On Fri, Feb 21, 2025 at 10:35:45PM +0100, Heiko Schlittermann wrote: > today, 12:00 UTC we published an Exim security release: exim-4.98.1 > For further details please see > https://exim.org/static/doc/security/CVE-2025-26794.txt
Here's the actual content from the web page above: > # CVE 2025-26794 > > - Sat, 08 Feb 2025 21:14:37 +0100: reported > - by: "Oscar Bataille" <batailleos...@protonmail.com> > - to: secur...@exim.org > - Sun, 9 Feb 2025 00:00:05 +0100: report confirmed > - Tue, 11 Feb 2025 00:23:34 +0100: issue confirmed > - Tue, 11 Feb 2025 00:23:34 +0100: issue confirmed > - Tue, 11 Feb 2025 12:54:10 +0000: CVE ID requested > - Fri, 14 Feb 2025 04:19:13 -0500: CVE ID 2025-26794 received > - Tue, 18 Feb 2025 20:56:25 +0100: sent notification to > <dist...@vs.openwall.org> > - Wed, 19 Feb 2025 23:07:02 +0100: sent notification to > <oss-security@lists.openwall.com>, and <exim-us...@lists.exim.org> > - Wed, 19 Feb 2025 23:07:02 +0100: sent notification to > <oss-security@lists.openwall.com>, and <exim-us...@lists.exim.org> > - Thu, 20 Feb 2025 18:36:34 +0100: sent notification to > <exim-annou...@lists.exim.org> > - Fri, 21 Feb 2025 13:00:00 +0100: published the changes on > https://code.exim.org/exim/exim.git > > > ## Details > > A SQL injection is possible. > > The following conditions have to be met for being vulnerable: > > - Exim Version 4.98 > - Build time option _USE_SQLITE_ is set (it enables the use of SQLite > for the hints databases) -- check the output of `exim -bV`, whether it > contains > ``` > Hints DB: > Using sqlite3 > ``` > - Runtime config enables ETRN (`acl_smtp_etrn` returns _accept_ > (defaults to _deny_)) > - Runtime config enforces ETRN serialization (`smtp_etrn_serialize` is > set to _true_ (defaults to _true_)) > > ## Acknowledgements > > Thanks to Oscar Bataille for discovering and reporting this issue in a > responsible manner. Alexander
