Re: [exim] [exim-announce] CVE-2017-16943, CVE-2017-16944

Author: Heiko Schlittermann
To: exim-users, Heiko Schlittermann via Exim-announce
Subject: Re: [exim] [exim-announce] CVE-2017-16943, CVE-2017-16944
Randy Bush <randy@???> (Di 28 Nov 2017 23:34:55 CET):
> > Distros are advised to include these commits.
> deb/ubu distros are so far behind that they do not have the vuln

That isn't true. The current stable Debian (9.x) ships with
Exim 4.89. And from (including) 4.88 onwards Exim is vulnerable.

Though, the Debian Distro changed the built-in default of the chunking
extension to 'disabled'. One needs to switch it on explicitly in the
runtime config to be vulnerable.

Please correct me if I'm wrong.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -