This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Root exploitation issue Exim-Mailserver

At what time will sophos release a fix for this issue ?

because using a exim mail proxy with a root Remote exploitation ins't a good idea at all.

 

see here:

www.openwall.com/.../4



This thread was automatically locked due to age.
Parents
  • Thanks for sharing. So far I don't see any update on the Sophos Kb. Looks like Exim needs to be updated at least to v.4.87.

    CVE-2019-10149 RCE vulnerability in Exim 4.87 to 4.91.

  • Guys, I don't know that this particular vulnerability has been addressed, but the developers are far more likely to make the adjustment in the code they have rather than risk substituting a newer version that they have not vetted.  If you have a paid license, you can ask Support if this vulnerability exists in the current code.  Please share the result here.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Guys, it seems that (at least with XG) enabling recipient verification seems to cure it (see https://community.sophos.com/kb/en-us/134199). Can ANYONE at Sophos please report back if this is also valid for UTM? Further more, why is there an kb for xg but not for utm? BTW UTM 9.603-1 is running EXIM 4.82. This COULD implicate, that UTM is not vulnerable at all ;-) But then again, someone at Sophos should clarify. 

Reply Children
No Data