Release date Exim 4.98 cPanel with regards to CVE-2024-39929

Comments

24 comments

  • Official comment
    cPRex Jurassic Moderator

    This has been released to all tiers now!

  • Hi,

    We've recently filed a case with our development team to patch Exim to 4.97.1. The internal case ID is CPANEL-45701. Unfortunately, I can't provide any time estimates regarding the patch. When a fix/patch is released it will be noted in our change logs.

    For a complete list of changes and also for tracking the progress of any specific case, please review our change log in the link below:

    https://changelog.cpanel.net

    1
  • ITHKBO

    Thanks William,

    Good enough for me if there is an internal Case ID.
    I am sure we will see a release soon, then.

    No further questions. Thanks for the fast response.

    0
  • Serb

    Ok, why would you file a case to patch Exim to 4.97.1 when it clearly says that "The vulnerability exists in all Exim versions up to and including 4.97.1. A fix is available in the Release Candidate 3 of Exim 4.98" (https://github.com/Exim/exim/releases/tag/exim-4.98-RC3)

    source: https://arstechnica.com/security/2024/07/more-than-1-5-million-email-servers-running-exim-vulnerable-to-critical-attacks/

    Seems now that your request to patch Exim will not fix this issue at all and we'll just end up with another vulnerable version in place, albeit a little bit newer than current one...

    0
  • ITHKBO

    I am sure that is a typo, since we have been running on 4.97.1-1.cp118~el8 for quite a while with regards to series 120.0.* on the Release tier, so I did not take heed of it as being a real problem.

    0
  • sierrablue

    14 days since 4.98 was released and no updates from cPanel. That kind of delay is not acceptable when it comes to security.

    0
  • Serb

    Agreed. But they have the nerve and audacity to increase their license costs every year or two... where is all that money going if it takes weeks to push out updates to compromised libraries?

    Jesus....

    0
  • cPRex Jurassic Moderator

    I see the fix is in test last night, so I'd expect this to get released soon.

    1
  • Rini Antony

    Is there any update regarding the patch to fix the vulnerable version 4.97.1?

    0
  • cPRex Jurassic Moderator

    The case is released in Edge right now, and we plan to move it to the more stable tiers soon!

    1
  • cPRex Jurassic Moderator

    And I'm just going to add this here for everyone that will say "but my Exim version didn't update to 4.98!"

    Remember, we frequently don't update the major version and backport changes. Here's what it will look like after your next update:

    [root@host /]# rpm -qa | grep -i exim
    cpanel-exim-4.97.1-3.cp118~el8.x86_64
    [root@host /]# rpm -q cpanel-exim --changelog | grep 39929
    - Apply patches for CVE-2024-39929 from upstream
    1
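    The moderator's point above is that the installed version string stays at 4.97.1 while the fix for CVE-2024-39929 is backported, so a version comparison alone would wrongly report the host as vulnerable. The POSIX shell script below is an added example for checking this the way the moderator shows, via the package changelog; it is not cPanel's or Exim's own tooling. It assumes the cpanel-exim package name format quoted in the comment above and uses constructed sample changelog text (the dates and maintainer address are placeholders, not real cPanel data). The live check against a real host is opt-in and only uses the two rpm queries already shown in the thread.

```shell
#!/bin/sh
# Added example (not cPanel's or Exim's own tooling): decide whether the
# backported fix for CVE-2024-39929 is present by reading the package
# changelog, since the version string alone (4.97.1 vs 4.98) misleads.

# Constructed sample inputs modeled on the rpm output quoted in the thread;
# the dates and maintainer address are placeholders, not real cPanel data.
RPM_NAME_SAMPLE='cpanel-exim-4.97.1-3.cp118~el8.x86_64'
CHANGELOG_PATCHED='* Mon Jul 15 2024 placeholder <maintainer@example.invalid> - 4.97.1-3
- Apply patches for CVE-2024-39929 from upstream'
CHANGELOG_UNPATCHED='* Mon Jan 15 2024 placeholder <maintainer@example.invalid> - 4.97.1-1
- Update to upstream 4.97.1'

# exim_version_from_rpm NAME: print the upstream Exim version embedded in a
# cpanel-exim package name, e.g. 4.97.1 from the sample above.
exim_version_from_rpm() {
    printf '%s\n' "$1" | sed -n 's/^cpanel-exim-\([0-9][0-9.]*\)-.*/\1/p'
}

# version_lt A B: exit 0 when dotted numeric version A is strictly lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# changelog_mentions CVE TEXT: exit 0 when the changelog references the CVE id.
changelog_mentions() {
    printf '%s\n' "$2" | grep -qi -- "$1"
}

# assess_exim RPM_NAME CHANGELOG_TEXT: print "patched", "unpatched" or "unknown".
# A package counts as fixed when its upstream version is 4.98 or later, or when
# a lower version carries the backported CVE patch in its changelog.
assess_exim() {
    ver=$(exim_version_from_rpm "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
        return 2
    fi
    if ! version_lt "$ver" "4.98"; then
        echo "patched"
        return 0
    fi
    if changelog_mentions "CVE-2024-39929" "$2"; then
        echo "patched"
        return 0
    fi
    echo "unpatched"
    return 1
}

# check_live_host: the same assessment against the installed package, using
# the rpm queries from the thread. Returns 2 (skipped) where rpm is absent.
check_live_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping" >&2; return 2; }
    name=$(rpm -q cpanel-exim 2>/dev/null) || { echo "cpanel-exim not installed" >&2; return 2; }
    assess_exim "$name" "$(rpm -q --changelog cpanel-exim 2>/dev/null)"
}

# Demonstration on the constructed samples; set EXIM_CHECK_LIVE=1 for a real host.
echo "$RPM_NAME_SAMPLE with backport changelog: $(assess_exim "$RPM_NAME_SAMPLE" "$CHANGELOG_PATCHED")"
echo "$RPM_NAME_SAMPLE without backport:        $(assess_exim "$RPM_NAME_SAMPLE" "$CHANGELOG_UNPATCHED")"
if [ "${EXIM_CHECK_LIVE:-0}" = 1 ]; then
    check_live_host
fi
```

    Run it as `EXIM_CHECK_LIVE=1 sh exim-check.sh` on a cPanel host to see the verdict for the installed package; without that variable it only exercises the constructed samples. The combined rule (version at or above 4.98, or a changelog entry naming the CVE) is what distinguishes a backported fix from a genuinely unpatched 4.97.1 build, which a scanner comparing bare version numbers cannot do.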
  • DELTA SERVERS iNC

    Thank you, we noticed this in version 120.0.15.

    0
  • ITHKBO

    Thank you cPRex and those involved with the mitigation.
    We have confirmed the patch is correctly installed on our own infrastructure.

    No idea if you can do it as moderator on zendesk but can you pin your own reply as the thread solution?
    Otherwise I will update the original post to include the permalink to your answer and a small reminder that this is a resolved case.

    0
  • cPRex Jurassic Moderator

    YES - this is one thing Zendesk does have, and I'll do that now.

    0
  • Andrei Rachita

    According to Exim: All versions of Exim previous to version 4.98 are now obsolete. The last 3.x release was 3.36. It is twenty years obsolete and should not be used.

    So cPanel had better upgrade to 4.98!

    Source: https://www.exim.org/

    0
  • cPRex Jurassic Moderator

    Andrei Rachita - where are you seeing version 3 anywhere?

    0
  • Andrei Rachita

    cPRex My bad here, but I also cannot see version 4.98. So you guys at cPanel are charging people for obsolete versions, since the last version that you have with cPanel is 4.97.1.

    0
  • cPRex Jurassic Moderator

    No, that isn't the case - please see my response a few posts up that addresses your concern.

    0
  • Andrei Rachita

    cPRex Thanks for that. Could you please let me know which cPanel version contains Exim 4.98? I wasn't able to find that info.

    Thanks a lot.

    0
  • cPRex Jurassic Moderator

    Andrei Rachita - all cPanel versions that are currently supported have been patched, so if you're running any modern version you're just fine. Like I mentioned earlier, it's not going to show 4.98 in our version.

    0
  • Andrei Rachita

    cPRex Thanks a lot!

    0
  • cPRex Jurassic Moderator

    Sure thing!

    0
  • Systems Operations

    cPRex, what do you think about this PoC? Legit? Absolute?

    https://github.com/michael-david-fry/CVE-2024-39929

    0
  • cPRex Jurassic Moderator

    Systems Operations - honestly I'm not sure. I'm not a dev so that's beyond my pay grade :D

    0