Exim release 4.76 is now available from the primary ftp site:
* ftp://ftp.exim.org/pub/exim/exim4/exim-4.76.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-4.76.tar.bz2

This is a SECURITY release: Exim versions 4.70 up to and including 4.75 contained a security hole (format string attack) permitting remote execution of arbitrary code as the Exim run-time user. This is CVE-2011-1764. There is also another, lesser security issue. Both lie in the DKIM code and mitigation techniques are described below.

Note that as part of our work to improve Exim and protect against future security issues, some changes were made to the code to pass gcc with many more warnings enabled, and in some cases to compile with Clang.
Although feedback so far has been positive, there remains a chance that these changes will cause compilation problems on lesser-tested platforms; please raise any issues encountered on the exim-users mailing-list.


The primary ftp server is in Cambridge, England. There is a list of mirrors in:
* the status of Exim Download Sites mirrors

The master ftp server is ftp.exim.org.

The distribution files are signed with Phil Pennock's PGP key 0x3903637F (uid [email protected]; signed by Nigel Metheringham's PGP key DDC03262).
This key should be available from all modern PGP keyservers. Please use your own discretion in assessing what trust paths you might have to this uid; the "Release verification" section of the experimental Release Policy might be of assistance:
* EximReleasePolicyProposedDraft - Exim Wiki

The detached ASCII signature files are in the same directory as the tarbundles. The SHA1 and SHA256 hashes for the distribution files are at the end of this email.

The distribution contains an ASCII copy of the 4.76 manual and other documents. Other formats of the documentation are also available:
* ftp://ftp.exim.org/pub/exim/exim4/exim-html-4.76.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-pdf-4.76.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/ex...pt-4.76.tar.gz

The .bz2 versions of these tarbundles are also available.

The ChangeLog for this, and several previous releases, is included in the distribution. Individual change log files are also available on the ftp site, the current one being:-
* ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.76
* ftp://ftp.exim.org/pub/exim/ChangeLo...ngeLog-4.76.gz

Brief documentation for new features is available in the NewStuff file in the distribution. Individual NewStuff files are also available on the ftp site, the current one being:-
* ftp://ftp.exim.org/pub/exim/ChangeLogs/NewStuff-4.76
* ftp://ftp.exim.org/pub/exim/ChangeLogs/NewStuff-4.76.gz


Security notes for 4.75:

Disabling DKIM verification will avoid the security issues. This can be done without recompilation by adding to the start of your RCPT ACL the line:
warn control = dkim_disable_verify

In addition, not defining an ACL for acl_smtp_dkim will avoid the lesser security issue, which permits a crafted DKIM identity to cause matching to be performed against lookup items, not just strings. I believe that the results will not be included in an email or non-debug logs, so this results in attacker-controlled file-system access, tripping IDS systems but not offering an avenue of attack.

Our quick fix for the latter issue does have the side-effect of falsely rejecting some (unusual) DKIM signatures, which we do not believe will have any material impact in the real world. We'll work on a more forgiving solution for a future release.
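An added check (not part of this announcement or of Exim itself) that an administrator can run to see whether a host falls in the affected 4.70-4.75 range and whether the two mitigations in the notes above (control = dkim_disable_verify in the RCPT ACL, no acl_smtp_dkim ACL) are present in the configure file. It assumes the `exim -bV` first line reads "Exim version 4.72 #1 ..."; the two sample configs are constructed for illustration.

```shell
# Added example, not from the Exim announcement. Assumes `exim -bV` output of
# the form "Exim version 4.72 #1 ..." and a plain Exim configure file.

# Print the version number from `exim -bV` output read on stdin.
exim_version_from_bv() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed (0) when the version is in the affected range 4.70..4.75 inclusive.
exim_version_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" = 4 ] && [ -n "$minor" ] && [ "$minor" -ge 70 ] && [ "$minor" -le 75 ]
}

# Succeed (0) when the configure file still needs attention: no active
# "control = dkim_disable_verify" line, or an acl_smtp_dkim ACL defined (which
# leaves the lesser lookup issue reachable). Only presence is checked, not which
# ACL the control line sits in; lines commented out with '#' match neither pattern.
config_needs_mitigation() {
    grep -Eq '^[[:space:]]*(warn[[:space:]]+)?control[[:space:]]*=[[:space:]]*dkim_disable_verify' "$1" || return 0
    grep -Eq '^[[:space:]]*acl_smtp_dkim[[:space:]]*=' "$1" && return 0
    return 1
}

# Constructed sample: DKIM ACL defined, verification still enabled.
write_unmitigated_config() {
    cat > "$1" <<'EOF'
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_dkim = acl_check_dkim
begin acl
acl_check_rcpt:
  accept
acl_check_dkim:
  accept
EOF
}

# Constructed sample: same config with both mitigations from the notes applied.
write_mitigated_config() {
    cat > "$1" <<'EOF'
acl_smtp_rcpt = acl_check_rcpt
# acl_smtp_dkim = acl_check_dkim
begin acl
acl_check_rcpt:
  warn control = dkim_disable_verify
  accept
EOF
}
```

On a real host, pipe `exim -bV` into exim_version_from_bv and point config_needs_mitigation at the configure file Exim reports there.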