*** Note: EMBARGO is still in effect! ***
*** Distros must not publish any detail yet ***
Heads up! Security release ahead!
CVE ID: CVE-2019-15846
Version(s): up to and including 4.92.1
Issue: A local or remote attacker can execute programs with root
privileges.
Details: Will be made public at the CRD. Currently there is no known
exploit, but a rudimentary PoC exists.
Coordinated Release Date (CRD) for Exim 4.92.2:
2019-09-06 10:00 UTC
Contact: security@???
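A quick affected-version check that an operator can run against the first line of `exim -bV` on each host, as an added example; it is not part of this notice or of the Exim project. It assumes the notice's own numbers (4.92.1 and earlier affected, 4.92.2 fixed) and a constructed `exim -bV` first line of the form "Exim version X.YZ #N built ..."; the function names `parse_version`, `is_affected` and `classify` are this example's, not Exim's. Distribution packages that backport the fix without bumping the upstream version string will still report as affected here and must be checked against the distributor's own advisory.

```python
import re
from typing import Tuple

# Assumption taken from the notice: versions up to and including 4.92.1 are
# affected, so anything numerically below the fixed release 4.92.2 is flagged.
FIXED_VERSION: Tuple[int, ...] = (4, 92, 2)

# First dotted numeric token, e.g. "4.92.1" out of "Exim version 4.92.1 #3 built ..."
_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the dotted version in `text` as an int tuple: "4.92.1" -> (4, 92, 1).

    Accepts a bare version string or the first line of `exim -bV` output.
    Raises ValueError when no dotted numeric version is present.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Exim version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(text: str) -> bool:
    """True when the reported version is below the fixed release (4.92.2).

    Tuple comparison handles a two-component release such as "4.92", which
    compares as (4, 92) < (4, 92, 2) and is therefore reported as affected.
    The build number after '#' is ignored; it says nothing about the fix.
    """
    return parse_version(text) < FIXED_VERSION


def classify(text: str) -> str:
    """Map a version string or `exim -bV` line to "affected", "fixed" or "unknown".

    "unknown" covers unparseable input, so an inventory script never silently
    treats a host it could not read as fixed.
    """
    try:
        version = parse_version(text)
    except ValueError:
        return "unknown"
    return "affected" if version < FIXED_VERSION else "fixed"


if __name__ == "__main__":
    # Constructed sample lines shaped like the first line of `exim -bV`;
    # the dates and build numbers are made up for this example.
    samples = [
        "Exim version 4.92.1 #3 built 04-Sep-2019 10:00:00",
        "Exim version 4.92 #2 built 01-Feb-2019 12:00:00",
        "Exim version 4.92.2 #1 built 06-Sep-2019 10:00:00",
        "exim: command not found",
    ]
    for line in samples:
        print(f"{classify(line):9s} <- {line}")
```

Run it on each host as `exim -bV | head -1 | python3 -c 'import sys, exim_check; print(exim_check.classify(sys.stdin.read()))'` (module name assumed). A result of "affected" on a distribution-packaged Exim is only a prompt to consult the distributor's advisory, since the upstream version string does not change when the fix is backported.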
Proposed Timeline
=================
2019-09-03:
- initial notification to distros@??? and
exim-maintainers@???
2019-09-04: <-- NOW
- This Heads-up notice to oss-security@???,
exim-users@???, and exim-announce@???
2019-09-06 10:00 UTC:
- Coordinated release date
- Notice to oss-security, exim-users, and exim-announce
- Publish the patches in our official and public Git repositories
and the packages on our FTP server.
Downloads available starting at CRD (not yet)
=============================================
The downloads are not yet available. They will be made available
at the above-mentioned CRD.
Release tarballs (exim-4.92.2):
https://ftp.exim.org/pub/exim/exim4/
The package files are signed with my GPG key.
The full Git repo:
https://git.exim.org/exim.git
https://github.com/Exim/exim [mirror of the above]
- tag exim-4.92.2
- branch exim-4.92.2+fixes
The tagged commit is the officially released version. The tag is signed
with my GPG key. The +fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit is
signed with my GPG key. The old exim-4.92.1+fixes branch is being functionally
replaced by the new exim-4.92.2+fixes branch.
Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -