[exim.git] / doc / doc-txt / cve-2019-15846 / posting-1.txt

To: oss-security@lists.openwall.com, exim-users@exim.org,
    exim-announce@exim.org
From: [ do not use a dmarc protected sender ]

*** Note: EMBARGO is still in effect        ***
*** Distros must not publish any detail yet ***

Head up! Security release ahead!

CVE ID:     CVE-2019-15846
Version(s): up to and including 4.92.1
Issue:      A local or remote attacker can execute programs with root
            privileges.
Details:    Will be made public at CRD.

Coordinated Release Date (CRD) for Exim 4.92.2: 2019-09-06 10:00 UTC

Contact:    security@exim.org

Proposed Timeline
=================

2019-09-03:
    - initial notification to distros@openwall.org and
      exim-maintainers@exim.org

2019-09-04: <-- NOW
    - This Heads-up notice to oss-security@lists.openwall.com,
      exim-users@exim.org, and exim-announce@exim.org

2019-09-06 10:00 UTC:
    - Coordinated relase date
    - Publish the patches in our official and public Git repositories
      and the packages on our FTP server.

Downloads available starting at CRD
====================================

The downloads are not yet available. They will be made available
at the above mentioned CRD.

Release tarballs (exim-4.92.2):

    https://ftp.exim.org/pub/exim/exim4/

The package files are signed with my GPG key.

The full Git repo:

    https://git.exim.org/exim.git
    https://github.com/Exim/exim    [mirror of the above]
    - tag    exim-4.92.2
    - branch exim-4.92.2+fixes

The tagged commit is the officially released version. The tag is signed
with my GPG key.  The +fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit is
signed with my GPG key. The old exim-4.92.1+fixes branch is being functionally
replaced by the new exim-4.92.2+fixes branch.
Commit	Line	Data
c3aefacc HSHR	1	To: oss-security@lists.openwall.com, exim-users@exim.org,
	2	exim-announce@exim.org
	3	From: [ do not use a dmarc protected sender ]
	4
	5	* Note: EMBARGO is still in effect *
	6	* Distros must not publish any detail yet *
	7
	8	Head up! Security release ahead!
	9
	10	CVE ID: CVE-2019-15846
	11	Version(s): up to and including 4.92.1
	12	Issue: A local or remote attacker can execute programs with root
	13	privileges.
	14	Details: Will be made public at CRD.
	15
	16	Coordinated Release Date (CRD) for Exim 4.92.2: 2019-09-06 10:00 UTC
	17
	18	Contact: security@exim.org
	19
	20	Proposed Timeline
	21	=================
	22
	23	2019-09-03:
	24	- initial notification to distros@openwall.org and
	25	exim-maintainers@exim.org
	26
	27	2019-09-04: <-- NOW
	28	- This Heads-up notice to oss-security@lists.openwall.com,
	29	exim-users@exim.org, and exim-announce@exim.org
	30
	31	2019-09-06 10:00 UTC:
	32	- Coordinated relase date
	33	- Publish the patches in our official and public Git repositories
	34	and the packages on our FTP server.
	35
	36	Downloads available starting at CRD
	37	====================================
	38
	39	The downloads are not yet available. They will be made available
	40	at the above mentioned CRD.
	41
	42	Release tarballs (exim-4.92.2):
	43
	44	https://ftp.exim.org/pub/exim/exim4/
	45
	46	The package files are signed with my GPG key.
	47
	48	The full Git repo:
	49
	50	https://git.exim.org/exim.git
	51	https://github.com/Exim/exim [mirror of the above]
	52	- tag exim-4.92.2
	53	- branch exim-4.92.2+fixes
	54
	55	The tagged commit is the officially released version. The tag is signed
	56	with my GPG key. The +fixes branch isn't officially maintained, but
	57	contains useful patches and the security fix. The relevant commit is
	58	signed with my GPG key. The old exim-4.92.1+fixes branch is being functionally
	59	replaced by the new exim-4.92.2+fixes branch.