--- /dev/null
+To: distros@vs.openwall.org, exim-maintainers@exim.org
+From: [ do not use a dmarc protected sender ]
+
+** EMBARGO *** This information is not public yet.
+
+CVE ID: CVE-2019-13917
+OVE ID: OVE-20190718-0006
+Date: 2019-07-18
+Credits: Jeremy Harris
+Version(s): 4.85 up to and including 4.92
+Issue: A local or remote attacker can execute programs with root
+ privileges - if you've an unusual configuration. For details
+ see below.
+
+Contact: exim-security@exim.org
+
+Proposed Timeline
+=================
+
+t0: NOW
+ - this notice to distros@vs.openwall.org and exim-maintainers@exim.org
+ - open limited access to our security Git repo. See below.
+
+t0+~4d: Mon Jul 22 10:00:00 UTC 2019
+ - head-up notice to oss-security@lists.openwall.com,
+ exim-users@exim.org, and exim-announce@exim.org
+
+t0+~7d: Thu Jul 25 10:00:00 UTC 2019
+ - Coordinated relase date
+ - publish the patches in our official and public Git repositories
+ and the packages on our FTP server.
+
+Downloads
+=========
+
+For release tarballs (exim-4.92.1):
+
+ git clone --depth 1 ssh://git@exim.org/exim-packages
+
+The package files are signed with my GPG key.
+
+For the full Git repo:
+
+ git clone ssh://git@exim.org/exim
+ - tag exim-4.92.1
+ - branch exim-4.92+fixes
+
+The tagged commit is the officially released version. The tag is signed
+with my GPG key. The +fixes branch isn't officially maintained, but
+contains useful patches *and* the security fix. The relevant commit
+is signed with my GPG key.
+
+If you need help backporting the patch, please contact us directly.
+
+Conditions to be vulnerable
+===========================
+
+If your configuration uses the ${sort } expansion for items that can be
+controlled by an attacker (e.g. $local_part, $domain). The default
+config, as shipped by the Exim developers, does not contain ${sort }.
+
+Details
+=======
+
+The vulnerability is exploitable either remotely or locally and could
+be used to execute other programs with root privilege. The ${sort }
+expansion re-evaluates its items.
+
+Mitigation
+==========
+
+Do not use ${sort } in your configuration.
--- /dev/null
+To: oss-security@lists.openwall.com, exim-users@exim.org,
+ exim-announce@exim.org
+From: [ do not use a dmarc protected sender ]
+
+*** Note: EMBARGO is still in effect until July 25th, 10:00 UTC. ***
+*** Distros must not publish any detail nor release updates yet. ***
+
+CVE ID: CVE-2019-13917
+OVE ID: OVE-20190718-0006
+Date: 2019-07-18
+Credits: Jeremy Harris
+Version(s): 4.85 up to and including 4.92
+Issue: A local or remote attacker can execute programs with root
+ privileges - if you've an unusual configuration. For details
+ see below.
+
+Coordinated Release Date (CRD) for Exim 4.92.1:
+ Thu Jul 25 10:00:00 UTC 2019
+
+Contact: exim-security@exim.org
+
+This is a *heads-up* notice about the upcoming release.
+You may plan your availability and schedule an update of the Exim
+packages supplied by your distribution or build the new release from the
+source, once the release goes public on CRD.
+
+Details
+=======
+
+We discovered a vulnerability. We consider the risk of an exploit as
+low, you need to have a fairly unusual runtime configuration. Neither
+our default runtime configuration nor the runtime configuration shipped
+by the Debian distribution is vulnerable.
+
+The vulnerability is exploitable either remotely or locally and could
+be used to execute other programs with root privilege.
+
+More details and fixes are not yet public, but will be made public on
+CRD, July 25th.
+
+Timeline
+========
+
+t0: Thu Jul 18 2019
+ - this notice to distros@vs.openwall.org and exim-maintainers@exim.org
+ - open limited access to our security Git repo. See below.
