Saw this on the Exim List:-

From: Tony Finch <dot--at-- at dotat.at>
Subject: [exim] CVE-2015-0235 - glibc gethostbyname remotely exploitable via exim
Date: Tue, 27 Jan 2015 17:33:45 +0000

"The Exim mail server is exploitable remotely if configured to perform extra security checks on the HELO and EHLO commands ("helo_verify_hosts" or "helo_try_verify_hosts" option, or "verify = helo" ACL); we developed a reliable and fully-functional exploit that bypasses all existing protections (ASLR, PIE, NX) on 32-bit and 64-bit machines.

http://www.openwall.com/lists/oss-security/2015/01/27/9

---------------------------------

"- We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example."

-------------------------------------

I use Exim on C5 and C6 - should I be worried about Exim on C6 ?

--
Regards,
Paul.
England, EU.
Je suis Charlie.
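The quoted advisory gives two conditions for the Exim vector: HELO verification must be switched on (helo_verify_hosts, helo_try_verify_hosts, or a "verify = helo" ACL condition), and the installed glibc must predate the upstream fix that landed between 2.17 and 2.18. The POSIX shell script below is an added example, not part of Paul's post and not code from the Exim or glibc projects; it checks both conditions for a host. The function names are hypothetical, the two Exim configuration snippets are constructed for illustration, and the version comparison only says whether the upstream fix is present, so it reports a version such as 2.12 as exposed even when the distribution has backported the patch.

```shell
#!/bin/sh
# Added example: audit a host for the Exim exposure described in the
# CVE-2015-0235 advisory. Helper names are hypothetical; sample configs are
# constructed and do not come from any real server.

# Return 0 when the Exim configuration text in $1 enables HELO verification
# through helo_verify_hosts, helo_try_verify_hosts, or a "verify = helo" ACL
# condition. Comments are stripped first so a commented-out line does not count.
exim_helo_verify_enabled() {
    printf '%s\n' "$1" | sed 's/#.*$//' | grep -Eq \
        '^[[:space:]]*helo_(try_)?verify_hosts[[:space:]]*=|(^|[^A-Za-z_])verify[[:space:]]*=[[:space:]]*helo([^A-Za-z_]|$)'
}

# Return 0 when glibc version $1 (e.g. "2.20" or "2.12-1.149") is 2.18 or newer,
# i.e. carries the upstream fix. Older versions may still be fixed by a vendor
# backport; see glibc_backport_present for RPM systems.
glibc_upstream_fixed() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    [ "$1" -gt 2 ] || { [ "$1" -eq 2 ] && [ "$2" -ge 18 ]; }
}

# On RPM-based systems (RHEL/CentOS) a backported fix appears in the package
# changelog under the CVE id. Returns 0 if found, 1 if not, 2 if rpm is absent.
glibc_backport_present() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q --changelog glibc 2>/dev/null | grep -q 'CVE-2015-0235'
}

# Combine the two advisory conditions for config $1 and glibc version $2.
# Returns 0 when the host may be exposed, 1 when the vector does not apply.
audit_exim_ghost() {
    config="$1"; glibc_version="$2"
    if ! exim_helo_verify_enabled "$config"; then
        echo "HELO verification is off: the advisory's Exim vector does not apply"
        return 1
    fi
    if glibc_upstream_fixed "$glibc_version"; then
        echo "glibc $glibc_version is 2.18 or newer: fixed upstream"
        return 1
    fi
    echo "HELO verification is on and glibc $glibc_version predates the upstream fix;"
    echo "check for a distribution backport and restart Exim after updating glibc."
    return 0
}

# Constructed sample configurations (not from a real server).
RISKY_CONFIG='primary_hostname = mail.example.test
# helo_verify_hosts = *   (commented out, must be ignored)
helo_try_verify_hosts = *
begin acl
acl_check_mail:
  require verify = helo'

SAFE_CONFIG='primary_hostname = mail.example.test
# require verify = helo
acl_check_mail:
  accept'

# Stand-alone run: audit the risky sample against the glibc on this machine.
installed=$(getconf GNU_LIBC_VERSION 2>/dev/null | sed 's/^glibc //')
[ -n "$installed" ] || installed=0.0
audit_exim_ghost "$RISKY_CONFIG" "$installed" || true
```

On a real server, feed it the output of `exim -bP` or the configuration file itself rather than the sample text, and treat a pre-2.18 result as "check the vendor changelog", not as a verdict. Restarting Exim after the glibc update matters: a running daemon keeps the old library mapped until it is restarted.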