Yesterday, Exim.org released an update for its mail server, Exim 4.97. This release includes various bug fixes and introduces new features. According to the November survey conducted by Security Space, Exim is used by 35.90% of mail servers, with Postfix close behind at 34.86%, Sendmail at 3.46%, MailEnable at 1.84%, MDaemon at 0.40%, and Microsoft Exchange at 0.19%.
Some of the notable changes in this release include:
- An exim_msgdate utility has been added to convert message IDs into a human-readable format.
- The expansion-testing mechanism now allows variables to be set when starting Exim with the “-be” option.
- An event is now generated on both the client and server sides when SMTP authentication fails.
- A new variable, $sender_helo_verified, has been added, which contains the result of the “verify = helo” ACL condition.
- Support for predefined macros for operators, conditions, and variables has been added.
- The SMTP option “max_rcpt” is now expanded early, before use.
- The tls_eccurve option for OpenSSL now accepts a list of groups.
- Queue runners can now be launched from a single background process.
- An operator has been added to wrap long header lines.
- A command-line option has been added to print only the identifiers of the messages in the queue.
- The expansion operator ${readsocket} now supports setting the SNI for TLS.
- Regular expressions are now allowed in the ACL modifier remove_header.
- A new variable, $recipients_list, has been added to provide a properly quoted list of recipients.
- A log_selector parameter has been implemented to log the identifiers of incoming connections.
In addition to these updates, five vulnerabilities that were identified at the end of September have been addressed in this release. Three of these vulnerabilities (CVE-2023-42115, CVE-2023-42116, CVE-2023-42117) allow remote code execution on the server without authentication. The other two vulnerabilities (CVE-2023-42114 and CVE-2023-42119) can lead to the leakage of contents from the memory of the process servicing network requests.