Hi,
Is there an ETA for the sources to appear on the download servers?
I need those in order to update the package for Gentoo.
Thanks,
Fabian
On 25-07-2019 10:04:19 +0100, Jeremy Harris via Exim-announce wrote:
> General release information
> ===========================
>
> The code fix for this issue has been placed in the project
> public git repository; the project website will be updated
> in due course.
>
>
> CVE ID: CVE-2019-13917
> OVE ID: OVE-20190718-0006
> Date: 2019-07-18
> Credits: Jeremy Harris
> Version(s): 4.85 up to and including 4.92
> Issue: A local or remote attacker can execute programs with root
> privileges - if you've an unusual configuration. For details
> see below.
>
> Coordinated Release Date (CRD) for Exim 4.92.1:
> Thu Jul 25 10:00:00 UTC 2019
>
> Contact: security@???
>
> Details:
> A vulnerability was discovered in the "sort" expansion operator:
> The elements of the list were expanded, giving a possible attack
> if the list included data supplied by an attacker.
>
> If the effective configuration file for exim does not use sort
> then the system is trivially declarable as not being vulnerable.
> Use this command to check: "exim -bP config | grep sort".
>
> --
> Cheers,
> Jeremy
--
Fabian Groffen
Gentoo on a different level
