To: exim-users@exim.org, exim-announce@exim.org, exim-maintainers@exim.org
From: [ do not use a dmarc protected sender ]

CVE ID: CVE-2019-13917
OVE ID: OVE-20190718-0006
Date: 2019-07-18
Credits: Jeremy Harris
Version(s): 4.85 up to and including 4.92
Issue: A local or remote attacker can execute programs with root
privileges - if you have an unusual configuration. For details
see below.

Coordinated Release Date (CRD) for Exim 4.92.1:
Thu Jul 25 10:00:00 UTC 2019

Contact: security@exim.org

We released Exim 4.92.1. This is a security update based on 4.92.

Conditions to be vulnerable
===========================

You are vulnerable if your configuration uses the ${sort } expansion on
items that can be controlled by an attacker (e.g. $local_part, $domain).
The default config, as shipped by the Exim developers, does not contain
${sort }.

Details
=======

The vulnerability is exploitable either remotely or locally and could
be used to execute other programs with root privilege. The ${sort }
expansion re-evaluates its items.

Mitigation
==========

Do not use ${sort } in your configuration.
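A small check for the two conditions above, as an added example that is not part of the advisory or the Exim project: it reads the version from `exim -bV` output against the advisory's 4.85..4.92 range and scans a configuration for ${sort } expansions that reference $local_part or $domain, which is what the mitigation asks you to remove. The sample configuration is constructed and its option names are hypothetical.

```python
import re
# Affected range per the advisory: 4.85 up to and including 4.92.
AFFECTED_MIN, AFFECTED_MAX = (4, 85), (4, 92)
# Expansion variables the advisory names as attacker-controllable.
ATTACKER_CONTROLLED = ("$local_part", "$domain")

# Constructed sample config (not a real deployment); option names are hypothetical.
SAMPLE_CONFIG = """\
domainlist local_domains = @ : localhost
acl_smtp_rcpt = acl_check_rcpt
hypothetical_list = ${sort {$local_part:$domain}{<}{$item}}
static_list = ${sort {c:a:b}{<}{$item}}
"""

def parse_exim_version(bv_output):
    """(major, minor) from 'exim -bV' output, e.g. 'Exim version 4.92 #3 ...'."""
    m = re.search(r"Exim version (\d+)\.(\d+)", bv_output)
    return (int(m.group(1)), int(m.group(2))) if m else None

def version_affected(ver):
    """True if the version tuple lies inside the advisory's affected range."""
    return ver is not None and AFFECTED_MIN <= ver <= AFFECTED_MAX

def find_sort_expansions(config_text):
    """Every complete ${sort ...} expansion; braces are matched so nested
    expansions such as {$item} stay inside the returned string."""
    found, start = [], 0
    while (i := config_text.find("${sort", start)) >= 0:
        depth = 0
        for j in range(i + 1, len(config_text)):  # i+1 is the '{' after '$'
            depth += {"{": 1, "}": -1}.get(config_text[j], 0)
            if depth == 0:
                found.append(config_text[i:j + 1])
                start = j + 1
                break
        else:  # unterminated expansion: keep the tail and stop scanning
            found.append(config_text[i:])
            break
    return found

def risky_sort_uses(config_text):
    """${sort } uses referencing an attacker-controlled variable. Substring
    matching is deliberately conservative ($domain also flags $domain_data)."""
    return [e for e in find_sort_expansions(config_text)
            if any(v in e for v in ATTACKER_CONTROLLED)]

def affected(bv_output, config_text):
    """Affected per the advisory: vulnerable version AND a risky ${sort } use."""
    return version_affected(parse_exim_version(bv_output)) and bool(risky_sort_uses(config_text))
```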

Fix
===

Install a fixed package supplied by your distribution,
or download and build a fixed version:

For release tarballs (exim-4.92.1):

http://ftp.exim.org/pub/exim/exim4/

The package files are signed with a key from the developers'
key set: https://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc

For the full Git repo:

https://git.exim.org/exim.git
https://github.com/Exim/exim [mirror of the above]
- tag exim-4.92.1
- branch exim-4.92.1+fixes

The tagged commit is the officially released version. The tag is signed
with a key from the developers' keyset. The +fixes branch isn't
officially maintained, but contains the security fix *and* useful
patches. The relevant commit is signed with a key from the developers'
keyset. The old exim-4.92+fixes branch is being functionally replaced by
the new exim-4.92.1+fixes branch.

If you can't install the above versions, ask your package maintainer for
a version containing the backported fix. On request and depending on our
resources we will support you in backporting the fix. (Please note
that the Exim project officially doesn't support versions prior to the
current stable version.)

Timeline
========

t0: Thu Jul 18 2019
- this notice to distros@vs.openwall.org and exim-maintainers@exim.org
- open limited access to our security Git repo. See below.

t0+~4d: Mon Jul 22 10:00:00 UTC 2019 [NOW]
- heads-up notice to oss-security@lists.openwall.com,
  exim-users@exim.org, and exim-announce@exim.org

t0+~7d: Thu Jul 25 10:00:00 UTC 2019 [NOW]
- Coordinated release date
- publish the patches in our official and public Git repositories
  and the packages on our FTP server.