Re: [exim] CVE-2019-10149: already vulnerable ?

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Calum Mackay
Date:  
À: exim-users
Sujet: Re: [exim] CVE-2019-10149: already vulnerable ?
On 22/06/2019 9:44 am, Andreas Metzler via Exim-users wrote:
> CVE-2019-10149 is not that it is possible to submit a mail that ends
> up frozen in the queue. CVE is a remote command execution
> vulnerabilty. The fix for CVE-2019-10149 does not remove the
> possibility to generate frozen mails in the queue, it stops the remote
> command execution.


by any chance, please, would anyone happen to have an acl_smtp_rcpt
example that catches these particular exploit attempts — so my queue
doesn't fill up with these frozen msgs — /but/ still allows me to have
"user+suffix@domain" which I enable via local_part_suffix on a redirect
router?

i.e. just rejecting '+' in the local part is too strict, here.


thanks very much indeed.

cheers,
calum.