
RPMs CentOS 6.7 Vulnerability Exim

Posted: 2016/02/10 09:20:33
by peopleinside
I am running CentOS 6.7 with a Webuzo control panel, whose latest available edition of Exim is the old version 4.72.

This version is vulnerable to the POODLE attack (SSL 3), and there is no way through settings to disable SSL 3 and still have mail work.
I have alerted the Webuzo team about this issue, and they are now finding that this issue seems to be related to the CentOS RPMs.

Ubuntu has updated its RPMs; you can try it on a test server.
This is CentOS's fault for not upgrading their repos to get the latest version of the software.

So can anyone tell me if there is a solution to fix this issue?
I hope the Webuzo team will receive a solution to the email sent to CentOS support. I don't know what to do as an end user of Webuzo, but I really need to see this security issue resolved in Exim running on CentOS 6.7, where it seems I must keep SSL 3 enabled to have email work, and this is the POODLE SSL 3 security vulnerability.
If I disable SSL 3 support, email also has issues and stops working well. Also, Exim 4.72 is very old.

Re: RPMs CentOS 6.7 Vulnerability Exim

Posted: 2016/02/10 10:10:06
by peopleinside
It seems from yum that the latest version of Exim available on CentOS 6.7 is Exim 4.72, which is old and insecure.
Can you confirm the same?

A most recent version is needed!

Re: RPMs CentOS 6.7 Vulnerability Exim

Posted: 2016/02/10 10:32:03
by TrevorH
CentOS 6 does not supply exim at all. The default MTA is postfix, and sendmail is supplied as an alternative. There is a copy of exim in the EPEL repo for CentOS 6, but that's not a CentOS repo, and you need to report problems with it in the Fedora EPEL section. Looking at the rpm changelog for the EPEL copy of exim, it does appear to have some backported fixes that are later than the nominal 4.72 version number:


# repoquery -q --changelog exim | less
* Fri Oct 10 2014 Jaroslav Škarvada <> - 4.72-7
- Do not override LFLAGS (problem reported by Todd Lyons)

* Wed Jul 23 2014 Jaroslav Škarvada <> - 4.72-6
- Only expand integers for integer math once
  Resolves: CVE-2014-2972

* Fri Jun 13 2014 Jaroslav Škarvada <> - 4.72-5
- Rebuilt to show correct version of OpenSSL (exim -bV)
- Fixed bogus dates in changelog (best effort)

* Sun Oct 28 2012 Jaroslav Škarvada <> - 4.72-4
- The wrongly named CVE-2011-1407 patch was renamed to CVE-2011-1764
- Added fix for CVE-2011-1407
  Resolves: CVE-2011-1407

* Thu Oct 25 2012 Jaroslav Škarvada <> - 4.72-3
- Backported fix for CVE-2012-5671
  Resolves: CVE-2012-5671

* Wed May 18 2011 Mark Chappell <> 4.72-2
- Backport various security fixes
- (CVE-2011-1407 CVE-2011-0017 CVE-2010-4345)

* Thu Jun 03 2010 David Woodhouse <> - 4.72-1
- Update to 4.72 (fixes CVE-2010-2023, CVS-2010-2024)

Re: RPMs CentOS 6.7 Vulnerability Exim

Posted: 2016/02/10 10:45:02
by peopleinside
Thank you for your reply.
I have commented on an existing bug and opened a new security bug.

1. [Commented by Me] [Exim old version]
2. [Opened by Me] [Security]

Re: RPMs CentOS 6.7 Vulnerability Exim

Posted: 2016/02/22 13:33:21
by peopleinside
Now the patched exim is under Fedora testing. ... 8e8ac9dfda

I hope this can also be accessible in CentOS once it is stable.

Re: RPMs CentOS 6.7 Vulnerability Exim

Posted: 2016/02/22 17:44:13
by avij
As kindly explained by TrevorH above, there is no Exim at all in CentOS 6. Sure, you can use EPEL packages with CentOS 6 (as you are doing), but EPEL is a separate project from CentOS and this forum is not an EPEL support forum. To verify that you are indeed using exim provided by EPEL, you can run rpm -qi exim. The output should include the text "Packager: Fedora Project".

That said, you can update to the new exim package that is currently in testing with yum update exim --enablerepo=epel-testing.

Re: RPMs CentOS 6.7 Vulnerability Exim

Posted: 2016/02/22 18:20:44
by peopleinside
Thank you, avij, for the reply; I will try. Thank you for explaining it to me. Sorry if I am not very expert on this. You are kind, thank you, great support!

Re: RPMs CentOS 6.7 Vulnerability Exim

Posted: 2016/03/08 13:43:43
by peopleinside
The Exim released by Red Hat this month resolves two strong vulnerabilities:

- DROWN attack

I suggest that all users update exim to the version released in February 2016.
You can check the current version on your server with the SSH command:
exim -bV

and you can see the release date of your version.

After installing the new Exim version, I suggest (so as not to be vulnerable) adding this line to exim.conf:
openssl_options = +no_sslv2 +no_sslv3
then save and restart exim.

Now you are safe from these two strong vulnerabilities.

Thanks a lot to Jaroslav Škarvada, and to me, who discovered and reported this issue.
Thanks also to CentOS forum support and to TrevorH, who gave me the right link for reporting the issue.
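The two checks described in this thread, avij's rpm -qi test for an EPEL-built exim and the exim -bV plus openssl_options step in the last post, written up as one small POSIX shell script. This is an added example, not code from the thread, from CentOS or from the EPEL exim package. It assumes a Red Hat style exim.conf in which the main section precedes the first "begin ..." line, that the installed Exim understands the openssl_options main option, and every sample output embedded below is constructed rather than captured from a real host. It also handles the detail the last post glosses over: a main option appended after a "begin" line lands in the wrong section, so the line is inserted before the first "begin" instead.

```shell
#!/bin/sh
# Added example for the CentOS forum thread on EPEL exim 4.72 and POODLE/DROWN.
# Not part of the original posts. All sample text in this file is constructed.

# Returns 0 if the `rpm -qi exim` output passed on stdin was built by the
# Fedora Project, i.e. the package came from EPEL and not from CentOS.
exim_is_from_epel() {
    grep -q '^Packager[[:space:]]*:[[:space:]]*Fedora Project'
}

# Prints the version number from `exim -bV` output passed on stdin.
# The first line looks like "Exim version 4.72 #1 built 23-Jul-2014 ...".
exim_version() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Returns 0 if the exim.conf given as $1 already has an openssl_options
# line that disables both SSLv2 (DROWN) and SSLv3 (POODLE).
conf_disables_sslv2_sslv3() {
    opts=$(sed -n 's/^[[:space:]]*openssl_options[[:space:]]*=[[:space:]]*//p' "$1")
    case "$opts" in
        *+no_sslv2*+no_sslv3*|*+no_sslv3*+no_sslv2*) return 0 ;;
        *) return 1 ;;
    esac
}

# Inserts "openssl_options = +no_sslv2 +no_sslv3" into the main section of
# the exim.conf given as $1, i.e. before the first "begin ..." line (or at
# the end if the file has no sections). Idempotent: if an openssl_options
# line already exists it is left alone, because a main option set twice is
# a configuration error in Exim; a weak existing line is reported (rc 2).
harden_exim_conf() {
    conf="$1"
    if grep -qE '^[[:space:]]*openssl_options[[:space:]]*=' "$conf"; then
        conf_disables_sslv2_sslv3 "$conf" && return 0
        echo "$conf: existing openssl_options line does not disable SSLv2/SSLv3; edit it by hand" >&2
        return 2
    fi
    tmp="$conf.tmp.$$"
    awk 'BEGIN { done = 0 }
         /^begin / && !done { print "openssl_options = +no_sslv2 +no_sslv3"; done = 1 }
         { print }
         END { if (!done) print "openssl_options = +no_sslv2 +no_sslv3" }' "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# Demo on a constructed minimal exim.conf in a temp file, not /etc/exim/exim.conf.
demo_conf=$(mktemp)
printf 'primary_hostname = mail.example.test\n\nbegin acl\n\nacl_check_rcpt:\n  accept\n' > "$demo_conf"
harden_exim_conf "$demo_conf"
echo "--- hardened config ---"
cat "$demo_conf"
rm -f "$demo_conf"
```

On a real host the two provenance checks are simply `rpm -qi exim | exim_is_from_epel` and `exim -bV | exim_version`. After `harden_exim_conf /etc/exim/exim.conf` and a restart, confirm the change from another machine with `openssl s_client -connect mail.example.test:25 -starttls smtp -ssl3`: the handshake must now fail (likewise with `-ssl2` where the local openssl build still has that option). Two caveats the thread does not mention: Exim never speaks SSLv2 in any case, so `+no_sslv2` is belt and braces, and DROWN is exploitable through any SSLv2-capable service that shares the same RSA key, so the same certificate on dovecot or httpd needs SSLv2 disabled there too.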