+
+t0+~4d: Mon Jul 22 10:00:00 UTC 2019 [NOW]
+ - heads-up notice to oss-security@lists.openwall.com,
+ exim-users@exim.org, and exim-announce@exim.org
+
+t0+~7d: Thu Jul 25 10:00:00 UTC 2019
+ - Coordinated relase date
+ - publish the patches in our official and public Git repositories
+ and the packages on our FTP server.
+
+Downloads available starting at CRD
+====================================
+
+For release tarballs (exim-4.92.1):
+
+ http://ftp.exim.org/pub/exim/exim4/
+
+The package files are signed with my GPG key.
+
+For the full Git repo:
+
+ https://git.exim.org/exim.git
+ https://github.com/Exim/exim [mirror of the above]
+ - tag exim-4.92.1
+ - branch exim-4.92.1+fixes
+
+The tagged commit is the officially released version. The tag is signed
+with my GPG key. The +fixes branch isn't officially maintained, but
+contains useful patches *and* the security fix. The relevant commit is
+signed with my GPG key. The old exim-4.92+fixes branch is being functionally
+replaced by the new exim-4.92.1+fixes branch.
--- /dev/null
+To: exim-users@exim.org, exim-announce@exim.org, exim-maintainers@exim.org
+From: [ do not use a dmarc protected sender ]
+
+CVE ID: CVE-2019-13917
+OVE ID: OVE-20190718-0006
+Date: 2019-07-18
+Credits: Jeremy Harris
+Version(s): 4.85 up to and including 4.92
+Issue: A local or remote attacker can execute programs with root
+ privileges - if you've an unusual configuration. For details
+ see below.
+
+Coordinated Release Date (CRD) for Exim 4.92.1:
+ Thu Jul 25 10:00:00 UTC 2019
+
+Contact: exim-security@exim.org
+
+We released Exim 4.92.1. This is a security update based on 4.92.
+
+Conditions to be vulnerable
+===========================
+
+If your configuration uses the ${sort } expansion for items that can be
+controlled by an attacker (e.g. $local_part, $domain). The default
+config, as shipped by the Exim developers, does not contain ${sort }.
+
+Details
+=======
+
+The vulnerability is exploitable either remotely or locally and could
+be used to execute other programs with root privilege. The ${sort }
+expansion re-evaluates its items.
+
+Mitigation
+==========
+
+Do not use ${sort } in your configuration.
+
+Fix
+===
+
+Install a fixed package supplied by your distribution.
+or download and build a fixed version:
+
+For release tarballs (exim-4.92.1):
+
+ http://ftp.exim.org/pub/exim/exim4/
+
+The package files are signed with a key from the developers
+key set: https://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc
+
+For the full Git repo:
+
+ https://git.exim.org/exim.git
+ https://github.com/Exim/exim [mirror of the above]
+ - tag exim-4.92.1
+ - branch exim-4.92.1+fixes
+
+The tagged commit is the officially released version. The tag is signed
+with a key from the developers keyset. The +fixes branch isn't
+officially maintained, but contains the security fix *and* useful
+patches. The relevant commit is signed with a key from the developers
+keyset. The old exim-4.92+fixes branch is being functionally replaced by
+the new exim-4.92.1+fixes branch.
+
+If you can't install the above versions, ask your package maintainer for
+a version containing the backported fix. On request and depending on our
+resources we will support you in backporting the fix. (Please note,
+that Exim project officially doesn't support versions prior the current
+stable version.)
+
+Timeline
+========
+
+t0: Thu Jul 18 2019
+ - this notice to distros@vs.openwall.org and exim-maintainers@exim.org
+ - open limited access to our security Git repo. See below.
+
+t0+~4d: Mon Jul 22 10:00:00 UTC 2019 [NOW]
+ - heads-up notice to oss-security@lists.openwall.com,
+ exim-users@exim.org, and exim-announce@exim.org
+
+t0+~7d: Thu Jul 25 10:00:00 UTC 2019 [NOW]
+ - Coordinated relase date
+ - publish the patches in our official and public Git repositories
+ and the packages on our FTP server.
projects / exim.git / commitdiff