diff options
Diffstat (limited to '')
-rw-r--r-- | doc/cve-2019-15846/posting-0.txt | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/doc/cve-2019-15846/posting-0.txt b/doc/cve-2019-15846/posting-0.txt new file mode 100644 index 0000000..90d754d --- /dev/null +++ b/doc/cve-2019-15846/posting-0.txt @@ -0,0 +1,59 @@ +To: distros@vs.openwall.org, exim-maintainers@exim.org +From: [ do not use a dmarc protected sender ] + +** EMBARGO *** This information is not public yet. + +CVE ID: CVE-2019-15846 +Credits: Zerons <sironhide0null@gmail.com>, Qualys +Version(s): all versions up to and including 4.92.1 +Issue: The SMTP Delivery process in all versions up to and + including Exim 4.92.1 has a Buffer Overflow. In the default + runtime configuration, this is exploitable with crafted Server + Name Indication (SNI) data during a TLS negotiation. In other + configurations, it is exploitable with a crafted client TLS certificate. +Details: doc/doc-txt/cve-2019-15846 in the downloaded source tree + +Contact: security@exim.org + +Proposed Timeline +================= + +2019-09-03: + - This notice to distros@vs.openwall.org and exim-maintainers@exim.org + - Open limited access to our security Git repo. See below. + +2019-09-04: + - Heads-up notice to oss-security@lists.openwall.com, + exim-users@exim.org, and exim-announce@exim.org + about the upcoming security release + +2019-09-06 10:00 UTC: + - Coordinated relase date + - Publish the patches in our official and public Git repositories + and the packages on our FTP/HTTP(S) server. + +Downloads +========= + +The downloads mentioned below are accessible only for a limited set of SSH +keys. At CRD they will be mirrored to the public repositories. +(Note: the repo names changed from the recently used ones.) + +For release tarballs (exim-4.92.2): + + git clone --depth 1 ssh://git@git.exim.org/exim-packages-security + +The package files are signed with my GPG key. + +For the full Git repo: + + git clone ssh://git@exim.org/exim-security + - tag exim-4.92.2 + - branch exim-4.92.2+fixes + +The tagged commit is the officially maintained version. The tag is signed +with my GPG key. The +fixes branch isn't officially maintained, but +contains useful patches *and* the security fix. The relevant commit +is signed with my GPG key. + +If you need help backporting the patch, please contact us directly. |