Security News > 2023 > October > Critical zero-days in Exim revealed, only 3 have been fixed

Six zero-days in Exim, the most widely used mail transfer agent, have been revealed by Trend Micro's Zero Day Initiative last Wednesday.

Due to what seems to be insufficient information and poor communication, fixes for only three of them have been included in Exim v4.96.1, a security release made available today.

The popularity of Exim is not surprising: it's free, efficient, highly configurable, regularly updated, and often probed for vulnerabilities by security researchers.

CVE-2023-42115, along with CVE-2023-42116 and CVE-2023-42114 have been fixed in Exim v4.96.1 and the latest v4.97 release candidates.

Exim project team member Heiko Schlittermann has also provided details and mitigation steps for all six flaws, and confirmed that "None of these issues is related to transport security being on or off".

In the security advisories, the ZDI claims that Exim maintainers have not provided satisfactory feedback on what they were doing to fix the vulnerabilities.

News URL

https://www.helpnetsecurity.com/2023/10/02/critical-zero-days-in-exim/