Date:
To: oss-security, Exim Users, Exim Announce
Subject: Re: [exim] CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges.

CVE ID: CVE-2019-15846
Credits: Zerons, Qualys
Version(s): all versions up to and including 4.92.1
Issue: The SMTP Delivery process in all¹ versions up to and including Exim 4.92.1 has a Buffer Overflow. In the default runtime configuration, this is exploitable with crafted Server Name Indication (SNI) data during a TLS negotiation. In other configurations, it is exploitable with a crafted client TLS certificate.
Details: doc/doc-txt/cve-2019-15846 in the downloaded source tree
Coordinated Release Date (CRD) for Exim 4.92.2: 2019-09-06 10: (UTC)
Contact: security @ ???

We released Exim 4.92.2. This is a security update based on 4.92.1.
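As an added triage helper (not part of the advisory or of Exim itself), the check below classifies a host by the affected range this advisory gives (4.80 up to and including 4.92.1 per the footnote, fixed in 4.92.2) and by whether TLS is offered at all, the tls_advertise_hosts setting the mitigation section refers to. The `exim -bV` / `exim -bP tls_advertise_hosts` output formats are assumed, and the sample lines are constructed.

```python
import re
import subprocess

# Affected range stated in the advisory footnote: 4.80 up to and including 4.92.1.
AFFECTED_MIN = (4, 80, 0)
AFFECTED_MAX = (4, 92, 1)

# Constructed sample output; the exact format of `exim -bV` and `exim -bP` is assumed here.
SAMPLE_BV = "Exim version 4.92.1 #3 built 01-Sep-2019 12:00:00\nCopyright (c) University of Cambridge\n"
SAMPLE_BP = "tls_advertise_hosts = *\n"


def parse_exim_version(bv_output: str) -> tuple:
    """Return (major, minor, patch) from the 'Exim version X.Y[.Z]' line; patch defaults to 0."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output)
    if not m:
        raise ValueError("no Exim version string found")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: tuple) -> bool:
    """True when the version lies inside the advisory's affected range (inclusive on both ends)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def tls_advertised(bp_output: str) -> bool:
    """True when tls_advertise_hosts is non-empty, i.e. TLS is offered to at least some hosts."""
    m = re.search(r"^tls_advertise_hosts\s*=\s*(.*)$", bp_output, re.MULTILINE)
    return bool(m and m.group(1).strip())


def classify(bv_output: str, bp_output: str) -> str:
    """Combine the version check and the TLS setting into one triage verdict."""
    if not is_affected(parse_exim_version(bv_output)):
        return "not affected"
    if tls_advertised(bp_output):
        return "affected, TLS advertised: upgrade to 4.92.2"
    return "affected, TLS not advertised (mitigation in place): upgrade to 4.92.2"


def classify_local_host() -> str:
    """Query the local exim binary; report plainly instead of failing when it is missing."""
    try:
        bv = subprocess.run(["exim", "-bV"], capture_output=True, text=True, check=True).stdout
        bp = subprocess.run(["exim", "-bP", "tls_advertise_hosts"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        return f"could not query exim: {exc}"
    return classify(bv, bp)


if __name__ == "__main__":
    print("sample:", classify(SAMPLE_BV, SAMPLE_BP))
    print("this host:", classify_local_host())
```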
Mitigation
==========

Do not offer TLS for incoming connections (tls_advertise_hosts).
This mitigation is *not* recommended!

Downloads
=========

Starting at CRD the downloads will be available from the following
sources:

Release tarballs (exim-4.92.2):
https://ftp.exim.org/pub/exim/exim4/
The package files are signed with my GPG key.
The full Git repo:
https://git.exim.org/exim.git
https://github.com/Exim/exim [mirror of the above]
- tag exim-4.92
- branch exim-4.92.2 fixes

The tagged commit is the officially released version. The tag is signed
with my GPG key. The fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit is
signed with my GPG key. The old exim-4.92.1 fixes branch is being functionally
replaced by the new exim-4.92.2 fixes branch.

¹) We have indication that only versions starting with 4.80 up to and
including 4.92.1 are affected.

Best regards from Dresden / Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: (***) 802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -