Re: [exim] CVE-2018-6789 Exim 4.90 and earlier: buffer overflow
Heiko Schlittermann(Mi 07 Feb 2018 11:39:43 CET): > CVE-2018-6789 Exim 4.90 and earlier > === …. > Next steps: > > * t0: Distros will get access to our "security" non-public git repo > (based on the SSH keys known to us) > * t0 +7d: Patch will be published on the official public git repo t0 was 2018-02-08 17:00 UTC We need to cut the time for the distros and we'll release the patch to the public today. 2018-02-10 18:00 UTC Sorry for the inconvenience, thank you for understanding and for using Exim. Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 - signature.asc Description: PGP signature -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] CVE-2018-6789 Exim 4.90 and earlier: buffer overflow
Heiko Schlittermann(Mi 07 Feb 2018 11:39:43 CET): > CVE-2018-6789 Exim 4.90 and earlier > === > > There is a buffer overflow in an utility function, if some pre-conditions > are met. Using a handcrafted message, remote code execution seems to be > possible. > > A patch exists already and is being tested. > > Currently we're unsure about the severity, we *believe*, an exploit > is difficult. A mitigation isn't known. > > Next steps: > > * t0: Distros will get access to our "security" non-public git repo > (based on the SSH keys known to us) > * t0 +7d: Patch will be published on the official public git repo > > t0 will be around 2018-02-08. t0 is now. Distro maintainers please use the following repos URLs: The full git repo: ssh://g...@exim.org/exim.git tag: exim-4_90_1 The tarballs git repo: ssh://g...@exim.org/exim-packages.git tag: exim-4_90_1 The tags are signed with my key¹, as are the tarballs and my own commits. ¹) If you get a warning about my key being expired, please refresh it from the keyservers or from https://ssl.schlittermann.de/keys/gpg/h...@schlittermann.de/F69376CE.asc Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 - signature.asc Description: PGP signature -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
[exim] CVE-2018-6789 Exim 4.90 and earlier: buffer overflow
CVE-2018-6789 Exim 4.90 and earlier === There is a buffer overflow in an utility function, if some pre-conditions are met. Using a handcrafted message, remote code execution seems to be possible. A patch exists already and is being tested. Currently we're unsure about the severity, we *believe*, an exploit is difficult. A mitigation isn't known. Next steps: * t0: Distros will get access to our "security" non-public git repo (based on the SSH keys known to us) * t0 +7d: Patch will be published on the official public git repo t0 will be around 2018-02-08. Timeline * 2018-02-05 Report from Meh Changvia exim-security mailing list * 2018-02-06 Request CVE on https://cveform.mitre.org/ (heiko) CVE-2018-6789 * 2018-02-07 Announcement to the public via exim-users, exim-maintainers mailing lists and on oss-security mailing list Updates will follow. Here and on https://exim.org/security/CVE-2018-6789.txt (Link will start to exist around 11.00 UTC). Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 - signature.asc Description: PGP signature -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/