Author: Fabian Groffen Date: To: exim-dev CC: Jeremy Harris Subject: Re: [exim-dev] [exim-announce] CVE-2019-13917
Is there an ETA for the sources to appear on the download servers?
I need those in order to update the package for Gentoo.
On 25-07-2019 10:04:19 +0100, Jeremy Harris via Exim-announce wrote: > General release information
> The code fix for this issue has been placed in the project
> public git repository; the project website will be updated
> in due course.
> CVE ID: CVE-2019-13917
> OVE ID: OVE-20190718-0006
> Date: 2019-07-18
> Credits: Jeremy Harris
> Version(s): 4.85 up to and including 4.92
> Issue: A local or remote attacker can execute programs with root
> privileges - if you've an unusual configuration. For details
> see below.
> Coordinated Release Date (CRD) for Exim 4.92.1:
> Thu Jul 25 10:00:00 UTC 2019
> Contact: security@???
> A vulnerability was discovered in the "sort" expansion operator:
> The elements of the list were expanded, giving a possible attack
> if the list included data supplied by an attacker.
> If the effective configuration file for exim does not use sort
> then the system is trivially declarable as not being vulnerable.
> Use this command to check: "exim -bP config | grep sort".
Gentoo on a different level
This message was posted to the following mailing lists: