Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)
Andreas Metzler via Exim-users (Thu 16 Mar 2023 18:28:49 CET):
> Thanks to all the involved parties for clearing this up (and obviously
> for handling the whole thing in the first place)!

The missing CVE text has been online since yesterday.

https://www.exim.org/static/doc/security/CVE-2021-38371.txt

The website repo https://git.exim.org/exim-website.git

    commit ba0da048589d0c808f3161ea03de19d3bb2adc17
    Author: Heiko Schlittermann (HS12-RIPE)
    Date:   Mon Mar 20 11:14:19 2023 +0100

        chg: add note about CVE-2021-38371 about not being a problem

    commit 2fae8e2e6a9d5606ac7eb7c94003d59756a1281a
    Author: Andrew Aitchison
    Date:   Mon Mar 20 11:13:22 2023 +0100

        add: CVE-2021-38371

--
Heiko

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)
Thanks to all the involved parties for clearing this up (and obviously
for handling the whole thing in the first place)!

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)
Hi Andrew,

Andrew C Aitchison via Exim-users (Wed 15 Mar 2023 21:00:11 CET):
> > > www.exim.org/static/doc/security/CVE-2021-38371.txt

I'll publish your announcement there. Thank you, Andrew, for preparing
it.

*But*, as we do not see this as a practical security issue, we'll place
a notice there:

    "The Exim developers do not consider this CVE as a security problem."

(Suggestions on better wording are welcome.)

Yesterday JGH and I had a short public IRC chat on this.

Best regards from Dresden/Germany
Many greetings from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)
On 15/03/2023 20:00, Andrew C Aitchison via Exim-users wrote:
> When exim acting as a mail client wishes to send a message, a
> Meddler-in-the-Middle (MitM) may respond to the STARTTLS command by
> also sending a response to the *next* command, which exim will
> erroneously treat as a trusted response.

Sigh. Nobody has *ever* shown any way that could have been exploited.

--
Cheers,
Jeremy
Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)
On Wed, 15 Mar 2023, Andreas Metzler wrote:

> On 2022-08-24 17:49, Andrew C Aitchison wrote:
> [...]
> > www.exim.org/static/doc/security/CVE-2021-38371.txt
> > is advertised on a couple of CVE sites but does not exist.
> > Like CVE-2022-37452, CVE-2021-38371 was fixed in 4.95 (the fix in git
> > actually predates the NO STARTTLS announcement).
> > I wrote up some text for it but Jeremy didn't like the tone of it
> > - my page sounded as if we agreed that the bug was a security issue.
> > He clearly did not believe that CVE-2021-38371 is an insecurity;
> > I agree that there is no evidence that it is one, but lack of evidence is
> > not evidence of lack, and the fix has been applied.
> > Like you, I think that we should respond to each CVE, whether they
> > are security issues or not, but Jeremy gave me the impression that
> > he does not.
> > If you are happy to stick to your guns on this one, I will rewrite
> > mine and report it in the bugzilla, which is what Jeremy suggested.
> > Since Jeremy does most of the work on exim I am not keen
> > to make a fuss.
>
> Hello Andrew
>
> the CVE status is still marked as "applies to 4.94.2, might be fixed in
> later versions" in all security trackers. Could you point to the fixing
> GIT commit?

Took a bit of tracking down but here it is:
commit 1b9ab35f323121aabf029f0496c7227818efad14
https://lists.exim.org/lurker/message/20200802.111710.a42f3573.de.html

I have attached the text I wrote for
https://www.exim.org/static/doc/security/CVE-2021-38371.txt
This has the wrong date: when Jeremy wrote the patch, rather than
when it hit the exim git (Aug 2 11:10:35 2020 +0100).

Can you see a way not to say that this is a security issue?

--
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk

CVE ID:     CVE-2021-38371
Date:       2021-08-10
Version(s): up to and including 4.94.2
Reporter:   Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel
Reference:  https://nostarttls.secvuln.info/
Issue:      Possible MitM attack on STARTTLS when exim is *sending* email.

Conditions to be vulnerable
===========================

Versions up to (and including) 4.94.2 are vulnerable when
*sending* emails via a connection encrypted via STARTTLS.

Details
=======

When exim acting as a mail client wishes to send a message,
a Meddler-in-the-Middle (MitM) may respond to the STARTTLS command
by also sending a response to the *next* command, which exim will
erroneously treat as a trusted response.

Source fixed by
https://git.exim.org/exim.git/commit/1b9ab35f323121aabf029f0496c7227818efad14

    commit 1b9ab35f323121aabf029f0496c7227818efad14
    Author: Jeremy Harris
    Date:   Thu Jul 30 20:16:01 2020 +0100

Mitigation
==========

There is - beside updating the server - no known mitigation.

Fix
===

Download and build the fixed version 4.95 or a later version
(4.96 was released in June 2022).
[exim] CVE-2021-38371 (was: CVE-2022-37452)
On 2022-08-24 17:49, Andrew C Aitchison wrote:
[...]
> www.exim.org/static/doc/security/CVE-2021-38371.txt
> is advertised on a couple of CVE sites but does not exist.
> Like CVE-2022-37452, CVE-2021-38371 was fixed in 4.95 (the fix in git
> actually predates the NO STARTTLS announcement).
> I wrote up some text for it but Jeremy didn't like the tone of it
> - my page sounded as if we agreed that the bug was a security issue.
> He clearly did not believe that CVE-2021-38371 is an insecurity;
> I agree that there is no evidence that it is one, but lack of evidence is
> not evidence of lack, and the fix has been applied.
> Like you, I think that we should respond to each CVE, whether they
> are security issues or not, but Jeremy gave me the impression that
> he does not.
> If you are happy to stick to your guns on this one, I will rewrite
> mine and report it in the bugzilla, which is what Jeremy suggested.
> Since Jeremy does most of the work on exim I am not keen
> to make a fuss.

Hello Andrew

the CVE status is still marked as "applies to 4.94.2, might be fixed in
later versions" in all security trackers. Could you point to the fixing
GIT commit?

TIA, cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'