Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable

Author: Heiko Schlittermann
Date:  
To: Exim-users
Subject: Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
The fix for CVE-2019-10149 is public now.

    https://git.exim.org/exim.git
    Branch exim-4_91+fixes.


Thank you to
    - Qualys for reporting it.
    - Jeremy for fixing it.
    - you for using Exim.


Sorry for the confusion about the public release. We were forced to react,
as details leaked.

The patch should apply cleanly to all affected versions (4.87->4.91). We
do not do a security release, as the official Exim version is at 4.92
already and older releases are considered to be outdated and not
supported by the developers anymore.

Please do not hesitate to contact us if you need help backporting the
fix.

Details of the commit:

    |commit d740d2111f189760593a303124ff6b9b1f83453d
    |gpg: Signature made Di 04 Jun 2019 11:27:33 CEST
    |gpg:                using RSA key D0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142
    |gpg:                issuer "hs@???"
    |gpg: Good signature from "Heiko Schlittermann (Dresden) <hs@???>" [full]
    |gpg:                 aka "Heiko Schlittermann (HS12-RIPE) <hs@???>" [full]
    |gpg:                 aka "[jpeg image of size 4759]" [full]
    |gpg:                 aka "Heiko Schlittermann (Exim MTA Maintainer) <heiko@???>" [full]
    |gpg:                 aka "Heiko Schlittermann (HS12-RIPE) <hs@???>" [undefined]
    |Author: Jeremy Harris <jgh146exb@???>
    |Date:   Mon May 27 21:57:31 2019 +0100
    |
    |   Fix CVE-2019-10149



    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
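
For triaging hosts against the version range named in this announcement, here is an added example (not part of the original message and not Exim's own tooling) that classifies the first line of `exim -bV` output. The banner format and the `host|banner` inventory layout are assumptions; a package carrying a backported fix still reports a version in range, so `affected` means the fix has to be confirmed separately.

```shell
#!/bin/sh
# Added example: classify Exim version banners against the range in this
# announcement (4.87 to 4.91 affected, 4.92 current).

# Extract "MAJOR MINOR" from a banner such as
# "Exim version 4.90_1 #2 built ..." -> "4 90".
# Patch suffixes ("_1", ".1") are dropped; they do not change the decision.
exim_major_minor() {
    printf '%s\n' "$1" | sed -n \
        '1s/^Exim version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Prints one of: affected | not-affected | unknown
classify_exim() {
    mm=$(exim_major_minor "$1")
    if [ -z "$mm" ]; then
        echo unknown            # not an Exim banner, or unparsable
        return 0
    fi
    set -- $mm                  # split into major and minor
    if [ "$1" -eq 4 ] && [ "$2" -ge 87 ] && [ "$2" -le 91 ]; then
        # Assumption: the version alone cannot show a backported fix.
        echo affected
    else
        echo not-affected
    fi
}

# Read "host|banner" lines on stdin and print "host status" per line.
triage() {
    while IFS='|' read -r host banner; do
        if [ -n "$host" ]; then
            printf '%s %s\n' "$host" "$(classify_exim "$banner")"
        fi
    done
}

# Constructed inventory for illustration (not real hosts or real output).
triage <<'EOF'
mx1.example|Exim version 4.91 #3 built 10-Apr-2019 09:00:00
mx2.example|Exim version 4.90_1 #2 built 14-Feb-2018 12:00:00
mx3.example|Exim version 4.92 #1 built 01-Mar-2019 08:00:00
mx4.example|Exim version 4.86_2 #1 built 05-Mar-2016 10:00:00
mx5.example|connection refused
EOF
```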