string.c: do not interpret '\\' before '\0' (CVE-2019-15846)

[exim.git] / doc / doc-txt / cve-2019-15846 / posting-1.txt

To: oss-security@lists.openwall.com, exim-users@exim.org,
    exim-announce@exim.org
From: [ do not use a dmarc protected sender ]

*** Note: EMBARGO is still in effect        ***
*** Distros must not publish any detail yet ***

Head up! Security release ahead!

CVE ID:     CVE-2019-15846
Version(s): up to and including 4.92.1
Issue:      A local or remote attacker can execute programs with root
            privileges.
Details:    Will be made public at CRD.

Coordinated Release Date (CRD) for Exim 4.92.2: 2019-09-06 10:00 UTC

Contact:    security@exim.org

Proposed Timeline
=================

2019-09-03:
    - initial notification to distros@openwall.org and
      exim-maintainers@exim.org

2019-09-04: <-- NOW
    - This Heads-up notice to oss-security@lists.openwall.com,
      exim-users@exim.org, and exim-announce@exim.org

2019-09-06 10:00 UTC:
    - Coordinated relase date
    - Publish the patches in our official and public Git repositories
      and the packages on our FTP server.

Downloads available starting at CRD
====================================

The downloads are not yet available. They will be made available
at the above mentioned CRD.

Release tarballs (exim-4.92.2):

    https://ftp.exim.org/pub/exim/exim4/

The package files are signed with my GPG key.

The full Git repo:

    https://git.exim.org/exim.git
    https://github.com/Exim/exim    [mirror of the above]
    - tag    exim-4.92.2
    - branch exim-4.92.2+fixes

The tagged commit is the officially released version. The tag is signed
with my GPG key.  The +fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit is
signed with my GPG key. The old exim-4.92.1+fixes branch is being functionally
replaced by the new exim-4.92.2+fixes branch.