[exim] ATTN: Re: CVE-2019-10149: already vulnerable ?

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Cyborg
Datum:  
To: exim-users
Betreff: [exim] ATTN: Re: CVE-2019-10149: already vulnerable ?
Am 23.06.19 um 21:02 schrieb Jeremy Harris via Exim-users:
>   deny  local_parts = \N ^.*$ : ^.*\\x24 : ^.*\\0?44 \N
>         message = no mate

>
> Thie is perhaps over-broad - a dollar sign in a local-part
> is strictly legitimate per the standards. However, it's
> not something most strictly-Ascii sites would be wanting to
> use, I suspect.


Anyone who used this restricted chars patch:

  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[\$@%!/|]

should update to this ruleset :

  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[\$@%!/|] : ^.*x24 : ^.*0.44

as there is a unexpected problem with jeremy's version, which will
reject any x24 in any part of the message.

We are not aware of any exploit succeeding to circumvent the old patched
restricted chars rule yet, but better be safe than sorry!


best regards,
Marius