Is MC infected with CVE-2018-6789

Problems/questions regarding MailCleaner installation

Moderators: FlorianB, Pascal, bourgeois, mentor

blason
Posts: 165
Joined: Wed Mar 06, 2013 7:45 am
How did you hear about Mailcleaner: Internet

Is MC infected with CVE-2018-6789

Postby blason » Wed Mar 07, 2018 11:10 am

Hello,

Can someone please confirm if MailCleaner is affected with CVE-2018-6789?
User avatar
Martijn
Posts: 45
Joined: Wed Aug 20, 2014 5:31 pm
How did you hear about Mailcleaner: We love to work with Mailcleaner
Location: Enter - Netherlands
Contact:

Re: Is MC infected with CVE-2018-6789

Postby Martijn » Thu Mar 08, 2018 2:47 pm

It seems not...

See https://www.debian.org/security/2018/dsa-4110
For the oldstable distribution (jessie), this problem has been fixed in version 4.84.2-2+deb8u5.
Image
FlorianB
Posts: 296
Joined: Wed Apr 01, 2015 2:27 pm
How did you hear about Mailcleaner: job

Re: Is MC infected with CVE-2018-6789

Postby FlorianB » Fri Mar 09, 2018 10:43 pm

Hello,
Yes it is or it was.
MailCleaner doesn't use the Debian version sadly but a compiled one so we use the original sources without Debian security patches.
One of my colleague already recompiled Exim so it should be available soon if not already in the repo.
Regards,
Florian
uncltom
Posts: 525
Joined: Tue Aug 26, 2008 3:01 am
How did you hear about Mailcleaner: I dont remember probably google?
Location: Spokane, WA

Re: Is MC infected with CVE-2018-6789

Postby uncltom » Sat Mar 10, 2018 5:52 am

Florian,

I did not see the mc-exim package in the apt-get update / upgrade. When should it be available or did I miss it? What version would it be if it was patched?

Thanks!
NelsonP
Posts: 1
Joined: Wed Dec 27, 2017 11:41 am
How did you hear about Mailcleaner: google

Re: Is MC infected with CVE-2018-6789

Postby NelsonP » Sat Mar 10, 2018 11:24 am

Martijn wrote:It seems not...

See https://www.debian.org/security/2018/dsa-4110
For the oldstable distribution (jessie), this problem has been fixed in version 4.84.2-2+deb8u5.


That's good news. Cheers, Martijn. I was worried about this as well.
FlorianB
Posts: 296
Joined: Wed Apr 01, 2015 2:27 pm
How did you hear about Mailcleaner: job

Re: Is MC infected with CVE-2018-6789

Postby FlorianB » Sun Mar 11, 2018 5:13 pm

Hello,
Please read my previous post, debian package is not used in MailCleaner so the flaw is present.
But my colleague Marin published a new Exim package as you can see here: http://cdnmcpool.mailcleaner.net/pool/main/m/mc-exim/
Exim 4.90.1
apt-get upgrade and it should upgrade it or more specifically, apt-get install mc-exim.
Regards,
Florian
User avatar
Martijn
Posts: 45
Joined: Wed Aug 20, 2014 5:31 pm
How did you hear about Mailcleaner: We love to work with Mailcleaner
Location: Enter - Netherlands
Contact:

Re: Is MC infected with CVE-2018-6789

Postby Martijn » Sun Mar 11, 2018 5:35 pm

Hi Florian,

I do have installed version 4.90.1, but does this version contains the CVE?

If the source at https://github.com/Exim/exim was used, this version is still affected because they fixed the base64d() buffer size on the 5th of Feb.
The installed version is compiled on 15th Jan.
Image
uncltom
Posts: 525
Joined: Tue Aug 26, 2008 3:01 am
How did you hear about Mailcleaner: I dont remember probably google?
Location: Spokane, WA

Re: Is MC infected with CVE-2018-6789

Postby uncltom » Mon Mar 12, 2018 1:45 am

Martijn wrote:Hi Florian,

I do have installed version 4.90.1, but does this version contains the CVE?

If the source at https://github.com/Exim/exim was used, this version is still affected because they fixed the base64d() buffer size on the 5th of Feb.
The installed version is compiled on 15th Jan.


The last modified date of the CVE package is 16 Jan 2018 as well. Is this really the newest compile?
FlorianB
Posts: 296
Joined: Wed Apr 01, 2015 2:27 pm
How did you hear about Mailcleaner: job

Re: Is MC infected with CVE-2018-6789

Postby FlorianB » Mon Mar 12, 2018 9:56 am

Hello,
You re right, this is not the last one ! I called the colleague and it should be published soon (tomorrow or near)
Regards,
Florian

Return to “Installation”

Who is online

Users browsing this forum: No registered users and 5 guests