This article is more than 1 year old

Bad news: Exim hole was going to be patched on Xmas Day. Good news: Keyword 'was'

Code release for info-leak bug brought forward

Updated An information-leaking security hole in widely used email agent Exim – scheduled for repair on Christmas Day – may now be publicly patched earlier, possibly as soon as Friday.

System administrators were stunned by the suggestion that a patch for the vulnerability would be released on December 25 when pretty much everyone working in IT will have the day off.

An Exim maintainer, Heiko Schlittermann, admitted the timing of the release wasn’t ideal and suggested that holding up the release until after the Christmas festivities would be worse.

“We're very sorry for the unfortunate timing,” said Schlittermann. “We got the vulnerability report on Dec 15th, and requested the CVE on 16th. On 18th the patch was ready and passed our tests. We added 7 days to give the distros a chance to prepare their packages and this made up the 25th.

“And yes, we know, it is holiday in many countries. The decision wasn't an easy one. Delaying some days more would probably hit New Year celebration."

In the end, Exim's developers spoke to software distribution makers about hurrying along the bugfix release, and it was decided to bring the update forward to Friday, December 23.

Christmas is saved and sysadmins not providing on-call coverage on December 25 and 26 can stick to their plans, whether that's spending time with family, or getting drunk with friends, or sitting at home alone reinstalling Kubernetes, or perhaps all three.

The seriousness of the bug that’s going to be fixed remains unclear, although Schlittermann did suggest that the “impact of the update should be very minimal.” The revised software will go from 4.87 to 4.87.1, implying a minor step update.

“From what's been said so far, I've no idea how bad the underlying bug might be,” said El Reg reader Ben T, who tipped us off. “It might simply be that you can get disclosure of addresses that have been passed through (which still isn't great), or might be something worse like being able to get the private key used for TLS.”

There's only a placeholder on Exim’s bug tracker for the flaw, designated CVE-2016-9963. ®

Updated to add on December 23

Actually, due to a distro not being ready in time, the release date will be December 25. Doh!

More about

TIP US OFF

Send us news


Other stories you might like