[ubuntu-hardened] Please backport fix to Exim4: [Bug 1384232] Re: Certificate hostname verification fix

Chuck Peters cp at axs.org
Sun Jun 21 20:54:30 UTC 2015

Andreas Metzler pointed to a set of patches which are included in the upcoming release of Exim4.  I would like to see this issue resolved for trusty and newer releases.

Is someone from the Server Team, or Security Team, backporting this set of patches?

If so, will we see a backport for trusty?

Perhaps this issue could be discussed at the next Security Team meeting Monday or Server Team meeting Tuesday?


----- Forwarded message from Andreas Metzler <1384232 at bugs.launchpad.net> -----

Date: Sun, 21 Jun 2015 05:33:47 -0000
From: Andreas Metzler <1384232 at bugs.launchpad.net>
To: cp at axs.org
Subject: [Bug 1384232] Re: Certificate hostname verification fix

This seems to be enabled by default in 4.86RC.


You received this bug notification because you are subscribed to exim4
in Ubuntu.
Matching subscriptions: Chuck Peters

  Certificate hostname verification fix

Status in exim4 package in Ubuntu:

Bug description:
  We did a automatic static analysis on exim4 packages in Ubuntu and
  found that EXIM will not verify the hostname of a SMTP server against
  its certificate. This will possibly result in man-in-the-middle
  attack. We reported this bug directly to exim.org in May 2014  and
  they fixed this problem in their latest release. So plz fix this issue
  in Ubuntu.

  Bug: http://bugs.exim.org/show_bug.cgi?id=1479


----- End forwarded message -----

More information about the ubuntu-hardened mailing list