Ticket #871 (closed defect: invalid)

Opened 3 years ago

Last modified 3 years ago

Check whether localhost-only exim installations need upgrading too

Reported by: nils.toedtmann Owned by:
Priority: awaiting triage Milestone:
Component: ckan Keywords:
Cc: rgrp, wwaites Repository:
Theme:

Description

The infamous exim bug only needs one mail with prepared headers to travel through an exim system to infect it. All local processes could do that, and some services (e.g. cron, webapps) send messages and might be convinced by malicious remote users to produce evil headers.

We should either rule out that this could happen on our systems, or upgrade all exims regardless of whether they are localhost-only or not.

BTW, did we already run a rootkit checker like Rootkit Hunter on eu1? If not, we should maybe do it now; there was already an exploit out in the wild. ByteMark has (a) already observed infections and (b) notified us because they remotely fingerprinted our mailer to be exim<4.70 (our EHLO banner contains the exim version), just as anyone could.
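The remote fingerprinting the reporter mentions is trivial to reproduce: Exim's default greeting is "220 <host> ESMTP Exim <version> <date>", so any client that reads the first line of an SMTP session learns the version. The script below is an added example (not from the ticket, and not OKFN's or Exim's code) that does exactly that check from the outside, and flags anything advertising a version below 4.70, the cut-off the ticket gives. The host names and greeting lines in SAMPLE_BANNERS are constructed for illustration so the script can run offline; pass real host names on the command line to scan live.

```python
"""Fingerprint SMTP greeting banners for the advertised Exim version.

Added example, not code from the ticket. The sample banners below are
constructed; only their shape (the default Exim greeting) is real.
"""
import re
import socket

# Exim's default greeting: "220 <host> ESMTP Exim <version> <date>".
BANNER_RE = re.compile(r"\bExim\s+(\d+(?:\.\d+)+)")

# Cut-off from the ticket: the remote bug affects exim < 4.70.
FIXED_VERSION = (4, 70)


def version_tuple(text):
    """'4.69' -> (4, 69). Compare numerically, not as strings,
    so that a hypothetical 4.100 sorts after 4.70."""
    return tuple(int(part) for part in text.split("."))


def parse_exim_version(banner):
    """Return the Exim version advertised in a 220 greeting,
    or None if the banner is not Exim's or hides the version."""
    match = BANNER_RE.search(banner)
    return version_tuple(match.group(1)) if match else None


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when a version was advertised and it predates the fix."""
    return version is not None and version < fixed


def classify(banner):
    """Human-readable verdict for one greeting banner."""
    version = parse_exim_version(banner)
    if version is None:
        return "not exim / version hidden"
    if is_vulnerable(version):
        return "VULNERABLE (exim<%d.%d)" % FIXED_VERSION
    return "ok"


def read_banner(host, port=25, timeout=5.0):
    """Connect, collect the full 220 greeting and send QUIT.

    Multi-line greetings use '220-' continuation lines; the final
    line starts with '220 ' (space), which is where we stop reading.
    """
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("r", encoding="ascii", errors="replace")
        for line in stream:
            line = line.rstrip("\r\n")
            lines.append(line)
            if not line.startswith("220-"):
                break
        sock.sendall(b"QUIT\r\n")
    return "\n".join(lines)


# Constructed sample greetings (hypothetical hosts), one per outcome.
SAMPLE_BANNERS = {
    "eu1": "220 eu1.example.org ESMTP Exim 4.69 Tue, 14 Dec 2010 09:12:00 +0000",
    "eu2": "220 eu2.example.org ESMTP Exim 4.72 Tue, 14 Dec 2010 09:12:01 +0000",
    "mx":  "220 mx.example.org ESMTP Postfix",
}


def scan_samples():
    """Classify the constructed banners; used when run without arguments."""
    return {name: classify(banner) for name, banner in SAMPLE_BANNERS.items()}


if __name__ == "__main__":
    import sys

    if sys.argv[1:]:
        for host in sys.argv[1:]:
            print(host, classify(read_banner(host)))
    else:
        for name, verdict in scan_samples().items():
            print(name, verdict)
```

Two caveats when using this as the "rule it out" check the ticket asks for: it only sees daemons that listen on a reachable port, so a localhost-only exim (or one reached only via the `exim` binary from cron and webapps) still has to be checked on the box itself, e.g. with `exim -bV`; and hiding the version by changing Exim's `smtp_banner` main option stops this kind of casual fingerprinting but does nothing about the bug, so it is no substitute for the upgrade.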

Change History

comment:1 Changed 3 years ago by wwaites

Regarding rkhunter -- yes, eu1 appears to be clean

Regarding the upgrade -- upgraded to 4.72 from backports which, looking more closely, appears to still have the privilege escalation bug but not the remote root exploit.

Regarding exim on other hosts, there is no reason for them to be running a full mta, something like ssmtp should suffice.

Also well worth giving some thought to moving to postfix. It's much easier to configure and I haven't known it to have any comparable bugs in the decade or so I've been running it. In fact I've never seen anyone actually use exim before...

comment:2 Changed 3 years ago by nils.toedtmann

Re postfix: I second ww. I like to run some super simple local MTA (e.g. "nullmailer") on all but one server, using a central postfix (or a send-only GMail account) as smarthost. Am happy with postfix for >10 years, it's straightforward and rock solid.

comment:3 Changed 3 years ago by rgrp

  • Status changed from new to closed
  • Resolution set to invalid

This is not a ckan issue. It should have been on http://knowledgeforge.net/okfn/tasks
