[exim-cvs] Add CVE-2019-10149

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Add CVE-2019-10149
Gitweb: https://git.exim.org/exim-website.git/commitdiff/4afe2c50eeb22d67679311f19f98e81ead822240
Commit:     4afe2c50eeb22d67679311f19f98e81ead822240
Parent:     af44fdf3233d792599ff095849f0721c1e1a299e
Author:     Heiko Schlittermann (HS12-RIPE) <hs@???>
AuthorDate: Mon Jun 3 15:50:12 2019 +0200
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Mon Jun 3 15:51:36 2019 +0200


    Add CVE-2019-10149
---
 templates/static/doc/security/CVE-2019-10149.txt | 43 ++++++++++++++++++++++++
 1 file changed, 43 insertions(+)


diff --git a/templates/static/doc/security/CVE-2019-10149.txt b/templates/static/doc/security/CVE-2019-10149.txt
new file mode 100644
index 0000000..cb5a646
--- /dev/null
+++ b/templates/static/doc/security/CVE-2019-10149.txt
@@ -0,0 +1,43 @@
+CVE-2019-10149 Exim 4.87 to 4.91
+================================
+
+We received a report of a possible remote exploit.  Currently there is no
+evidenice of an active use of this exploit.
+
+A patch exists already, is being tested, and backported to all
+versions we released since (and including) 4.87.
+
+The severity depends on your configuration.  It depends on how close to
+the standard configuration your Exim runtime configuration is. The
+closer the better.
+
+Next steps:
+
+* t0:     Distros will get access to our non-public security Git repo
+         (access is granted based on the SSH keys that are known to us)
+
+* t0+7d: Coordinated Release Date: Distros should push the patched
+         version to their repos. The Exim maintainers will publish
+     the fixed source to the official and public Git repo.
+
+t0 is expected to be 2019-06-04, 10:00 UTC
+
+
+Timeline
+--------
+
+* 2019-05-27 Report from Qualys to exim-security list
+* 2019-05-27 Patch provided by Jeremy Harris
+* 2019-05-29 CVE-2019-10149 assigned from Qualys via RedHat
+* 2019-06-03 This announcement
+
+Updates will follow, here and on https://exim.org/security/CVE-2019-10149.txt
+
+    Best regards from Dresden/Germany
+    Viele Grüße aus Dresden
+    Heiko Schlittermann
+--
+ SCHLITTERMANN.de ---------------------------- internet & unix support -
+ Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
+ gnupg encrypted messages are welcome --------------- key ID: F69376CE -
+ ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
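
Review bot: In the first paragraph of the new advisory text, "evidenice" should read "evidence" ("+evidenice of an active use of this exploit."). In the "t0+7d" item, the last continuation line ("the fixed source to the official and public Git repo.") is indented five spaces while the other continuation lines use nine; align it so the item reads cleanly in a plain-text file. The heading gives the affected range as "Exim 4.87 to 4.91", but the body only says the patch is being backported to all versions since and including 4.87. Repeating the affected range in the body would make it easier for operators to check their installed version. The severity paragraph says the risk depends on how close the runtime configuration is to the standard one without naming which settings matter. If that detail is being withheld until the coordinated release date, the text should say so.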