On Sun, 15 Oct 2023, Cyborg via Exim-users wrote:

On 15.10.23 at 18:17, Heiko Schlittermann via Exim-users wrote:
- The remaining issue with `libspf2`, raised as CVE against Exim, can't
   be addressed by us, as it seems to happen inside the library's code.
   Library fixes are available.

Hi,

AFAIK that has already been addressed (at least for Fedora) in the libspf package:

* Mon Oct 02 2023 XXXXXXXXXXXXXXXX - 1.2.11-10.20210922git4915c308 - CVE-2023-42118

But I would imagine any distro will have it by now.

Sadly no. Ubuntu 23-10/mantic (released last week) still has:
      libspf2 (1.2.10-7.2build1) lunar; urgency=medium
              Fri, 04 Nov 2022 16:45:25 +0100
Debian is similar.

It seems that libspf2 has been updated to fix a security issue,
but no one is sure whether it is the same bug as ZDI reported in the CVE,
since they gave no details ...

--
Andrew C. Aitchison                      Kendal, UK
                   [email protected]
