Commit: c3aefacc (HSHR)

To: distros@vs.openwall.org, exim-maintainers@exim.org
From: [ do not use a dmarc protected sender ]

*** EMBARGO *** This information is not public yet.

CVE ID: CVE-2019-15846
Credits: Zerons <sironhide0null@gmail.com>, Qualys
Version(s): all versions up to and including 4.92.1
Issue: The SMTP Delivery process in all versions up to and
including Exim 4.92.1 has a Buffer Overflow. In the default
runtime configuration, this is exploitable with crafted Server
Name Indication (SNI) data during a TLS negotiation. In other
configurations, it is exploitable with a crafted client TLS certificate.
Details: doc/doc-txt/cve-2019-15846 in the downloaded source tree

Contact: security@exim.org

Proposed Timeline
=================

2019-09-03:
- This notice to distros@vs.openwall.org and exim-maintainers@exim.org
- Open limited access to our security Git repo. See below.

2019-09-04:
- Heads-up notice to oss-security@lists.openwall.com,
  exim-users@exim.org, and exim-announce@exim.org
  about the upcoming security release

2019-09-06 10:00 UTC:
- Coordinated release date
- Publish the patches in our official and public Git repositories
  and the packages on our FTP/HTTP(S) server.

Downloads
=========

The downloads mentioned below are accessible only for a limited set of SSH
keys. At CRD they will be mirrored to the public repositories.
(Note: the repo names changed from the recently used ones.)

For release tarballs (exim-4.92.2):

    git clone --depth 1 ssh://git@git.exim.org/exim-packages-security

The package files are signed with my GPG key.

For the full Git repo:

    git clone ssh://git@exim.org/exim-security
    - tag exim-4.92.2
    - branch exim-4.92.2+fixes

The tagged commit is the officially maintained version. The tag is signed
with my GPG key. The +fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit
is signed with my GPG key.

If you need help backporting the patch, please contact us directly.