Heiko Schlittermann <hs@???> (Mi 07 Feb 2018 11:39:43 CET):
> CVE-2018-6789 Exim 4.90 and earlier
> ===================================
>
> There is a buffer overflow in an utility function, if some pre-conditions
> are met. Using a handcrafted message, remote code execution seems to be
> possible.
>
> A patch exists already and is being tested.
>
> Currently we're unsure about the severity, we *believe*, an exploit
> is difficult. A mitigation isn't known.
>
> Next steps:
>
> * t0: Distros will get access to our "security" non-public git repo
> (based on the SSH keys known to us)
> * t0 +7d: Patch will be published on the official public git repo
>
> t0 will be around 2018-02-08.
t0 is now. Distro maintainers please use the following repos URLs:
The full git repo:
ssh://git@???/exim.git
tag: exim-4_90_1
The tarballs git repo:
ssh://git@???/exim-packages.git
tag: exim-4_90_1
The tags are signed with my key¹, as are the tarballs and my own
commits.
¹) If you get a warning about my key being expired, please refresh it
from the keyservers or from
https://ssl.schlittermann.de/keys/gpg/hs@schlittermann.de/F69376CE.asc
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
