024-39929
https://lists.exim.org/lurker/message/20240710.155945.8823670d.en.html
-
Official comment
This has been released to all tiers now!
-
Hi,
We've recently filed a case with our development team to patch Exim to 4.97.1. The internal case ID is CPANEL-45701. Unfortunately, I can't provide any time estimates regarding the patch. When a fix/patch is released it will be noted in our change logs.
For a complete list of changes and also for tracking the progress of any specific case, please review our change log in the link below:
https://changelog.cpanel.net
-
Thanks William,
Good enough for me if there is an internal Case ID.
I am sure we will see a release soon then.
No further questions. Thanks for the fast response.
-
Ok, why would you file a case to patch Exim to 4.97.1 when it clearly says that "The vulnerability exists in all Exim versions up to and including 4.97.1. A fix is available in the Release Candidate 3 of Exim 4.98" (https://github.com/Exim/exim/releases/tag/exim-4.98-RC3)
source: https://arstechnica.com/security/2024/07/more-than-1-5-million-email-servers-running-exim-vulnerable-to-critical-attacks/
Seems now that your request to patch Exim will not fix this issue at all and we'll just end up with another vulnerable version in place, albeit a little bit newer than the current one...
-
I am sure that is a typo, since we have been running 4.97.1-1.cp118~el8 for quite a while with regards to the 120.0.* series on the Release tier, so I did not take it as being a real problem.
-
14 days since 4.98 was released and no updates from cPanel. That kind of delay is not acceptable when it comes to security.
-
Agreed. But they have the nerve and audacity to increase their license costs every year or two... where is all that money going if it takes weeks to push out updates to compromised libraries?
Jesus....
-
I see the fix is in test last night, so I'd expect this to get released soon.
-
Is there any update regarding the patch to fix the vulnerable version 4.97.1?
-
The case is released in Edge right now, and we plan to move it to the more stable tiers soon!
-
And I'm just going to add this here for everyone that will say "but my Exim version didn't update to 4.98!"
Remember, we frequently don't update the major version and instead backport changes. Here's what it will look like after your next update:
[root@host /]# rpm -qa | grep -i exim
cpanel-exim-4.97.1-3.cp118~el8.x86_64
[root@host /]# rpm -q cpanel-exim --changelog | grep 39929
- Apply patches for CVE-2024-39929 from upstream
-
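As an added example of the check cPRex describes (not cPanel's or Exim's own code), the following POSIX shell function decides whether an installed Exim package is patched for CVE-2024-39929 without trusting the version string alone: it accepts an upstream version of 4.98 or later, or an older version whose package changelog carries the backported patch entry. The function names and the sample changelog lines are my own constructions; the rpm queries used are standard rpm options.

```shell
#!/bin/sh
# Added example, not cPanel's or Exim's own code. cPanel backports the fix for
# CVE-2024-39929 into its cpanel-exim 4.97.1 package instead of shipping 4.98,
# so a version-number comparison alone misreports patched hosts as vulnerable.

# exim_patched VERSION CHANGELOG_TEXT
# Prints "patched" or "unpatched" and returns 0 or 1 accordingly.
exim_patched() {
  version="$1"
  changelog="$2"
  # Split e.g. "4.97.1-3.cp118~el8" into major=4 and minor=97 (digits only).
  major="${version%%.*}"
  rest="${version#*.}"
  minor="${rest%%[!0-9]*}"
  # Upstream fixed this in 4.98 (first in 4.98-RC3), so 4.98+ is fixed by version.
  if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 98 ]; }; then
    echo patched
    return 0
  fi
  # Older version strings: accept the package only if its changelog carries the
  # backported patch entry (cPanel's reads "Apply patches for CVE-2024-39929").
  if printf '%s\n' "$changelog" | grep -q 'CVE-2024-39929'; then
    echo patched
    return 0
  fi
  echo unpatched
  return 1
}

# check_installed [PACKAGE]: query an RPM-based host (cPanel's package is
# cpanel-exim). Reports "unknown" where rpm or the package is absent.
check_installed() {
  pkg="${1:-cpanel-exim}"
  if ! command -v rpm >/dev/null 2>&1; then
    echo unknown
    return 2
  fi
  ver="$(rpm -q --qf '%{VERSION}' "$pkg" 2>/dev/null)" || { echo unknown; return 2; }
  log="$(rpm -q --changelog "$pkg" 2>/dev/null)"
  exim_patched "$ver" "$log"
}

# Constructed sample changelogs: one with the backported entry, one without.
SAMPLE_PATCHED_LOG='* (constructed entry)
- Apply patches for CVE-2024-39929 from upstream'
SAMPLE_OLD_LOG='- Initial packaging (constructed entry)'
```

Run `check_installed` on a cPanel host to get the verdict for the installed package; the version-only branch exists so the same function also handles hosts running upstream 4.98 builds.
-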
Thank you, we noticed this in version 120.0.15.
-
Thank you cPRex and those involved with the mitigation.
We have confirmed the patch is correctly installed on our own infrastructure.
No idea if you can do it as a moderator on Zendesk, but can you pin your own reply as the thread solution?
Otherwise I will update the original post to include the permalink to your answer and a small reminder that this is a resolved case.
-
YES - this is one thing Zendesk does have, and I'll do that now.
-
According to Exim: All versions of Exim previous to version 4.98 are now obsolete. The last 3.x release was 3.36. It is twenty years obsolete and should not be used.
So CPanel had better upgrade to 4.98!
Source: https://www.exim.org/
-
Andrei Rachita - where are you seeing version 3 anywhere?
-
cPRex My bad here, but I also cannot see version 4.98. So you guys at CPanel are charging people for obsolete versions, since the last version that you have with CPanel is 4.97.1.
-
No, that isn't the case - please see my response a few posts up that addresses your concern.
-
cPRex Thanks for that. Could you please let me know what CPanel version contains Exim 4.98? I wasn't able to find that info.
Thanks a lot.
-
Andrei Rachita - all cPanel versions that are currently supported have been patched, so if you're running any modern version you're just fine. Like I mentioned earlier, it's not going to show 4.98 in our version.
-
cPRex Thanks a lot!
-
Sure thing!
-
cPRex, what do you think about this PoC? Legit? Absolute?
-
Systems Operations - honestly I'm not sure. I'm not a dev so that's beyond my pay grade :D