Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)

2023-03-21 Thread Heiko Schlittermann via Exim-users
Andreas Metzler via Exim-users (Thu 16 Mar 2023 18:28:49 CET):
> Thanks to all the involved parties for clearing this up (and obviously
> for handling the whole thing in the first place)!

The missing CVE text is online since yesterday.

https://www.exim.org/static/doc/security/CVE-2021-38371.txt

The website repo https://git.exim.org/exim-website.git

commit ba0da048589d0c808f3161ea03de19d3bb2adc17
Author: Heiko Schlittermann (HS12-RIPE) 
Date:   Mon Mar 20 11:14:19 2023 +0100

chg: add note about CVE-2021-38371 about not being a problem

commit 2fae8e2e6a9d5606ac7eb7c94003d59756a1281a
Author: Andrew Aitchison 
Date:   Mon Mar 20 11:13:22 2023 +0100

add: CVE-2021-38371



-- 
Heiko


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)

2023-03-16 Thread Andreas Metzler via Exim-users
Thanks to all the involved parties for clearing this up (and obviously
for handling the whole thing in the first place)!

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)

2023-03-16 Thread Heiko Schlittermann via Exim-users
Hi Andrew,
Andrew C Aitchison via Exim-users (Wed 15 Mar 2023 21:00:11 CET):
> > > www.exim.org/static/doc/security/CVE-2021-38371.txt

I'll publish your announcement there. Thank you, Andrew, for
preparing it. *But*, as we do not see this as a practical security
issue, we'll place a notice there: "The Exim developers do not consider
this CVE as a security problem." (Suggestions on better wording are
welcome.)

Yesterday JGH and I had a short public IRC chat on this.

Best regards from Dresden/Germany
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)

2023-03-15 Thread Jeremy Harris via Exim-users

On 15/03/2023 20:00, Andrew C Aitchison via Exim-users wrote:

> When exim acting as a mail client wishes to send a message,
> a Meddler-in-the-Middle (MitM) may respond to the STARTTLS command
> by also sending a response to the *next* command, which exim will
> erroneously treat as a trusted response.

Sigh.  Nobody has *ever* shown any way that could have been exploited.
-- 
Cheers,

  Jeremy




Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)

2023-03-15 Thread Andrew C Aitchison via Exim-users

On Wed, 15 Mar 2023, Andreas Metzler wrote:

> On 2022-08-24 17:49, Andrew C Aitchison wrote:
> [...]
>> www.exim.org/static/doc/security/CVE-2021-38371.txt
>> is advertised on a couple of CVE sites but does not exist.
>> Like CVE-2022-37452, CVE-2021-38371 was fixed in 4.95 (the fix in git
>> actually predates the NO STARTTLS announcement).
>>
>> I wrote up some text for it but Jeremy didn't like the tone of it
>> - my page sounded as if we agreed that the bug was a security issue.
>> He clearly did not believe that CVE-2021-38371 is an insecurity;
>> I agree that there is no evidence that it is one, but lack of evidence is
>> not evidence of lack, and the fix has been applied.
>>
>> Like you, I think that we should respond to each CVE, whether they
>> are security issues or not, but Jeremy gave me the impression that
>> he does not.
>>
>> If you are happy to stick to your guns on this one, I will rewrite
>> mine and report it in the bugzilla, which is what Jeremy suggested.
>>
>> Since Jeremy does most of the work on exim I am not keen
>> to make a fuss.
>
> Hello Andrew
>
> the CVE status is still marked as "applies to 4.94.2, might be fixed in
> later versions" in all security trackers. Could you point to the fixing
> GIT commit?


Took a bit of tracking down but here it is:

commit 1b9ab35f323121aabf029f0496c7227818efad14

https://lists.exim.org/lurker/message/20200802.111710.a42f3573.de.html

I have attached the text I wrote for
  https://www.exim.org/static/doc/security/CVE-2021-38371.txt
This has the wrong date: when Jeremy wrote the patch, rather than when 
it hit the exim git (Aug 2 11:10:35 2020 +0100).


Can you see a way not to say that this is a security issue?

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk

CVE ID: CVE-2021-38371
Date:   2021-08-10
Version(s): up to and including 4.94.2
Reporter:   Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel
Reference:  https://nostarttls.secvuln.info/
Issue:  Possible MitM attack on STARTTLS when exim is *sending* email.


Conditions to be vulnerable
===

Versions up to (and including) 4.94.2 are vulnerable when
*sending* emails via a connection encrypted via STARTTLS.
 

Details
===

When exim acting as a mail client wishes to send a message,
a Meddler-in-the-Middle (MitM) may respond to the STARTTLS command
by also sending a response to the *next* command, which exim will
erroneously treat as a trusted response.

Source fixed by
https://git.exim.org/exim.git/commit/1b9ab35f323121aabf029f0496c7227818efad14
commit 1b9ab35f323121aabf029f0496c7227818efad14
Author: Jeremy Harris
Date:   Thu Jul 30 20:16:01 2020 +0100

Mitigation
==

There is - beside updating the server - no known mitigation.

Fix
===

Download and build the fixed version 4.95 or a later version
(4.96 was released in June 2022).
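The client-side response injection described in the attached advisory, as an added example that is not exim's code and is not the fix in commit 1b9ab35f: a small Python model of an SMTP client's buffered receive path. A constructed meddler-in-the-middle answers STARTTLS with the 220 line and, in the same plaintext segment, a ready-made reply to the EHLO the client will send after the handshake. The vulnerable client keeps those bytes in its buffer across the TLS upgrade and hands them out as the server's EHLO reply; the hardened variant refuses to continue if anything is still queued after the 220. The transport class, host names and reply lines are all constructed for this example; whether exim's actual fix takes exactly this shape is not established by the thread.

```python
# Added example, not exim code: model of client-side STARTTLS response
# injection (a MitM pre-answers the command that follows STARTTLS).
import io


class StarttlsInjection(Exception):
    """Raised by the hardened client when plaintext is queued after the 220."""


class MitmTransport:
    """Stand-in for the TCP connection as the client sees it.

    Before starttls() every recv() returns attacker-controlled plaintext;
    after it, what the genuine server sends inside the TLS session.
    Both byte strings are constructed sample data.
    """

    def __init__(self, plaintext: bytes, inside_tls: bytes):
        self._plain = io.BytesIO(plaintext)
        self._tls = io.BytesIO(inside_tls)
        self.tls_active = False

    def recv(self, n: int) -> bytes:
        src = self._tls if self.tls_active else self._plain
        return src.read(n)

    def send(self, data: bytes) -> None:
        pass  # the client's commands do not matter for this model

    def starttls(self) -> None:
        self.tls_active = True  # stands in for the TLS handshake


class SmtpClient:
    """Buffered line reader modelling an SMTP client's receive path."""

    def __init__(self, transport: MitmTransport, check_pending: bool):
        self.t = transport
        self.buf = b""                      # bytes received but not yet consumed
        self.check_pending = check_pending  # True = hardened behaviour

    def _readline(self) -> str:
        while b"\r\n" not in self.buf:
            chunk = self.t.recv(4096)
            if not chunk:
                raise EOFError("connection closed")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line.decode("ascii", "replace")

    def read_reply(self) -> list:
        """Read one SMTP reply, following "250-" continuation lines."""
        lines = []
        while True:
            line = self._readline()
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return lines

    def starttls(self) -> None:
        self.t.send(b"STARTTLS\r\n")
        reply = self.read_reply()
        if not reply[0].startswith("220"):
            raise RuntimeError("STARTTLS refused: " + reply[0])
        # The bug: anything that arrived in plaintext together with the 220
        # is still in self.buf, and the next read_reply() after the
        # handshake would return it as if it had come over TLS.
        if self.check_pending and self.buf:
            raise StarttlsInjection("plaintext data queued after STARTTLS 220")
        self.t.starttls()


def run_client(check_pending: bool, inject: bool = True) -> dict:
    """Drive the client through STARTTLS and the post-handshake EHLO.

    Returns whether the hardened check aborted, and the lines the client
    ended up treating as the server's EHLO reply.
    """
    injected = b"250-mx.example.test Hello\r\n250 AUTH PLAIN LOGIN\r\n" if inject else b""
    plaintext = b"220 2.0.0 Ready to start TLS\r\n" + injected
    genuine = b"250-mx.example.test Hello\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"
    client = SmtpClient(MitmTransport(plaintext, genuine), check_pending)
    try:
        client.starttls()
    except StarttlsInjection:
        return {"aborted": True, "ehlo_reply": []}
    client.t.send(b"EHLO client.example.test\r\n")
    return {"aborted": False, "ehlo_reply": client.read_reply()}


if __name__ == "__main__":
    print("vulnerable: ", run_client(check_pending=False))
    print("hardened:   ", run_client(check_pending=True))
    print("honest peer:", run_client(check_pending=True, inject=False))
```

Running the file prints the three outcomes: the vulnerable client never reads the genuine TLS-protected reply at all, the hardened one aborts, and against an honest server the check costs nothing. The check belongs before the handshake: any byte still buffered after the 220 line is by definition plaintext, and a session that already shows active manipulation is better dropped than repaired by discarding the bytes.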


[exim] CVE-2021-38371 (was: CVE-2022-37452)

2023-03-15 Thread Andreas Metzler via Exim-users
On 2022-08-24 17:49, Andrew C Aitchison wrote:
[...]
> www.exim.org/static/doc/security/CVE-2021-38371.txt
> is advertised on a couple of CVE sites but does not exist.
> Like CVE-2022-37452, CVE-2021-38371 was fixed in 4.95 (the fix in git 
> actually predates the NO STARTTLS announcement).

> I wrote up some text for it but Jeremy didn't like the tone of it
> - my page sounded as if we agreed that the bug was a security issue.
> He clearly did not believe that CVE-2021-38371 is an insecurity;
> I agree that there is no evidence that it is one, but lack of evidence is 
> not evidence of lack, and the fix has been applied.

> Like you, I think that we should respond to each CVE, whether they
> are security issues or not, but Jeremy gave me the impression that
> he does not.

> If you are happy to stick to your guns on this one, I will rewrite
> mine and report it in the bugzilla, which is what Jeremy suggested.

> Since Jeremy does most of the work on exim I am not keen
> to make a fuss.

Hello Andrew

the CVE status is still marked as "applies to 4.94.2, might be fixed in
later versions" in all security trackers. Could you point to the fixing
GIT commit?

TIA, cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

