[exim.git] / doc / doc-txt / cve-2019-15846 / posting-0.txt

To: distros@vs.openwall.org, exim-maintainers@exim.org
From: [ do not use a dmarc protected sender ]

** EMBARGO *** This information is not public yet.

CVE ID:     CVE-2019-15846
Credits:    Zerons <sironhide0null@gmail.com>, Qualys
Version(s): all versions up to and including 4.92.1
Issue:      The SMTP Delivery process in all versions up to and
            including Exim 4.92.1 has a Buffer Overflow.  In the default
            runtime configuration, this is exploitable with crafted Server
            Name Indication (SNI) data during a TLS negotiation. In other
            configurations, it is exploitable with a crafted client TLS certificate.
Details:    doc/doc-txt/cve-2019-15846 in the downloaded source tree

Contact:    security@exim.org

Proposed Timeline
=================

2019-09-03:
    - This notice to distros@vs.openwall.org and exim-maintainers@exim.org
    - Open limited access to our security Git repo. See below.

2019-09-04:
    - Heads-up notice to oss-security@lists.openwall.com,
      exim-users@exim.org, and exim-announce@exim.org
      about the upcoming security release

2019-09-06 10:00 UTC:
    - Coordinated relase date
    - Publish the patches in our official and public Git repositories
      and the packages on our FTP/HTTP(S) server.

Downloads
=========

The downloads mentioned below are accessible only for a limited set of SSH
keys. At CRD they will be mirrored to the public repositories.
(Note: the repo names changed from the recently used ones.)

For release tarballs (exim-4.92.2):

    git clone --depth 1 ssh://git@git.exim.org/exim-packages-security

The package files are signed with my GPG key.

For the full Git repo:

    git clone ssh://git@exim.org/exim-security
    - tag    exim-4.92.2
    - branch exim-4.92.2+fixes

The tagged commit is the officially maintained version. The tag is signed
with my GPG key.  The +fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit
is signed with my GPG key.

If you need help backporting the patch, please contact us directly.
Commit	Line	Data
c3aefacc HSHR	1	To: distros@vs.openwall.org, exim-maintainers@exim.org
	2	From: [ do not use a dmarc protected sender ]
	3
	4	EMBARGO * This information is not public yet.
	5
	6	CVE ID: CVE-2019-15846
	7	Credits: Zerons <sironhide0null@gmail.com>, Qualys
	8	Version(s): all versions up to and including 4.92.1
	9	Issue: The SMTP Delivery process in all versions up to and
	10	including Exim 4.92.1 has a Buffer Overflow. In the default
	11	runtime configuration, this is exploitable with crafted Server
	12	Name Indication (SNI) data during a TLS negotiation. In other
	13	configurations, it is exploitable with a crafted client TLS certificate.
	14	Details: doc/doc-txt/cve-2019-15846 in the downloaded source tree
	15
	16	Contact: security@exim.org
	17
	18	Proposed Timeline
	19	=================
	20
	21	2019-09-03:
	22	- This notice to distros@vs.openwall.org and exim-maintainers@exim.org
	23	- Open limited access to our security Git repo. See below.
	24
	25	2019-09-04:
	26	- Heads-up notice to oss-security@lists.openwall.com,
	27	exim-users@exim.org, and exim-announce@exim.org
	28	about the upcoming security release
	29
	30	2019-09-06 10:00 UTC:
	31	- Coordinated relase date
	32	- Publish the patches in our official and public Git repositories
	33	and the packages on our FTP/HTTP(S) server.
	34
	35	Downloads
	36	=========
	37
	38	The downloads mentioned below are accessible only for a limited set of SSH
	39	keys. At CRD they will be mirrored to the public repositories.
	40	(Note: the repo names changed from the recently used ones.)
	41
	42	For release tarballs (exim-4.92.2):
	43
	44	git clone --depth 1 ssh://git@git.exim.org/exim-packages-security
	45
	46	The package files are signed with my GPG key.
	47
	48	For the full Git repo:
	49
	50	git clone ssh://git@exim.org/exim-security
	51	- tag exim-4.92.2
	52	- branch exim-4.92.2+fixes
	53
	54	The tagged commit is the officially maintained version. The tag is signed
	55	with my GPG key. The +fixes branch isn't officially maintained, but
	56	contains useful patches and the security fix. The relevant commit
	57	is signed with my GPG key.
	58
	59	If you need help backporting the patch, please contact us directly.