Re: [exim-dev] Exim 4.82.1 Security Release

Author: Wolfgang Breyha
Date:  
To: exim-dev
Subject: Re: [exim-dev] Exim 4.82.1 Security Release
Todd Lyons wrote, on 28/05/14 14:25:
> This issue is known by the CVE ID of CVE-2014-2957, was reported
> directly to the Exim development team by a company which uses Exim for
> its mail server. An Exim developer constructed a small patch which
> altered the way the contents of the From header is parsed by converting
> it to use safer and better internal functions. It was applied and
> tested on a production server for correctness. We were notified of the
> vulnerability Friday night, created a patch on Saturday, applied and
> tested it on Sunday, notified OS packagers on Monday/Tuesday, and are
> releasing on the next available work day, which is Wednesday.


Reading the diff... besides the improved coding, was this the same issue also
fixed by http://bugs.exim.org/show_bug.cgi?id=1433 ?

The CVE number is not accessible yet.

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> | http://www.blafasel.at/
Vienna University Computer Center | Austria