Hi Andreas,

On Sat, Dec 30, 2023 at 03:40:42PM +0100, Andreas Metzler wrote:
> On 2023-12-24 Salvatore Bonaccorso <car...@debian.org> wrote:
> > Source: exim4
> > Version: 4.97-2
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://bugs.exim.org/show_bug.cgi?id=3063
> [...]
> > The following vulnerability was published for exim4.
> >
> > CVE-2023-51766[0]:
> > | Exim through 4.97 allows SMTP smuggling in certain configurations.
> > | Remote attackers can use a published exploitation technique to
> > | inject e-mail messages that appear to originate from the Exim
> > | server, allowing bypass of an SPF protection mechanism. This occurs
> > | because Exim supports <LF>.<CR><LF> but some other popular e-mail
> > | servers do not.
>
> Hello Salvatore,
>
> are you going to release a DSA (I can start preparing one) or should I
> aim for another stable update?
We certainly can do. We have not fully evaluated yet, but it can be sensible that we do release via a DSA. For postfix there were enough mitigation options to do, so that it was good enough to schedule the update via a point release (and fasttrack still through a SUA, given the update was a bugfix release rebase).

How is the situation for exim4? Are there similar workarounds which can be put in place, e.g. like the postfix forbid_unauth_pipelining option? If there is no such way for exim4 then this lowers the bar for releasing exim4 through a DSA.

If so, will you work as well on the bullseye-security update?

Thanks as usual for your diligent work!

Regards,
Salvatore
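As an added illustration (not part of this thread, nor Exim's or Debian's code) of the interoperability mismatch the CVE text describes: RFC 5321 ends the DATA phase only at <CRLF>.<CRLF>, while a lenient receiver that also honours <LF>.<CR><LF> ends the message earlier than a strict peer would. The scanner below is a hypothetical receiver-side check that finds the strict terminator and flags any non-standard "." line that precedes it, so a defender can reject such a message instead of relaying it; the sample message is constructed.

```python
"""Strict vs. lenient end-of-DATA detection (hypothetical hardening check)."""
import re
from dataclasses import dataclass, field

# One line of a DATA stream: its text plus whichever line ending follows it.
# A trailing fragment with no line ending is not a complete line and is ignored.
LINE = re.compile(rb"([^\r\n]*)(\r\n|\n|\r)")


@dataclass
class DataScan:
    strict_end: int = -1   # offset of the "." line that ends DATA per RFC 5321, -1 if absent
    lenient_candidates: list = field(default_factory=list)  # (offset, eol_before, eol_after)


def scan_data(stream: bytes) -> DataScan:
    """Walk the DATA stream line by line.

    A line that is exactly "." terminates the message only when the line ending
    before it and the one after it are both CRLF. Any other "." line, such as
    <LF>.<CR><LF>, is recorded as a lenient candidate: a receiver that accepts it
    would cut the message there, while a strict receiver keeps reading.
    Scanning stops at the first strict terminator.
    """
    result = DataScan()
    prev_eol = b"\r\n"  # the DATA command's own CRLF precedes the first body line
    for m in LINE.finditer(stream):
        text, eol = m.group(1), m.group(2)
        if text == b".":
            if prev_eol == b"\r\n" and eol == b"\r\n":
                result.strict_end = m.start()
                return result
            result.lenient_candidates.append((m.start(), prev_eol, eol))
        prev_eol = eol
    return result


def is_safe_to_relay(stream: bytes) -> bool:
    """Policy: accept DATA only if the strict terminator exists and no
    non-standard terminator candidate appears before it."""
    scan = scan_data(stream)
    return scan.strict_end >= 0 and not scan.lenient_candidates


# Constructed sample: a bare-LF dot sequence appears before the real terminator.
SAMPLE = b"Subject: test\r\n\r\nbody text\n.\r\nmore text\r\n.\r\n"

if __name__ == "__main__":
    scan = scan_data(SAMPLE)
    print("strict end at", scan.strict_end, "candidates:", scan.lenient_candidates)
    print("safe to relay:", is_safe_to_relay(SAMPLE))
```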