
CVE-2019-15846: Exim – remote attacker can execute programs with root privileges, Hacker News


Author: Heiko Schlittermann
Date:
To: oss-security, Exim Users, Exim Announce
Subject: Re: [exim] CVE-2019-15846: Exim – local or remote attacker can execute programs with root privileges.

CVE ID: CVE-2019-15846

Credits: Zerons, Qualys
Version(s): all versions up to and including 4.92.1
Issue: The SMTP Delivery process in all¹ versions up to and including Exim 4.92.1 has a Buffer Overflow. In the default runtime configuration, this is exploitable with crafted Server Name Indication (SNI) data during a TLS negotiation. In other configurations, it is exploitable with a crafted client TLS certificate.
Details: doc/doc-txt/cve-2019-15846 in the downloaded source tree
Coordinated Release Date (CRD) for Exim 4.92.2: 2019-09-06 10: (UTC)
Contact: security @ ???

We released Exim 4.92.2. This is a security update based on 4.92.1.

Mitigation
==========

Do not offer TLS for incoming connections (tls_advertise_hosts).
This mitigation is *not* recommended!

Downloads
=========

Starting at CRD the downloads will be available from the following
sources:

Release tarballs (exim-4.92.2):

    https://ftp.exim.org/pub/exim/exim4/

The package files are signed with my GPG key.

The full Git repo:

    https://git.exim.org/exim.git
    https://github.com/Exim/exim  [mirror of the above]
    - tag exim-4.92
    - branch exim-4.92.2 fixes

The tagged commit is the officially released version. The tag is signed
with my GPG key. The fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit is
signed with my GPG key. The old exim-4.92.1 fixes branch is being functionally
replaced by the new exim-4.92.2 fixes branch.

¹) We have indications that only versions starting with 4.80 up to and
including 4.92.1 are affected.

    Best regards from Dresden / Germany
    Kind regards from Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon, fax}: (***) 802998 {1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
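As an added example that is not part of the advisory above, the following POSIX shell check parses the first line of `exim -bV` output and tests the version against the affected range stated in the footnote, 4.80 through 4.92.1 inclusive. The sample `exim -bV` output is constructed, and the check assumes that a version with no patch level (such as 4.92) counts as patch level 0.

```shell
#!/bin/sh
# Added example: classify an Exim version against the affected range
# from the advisory footnote (4.80 .. 4.92.1, inclusive).
# Assumption: a version without a patch level (e.g. "4.92") is treated as patch 0.

# Map "major.minor.patch" to an integer so versions compare numerically.
version_key() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit 0 when the version is in the affected range, 1 when outside, 2 when empty.
exim_affected() {
    [ -n "$1" ] || return 2
    key=$(version_key "$1")
    [ "$key" -ge "$(version_key 4.80)" ] && [ "$key" -le "$(version_key 4.92.1)" ]
}

# Pull the version number out of the first line of `exim -bV` output,
# which starts "Exim version X.Y.Z #N built ...".
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n '1s/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# Constructed sample of `exim -bV` output (not captured from a real host).
SAMPLE_BV='Exim version 4.92.1 #2 built 10-Jul-2019 12:34:56
Copyright (c) University of Cambridge, 1995 - 2018'

# Report whether the host described by the given `exim -bV` output needs the update.
check_host() {
    ver=$(exim_version_from_bv "$1")
    if [ -z "$ver" ]; then
        echo "could not parse an Exim version from the input"
    elif exim_affected "$ver"; then
        echo "Exim $ver is in the affected range 4.80 to 4.92.1: upgrade to 4.92.2"
    else
        echo "Exim $ver is outside the affected range"
    fi
}

check_host "$SAMPLE_BV"
```

Feed the function the real output of `exim -bV` on a host to classify it; the version parser deliberately stops at the first non-numeric character so release-candidate suffixes do not break the arithmetic.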
