blob: 90d754d3f9b3b1eff67319d18a7e2aa54c5ceb44 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
To: distros@vs.openwall.org, exim-maintainers@exim.org
From: [ do not use a dmarc protected sender ]
** EMBARGO *** This information is not public yet.
CVE ID: CVE-2019-15846
Credits: Zerons <sironhide0null@gmail.com>, Qualys
Version(s): all versions up to and including 4.92.1
Issue: The SMTP Delivery process in all versions up to and
including Exim 4.92.1 has a Buffer Overflow. In the default
runtime configuration, this is exploitable with crafted Server
Name Indication (SNI) data during a TLS negotiation. In other
configurations, it is exploitable with a crafted client TLS certificate.
Details: doc/doc-txt/cve-2019-15846 in the downloaded source tree
Contact: security@exim.org
Proposed Timeline
=================
2019-09-03:
- This notice to distros@vs.openwall.org and exim-maintainers@exim.org
- Open limited access to our security Git repo. See below.
2019-09-04:
- Heads-up notice to oss-security@lists.openwall.com,
exim-users@exim.org, and exim-announce@exim.org
about the upcoming security release
2019-09-06 10:00 UTC:
- Coordinated relase date
- Publish the patches in our official and public Git repositories
and the packages on our FTP/HTTP(S) server.
Downloads
=========
The downloads mentioned below are accessible only for a limited set of SSH
keys. At CRD they will be mirrored to the public repositories.
(Note: the repo names changed from the recently used ones.)
For release tarballs (exim-4.92.2):
git clone --depth 1 ssh://git@git.exim.org/exim-packages-security
The package files are signed with my GPG key.
For the full Git repo:
git clone ssh://git@exim.org/exim-security
- tag exim-4.92.2
- branch exim-4.92.2+fixes
The tagged commit is the officially maintained version. The tag is signed
with my GPG key. The +fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit
is signed with my GPG key.
If you need help backporting the patch, please contact us directly.
|
