Linux administrators will have to change their holiday plans, because Exim is still releasing a security update on Christmas Day, and not earlier as had been hoped.
An information leakage vulnerability was fixed last week in Exim, a widely used email agent for Unix and Linux systems, and major distributions are currently updating their packages to incorporate the fix. Exim maintainer Heiko Schlittermann originally announced on Dec. 18 that details of the vulnerability and the updated software will be available Dec. 25. There was a possibility the release date could be moved to Dec. 23 if the partner distributions could complete their preparations in a shorter timeframe, but that’s no longer the case.
“As at least one major distro isn’t ready yet, we’ll keep our initial schedule and release the fixed versions on Dec, 25th, 10:00 UTC,” Schlittermann wrote early Dec. 23. “We’re sorry for the release date.”
The timing was unfortunate, but Schlittermann suggested delaying the patch would be worse. “And yes, we know, it is holiday in many countries, maybe in all countries of some of all that many worlds. The decision wasn’t an easy one. Delaying some days more would probably hit New Year celebration or Дед Мороз. Delaying it even more?” Schlittermann asked.
Nothing much about the information leakage vulnerability, designated CVE-2016-9963, is known at the moment, not even its severity. “If several conditions are met, Exim leaks private information to a remote attacker,” Schlittermann said in a different message. That can mean exposing hostnames or IP addresses stored in memory, which isn’t ideal, or as critical as leaking private cryptographic keys.
Exim is going from 4.87 to 4.87.1, which makes the update a fairly minor one. However, Schlittermann originally wrote, “We can’t celebrate any holiday while knowing that there are systems outside, that may leak private information,” suggesting the vulnerability may not be so benign.
The uncertainty puts IT administrators in a quandary on how to handle the update, especially if they weren’t planning on providing on-call coverage on Dec. 25 and 26.
The Exim team appears to have done the best it could to avoid the Christmas Day update. The team received the vulnerability report on Dec. 15, requested CVE on Dec. 16, and had a fix ready and tested by Dec. 18. Major distributions and other partners are given seven days to prepare their packages before the public release, which brings the date to Dec. 25. While maintainers from Red Hat and SUSE said they would be ready by Dec. 23 to accommodate an earlier release date, that wasn’t the case for other distributors.
The impact of the update should be “very minimal” since most administrators will be receiving the patch from their respective distributions. For example, Exim is part of the default Debian installation, so administrators will receive the updated software directly from Debian’s repositories.
“And if you build your own Exim packages, the effort to rebuild it (4.87.1 is almost the same as 4.87, which you should have running already) is minimal,” Schlittermann said. Exim 4.88 and Exim 4.87.1 will be available in the official Exim repository.
Even so, administrators still have to analyze and test the updates to make sure the new version doesn’t cause any problems within their environments. So IT teams have to decide: handle the update in a timely manner, or take a chance and wait a few more days?