[Git][security-tracker-team/security-tracker][master] 4 commits: Reference upstream fixes for exim4

[Salvatore Bonaccorso (@carnil)]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b174717 by Salvatore Bonaccorso at 2023-10-03T04:25:32+02:00
Reference upstream fixes for exim4

- - - - -
60dc8ac1 by Salvatore Bonaccorso at 2023-10-03T04:26:14+02:00
Track fixed version for three exim4 issues

- - - - -
dc6cf70a by Salvatore Bonaccorso at 2023-10-03T04:26:18+02:00
Add references to exim4 upstream details

- - - - -
87aac031 by Salvatore Bonaccorso at 2023-10-03T04:26:18+02:00
Reserve DSA number for exim4 update

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -510,12 +510,14 @@ CVE-2023-42119 [Exim dnsdb Out-Of-Bounds Read Information 
Disclosure Vulnerabili
        NOTE: https://bugs.exim.org/show_bug.cgi?id=3033
        NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
        NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
+       NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023-42118 [Exim libspf2 Integer Underflow Remote Code Execution 
Vulnerability]
        - exim4 <unfixed>
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
        NOTE: https://bugs.exim.org/show_bug.cgi?id=3032
        NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
        NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
+       NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
        NOTE: From upstream: Issue is debatable for Exim4 and should be filled 
against libspf2.
 CVE-2023-42117 [Exim Improper Neutralization of Special Elements Remote Code 
Execution Vulnerability]
        - exim4 <unfixed>
@@ -526,25 +528,32 @@ CVE-2023-42117 [Exim Improper Neutralization of Special 
Elements Remote Code Exe
        NOTE: https://bugs.exim.org/show_bug.cgi?id=3031
        NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
        NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
+       NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023-42116 [Exim SMTP Challenge Stack-based Buffer Overflow Remote Code 
Execution Vulnerability]
-       - exim4 <unfixed>
+       - exim4 4.97~RC1-2
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1470/
        NOTE: https://bugs.exim.org/show_bug.cgi?id=3000
+       NOTE: 
https://git.exim.org/exim.git/log/refs/heads/exim-4.96%20security/exim.git/commit/936e342d560e218c2aee5cb2295be925c27c2106
        NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
        NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
+       NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023-42115 [Exim AUTH Out-Of-Bounds Write Remote Code Execution 
Vulnerability]
-       - exim4 <unfixed>
+       - exim4 4.97~RC1-2
        [buster] - exim4 <not-affected> (External authenticator support was 
introduced later)
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1469/
        NOTE: https://bugs.exim.org/show_bug.cgi?id=2999
+       NOTE: 
https://git.exim.org/exim.git/log/refs/heads/exim-4.96%20security/exim.git/commit/955f1203c15be96fa84b5331fa2a5cb2e556b9a9
        NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
        NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
+       NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023-42114 [Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure 
Vulnerability]
-       - exim4 <unfixed>
+       - exim4 4.97~RC1-2
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1468/
        NOTE: https://bugs.exim.org/show_bug.cgi?id=3001
+       NOTE: 
https://git.exim.org/exim.git/log/refs/heads/exim-4.96%20security/exim.git/commit/ccf9816f54fb04ab5508eb8c7f00b08bc3531297
        NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
        NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
+       NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023-40476 [Integer overflow in H.265 video parser leading to stack 
overwrite]
        - gst-plugins-bad1.0 <unfixed> (bug #1053259)
        - gst-plugins-bad0.10 <removed>


=====================================
data/DSA/list
=====================================
@@ -1,3 +1,7 @@
+[02 Oct 2023] DSA-5512-1 exim4 - security update
+       {CVE-2023-42114 CVE-2023-42115 CVE-2023-42116}
+       [bullseye] - exim4 4.94.2-7+deb11u1
+       [bookworm] - exim4 4.96-15+deb12u2
 [01 Oct 2023] DSA-5511-1 mosquitto - security update
        {CVE-2021-34434 CVE-2023-0809 CVE-2023-3592 CVE-2023-28366}
        [bullseye] - mosquitto 2.0.11-1+deb11u1


=====================================
data/dsa-needed.txt
=====================================
@@ -19,8 +19,6 @@ cacti
 --
 cinder/oldstable
 --
-exim4 (carnil)
---
 gpac/oldstable (jmm)
 --
 gst-plugins-bad1.0 (carnil)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9b9ab4e5e605c4e60feb8dc63dbc1680e1d58e5f...87aac03100b71174e950aa831d1428c9c220f85b

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9b9ab4e5e605c4e60feb8dc63dbc1680e1d58e5f...87aac03100b71174e950aa831d1428c9c220f85b
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits