To: distros@vs.openwall.org, exim-maintainers@exim.org
From: [ do not use a dmarc protected sender ]

*** EMBARGO *** This information is not public yet.

CVE ID: CVE-2019-15846
Credits: Zerons, Qualys
Version(s): all versions up to and including 4.92.1
Issue: The SMTP Delivery process in all versions up to and including Exim 4.92.1 has a Buffer Overflow. In the default runtime configuration, this is exploitable with crafted Server Name Indication (SNI) data during a TLS negotiation. In other configurations, it is exploitable with a crafted client TLS certificate.
Details: doc/doc-txt/cve-2019-15846 in the downloaded source tree
Contact: security@exim.org

Proposed Timeline
=================

2019-09-03:
- This notice to distros@vs.openwall.org and exim-maintainers@exim.org
- Open limited access to our security Git repo. See below.

2019-09-04:
- Heads-up notice to oss-security@lists.openwall.com, exim-users@exim.org, and exim-announce@exim.org about the upcoming security release

2019-09-06 10:00 UTC:
- Coordinated release date
- Publish the patches in our official and public Git repositories and the packages on our FTP/HTTP(S) server.

Downloads
=========

The downloads mentioned below are accessible only for a limited set of SSH keys. At CRD they will be mirrored to the public repositories. (Note: the repo names changed from the recently used ones.)

For release tarballs (exim-4.92.2):

    git clone --depth 1 ssh://git@git.exim.org/exim-packages-security

The package files are signed with my GPG key.

For the full Git repo:

    git clone ssh://git@exim.org/exim-security

- tag exim-4.92.2
- branch exim-4.92.2+fixes

The tagged commit is the officially maintained version. The tag is signed with my GPG key. The +fixes branch isn't officially maintained, but contains useful patches *and* the security fix. The relevant commit is signed with my GPG key.

If you need help backporting the patch, please contact us directly.
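A check for the signed tag and signed +fixes commit described above, as an added example that is not part of the advisory or of Exim's own tooling. It assumes git and gpg are installed and the maintainer's key is already imported; the key fingerprint is a placeholder to be obtained out of band, and the repository name, tag and branch are those given in the mail.

```shell
#!/bin/sh
# Added example, not Exim project code: refuse to build from the security
# repo unless the release tag and the head of the +fixes branch both carry a
# valid signature from the expected maintainer key.
# MAINTAINER_FPR is a placeholder; get the real fingerprint out of band.
MAINTAINER_FPR="${MAINTAINER_FPR:-<maintainer-key-fingerprint-placeholder>}"

# verify_exim_refs REPO_DIR TAG BRANCH
# Returns 0 only if TAG is a validly signed tag and BRANCH's head is a validly
# signed commit, each made by MAINTAINER_FPR (gpg reports this as a VALIDSIG
# status line; the fingerprint may appear as signing subkey or primary key).
# A missing, bad or differently-keyed signature returns 1.
verify_exim_refs() {
    repo="$1"; tag="$2"; branch="$3"
    if ! git -C "$repo" verify-tag --raw "$tag" 2>&1 \
            | grep -q "\[GNUPG:\] VALIDSIG .*$MAINTAINER_FPR"; then
        echo "refusing: tag $tag is not validly signed by $MAINTAINER_FPR" >&2
        return 1
    fi
    if ! git -C "$repo" verify-commit --raw "$branch" 2>&1 \
            | grep -q "\[GNUPG:\] VALIDSIG .*$MAINTAINER_FPR"; then
        echo "refusing: head of $branch is not validly signed by $MAINTAINER_FPR" >&2
        return 1
    fi
    return 0
}

# Usage against the repo named in the advisory (network access required):
#   git clone ssh://git@exim.org/exim-security
#   verify_exim_refs exim-security exim-4.92.2 exim-4.92.2+fixes \
#       && echo "signatures OK, safe to build"
```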