Commit | Line | Data |
---|---|---|
c3aefacc HSHR |
1 | To: oss-security@lists.openwall.com, exim-users@exim.org, |
2 | exim-announce@exim.org | |
3 | From: [ do not use a dmarc protected sender ] | |
4 | ||
5 | *** Note: EMBARGO is still in effect *** | |
6 | *** Distros must not publish any detail yet *** | |
7 | ||
8 | Heads up! Security release ahead! | |
9 | ||
10 | CVE ID: CVE-2019-15846 | |
11 | Version(s): up to and including 4.92.1 | |
12 | Issue: A local or remote attacker can execute programs with root | |
13 | privileges. | |
14 | Details: Will be made public at CRD. | |
15 | ||
16 | Coordinated Release Date (CRD) for Exim 4.92.2: 2019-09-06 10:00 UTC | |
17 | ||
18 | Contact: security@exim.org | |
19 | ||
20 | Proposed Timeline | |
21 | ================= | |
22 | ||
23 | 2019-09-03: | |
24 | - initial notification to distros@openwall.org and | |
25 | exim-maintainers@exim.org | |
26 | ||
27 | 2019-09-04: <-- NOW | |
28 | - This Heads-up notice to oss-security@lists.openwall.com, | |
29 | exim-users@exim.org, and exim-announce@exim.org | |
30 | ||
31 | 2019-09-06 10:00 UTC: | |
32 | - Coordinated release date | |
33 | - Publish the patches in our official and public Git repositories | |
34 | and the packages on our FTP server. | |
35 | ||
36 | Downloads available starting at CRD | |
37 | ==================================== | |
38 | ||
39 | The downloads are not yet available. They will be made available | |
40 | at the above mentioned CRD. | |
41 | ||
42 | Release tarballs (exim-4.92.2): | |
43 | ||
44 | https://ftp.exim.org/pub/exim/exim4/ | |
45 | ||
46 | The package files are signed with my GPG key. | |
47 | ||
48 | The full Git repo: | |
49 | ||
50 | https://git.exim.org/exim.git | |
51 | https://github.com/Exim/exim [mirror of the above] | |
52 | - tag exim-4.92.2 | |
53 | - branch exim-4.92.2+fixes | |
54 | ||
55 | The tagged commit is the officially released version. The tag is signed | |
56 | with my GPG key. The +fixes branch isn't officially maintained, but | |
57 | contains useful patches *and* the security fix. The relevant commit is | |
58 | signed with my GPG key. The old exim-4.92.1+fixes branch is being functionally | |
59 | replaced by the new exim-4.92.2+fixes branch. |