Andreas Metzler via Exim-users (Thu 16 Mar 2023 18:28:49 CET):
> Thanks to all the involved parties for clearing this up (and obviously
> for handling the whole thing in the first place)!
The missing CVE text has been online since yesterday.
https://www.exim.org/static/doc/security/CVE-2021-38
Thanks to all the involved parties for clearing this up (and obviously
for handling the whole thing in the first place)!
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Hi Andrew,
Andrew C Aitchison via Exim-users (Wed 15 Mar 2023 21:00:11 CET):
> > > www.exim.org/static/doc/security/CVE-2021-38371.txt
I'll publish your announcement there. Thank you, Andrew, for
preparing it. *But*, as we do not see this as a practical security
issue, we'll place a notice there:
On 15/03/2023 20:00, Andrew C Aitchison via Exim-users wrote:
> When exim acting as a mail client wishes to send a message,
> a Meddler-in-the-Middle (MitM) may respond to the STARTTLS command
> by also sending a response to the *next* command, which exim will
> erroneously treat as a trusted response
On Wed, 15 Mar 2023, Andreas Metzler wrote:
On 2022-08-24 17:49, Andrew C Aitchison wrote:
[...]
www.exim.org/static/doc/security/CVE-2021-38371.txt
is advertised on a couple of CVE sites but does not exist.
Like CVE-2022-37452, CVE-2021-38371 was fixed in 4.95 (the fix in git
actually predates
On 2022-08-24 17:49, Andrew C Aitchison wrote:
[...]
> www.exim.org/static/doc/security/CVE-2021-38371.txt
> is advertised on a couple of CVE sites but does not exist.
> Like CVE-2022-37452, CVE-2021-38371 was fixed in 4.95 (the fix in git
> actually predates the NO STARTTLS announcement).
> I wr