http://localhost/ticket/871 <p> The infamous <a class="ext-link" href="http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html"><span class="icon">​</span>exim bug</a> only needs one mail with prepared headers to travel through a exim system infect it. All local processes could do that, and some services (e.g. cron, webapps) send messages and might be convinced by malicious remote users to produce evil headers. </p> <p> We should either rule out that this could happen on our systems, or upgrade all exims regardless of whether they are localhost-only or not. </p> <p> BTW did we already run a rootkit checker like <a class="ext-link" href="http://rkhunter.sourceforge.net/"><span class="icon">​</span>Rootkit hunter</a> on eu1? If not we should maybe do it now - there was already an exploit out in the wild. <a class="missing wiki">ByteMark?</a> has (a) already observed infections and (b) notified us because they remotely fingerprinted our mailer to be exim&lt;4.70 (our EHLO banner contains the exim version), just as anyone could. </p> en-us http://assets.okfn.org/p/ckan/img/ckan_logo_shortname.png http://localhost/ticket/871 Trac 0.12.3 wwaites Tue, 14 Dec 2010 10:26:01 GMT http://localhost/ticket/871#comment:1 http://localhost/ticket/871#comment:1 <p> Regarding rkhunter -- yes, eu1 appears to be clean </p> <p> Regarding the upgrade -- upgradede to 4.72 from backports which, looking more closely, appears to still have the privilege escalation bug but not the remote root exploit. </p> <p> Regarding exim on other hosts, there is no reason for them to be running a full mta, something like ssmtp should suffice. </p> <p> Also very worth the thought of moving to postfix. It's much easier to configure and I haven't known it to have any comparable bugs in the decade or so I've been running it. In fact I've never seen anyone actually use exim before... </p> Ticket nils.toedtmann Tue, 14 Dec 2010 10:47:36 GMT http://localhost/ticket/871#comment:2 http://localhost/ticket/871#comment:2 <p> Re postfix: I second ww. I like to run some super simple local MTA (e.g. "nullmailer") on all but one server, using a central postfix (or a send-only GMail account) as smarthost. Am happy with postfix for &gt;10years, it's straightforward and rock solid. </p> Ticket rgrp Sat, 29 Jan 2011 22:35:58 GMT http://localhost/ticket/871#comment:3 http://localhost/ticket/871#comment:3 <ul> <li><strong>status</strong> changed from <em>new</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>invalid</em> </li> </ul> <p> This is not a ckan issue. should have been on <a class="ext-link" href="http://knowledgeforge.net/okfn/tasks"><span class="icon">​</span>http://knowledgeforge.net/okfn/tasks</a> </p> Ticket