Re: [exim] CVE-2019-15846: Exim - local or remote attacker c…

Top Page
Delete this message
Reply to this message
Author: Heiko Schlittermann
Date:  
To: oss-security, Exim Users, Exim Announce
Subject: Re: [exim] CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges.
CVE ID: CVE-2019-15846
Credits:    Zerons <sironhide0null@???>, Qualys
Version(s): all versions up to and including 4.92.1
Issue:      The SMTP Delivery process in all¹ versions up to and
            including Exim 4.92.1 has a Buffer Overflow.  In the default
            runtime configuration, this is exploitable with crafted Server
            Name Indication (SNI) data during a TLS negotiation. In other
            configurations, it is exploitable with a crafted client TLS certificate.
Details:    doc/doc-txt/cve-2019-15846 in the downloaded source tree


Coordinated Release Date (CRD) for Exim 4.92.2:
            2019-09-06 10:00 UTC


Contact:    security@???


We released Exim 4.92.2. This is a security update based on 4.92.1.

Mitigation
==========

Do not offer TLS for incomming connections (tls_advertise_hosts).
This mitigation is *not* recommended!

Downloads
=========

Starting at CRD the downloads will be available from the following
sources:

Release tarballs (exim-4.92.2):

    https://ftp.exim.org/pub/exim/exim4/


The package files are signed with my GPG key.

The full Git repo:

    https://git.exim.org/exim.git
    https://github.com/Exim/exim    [mirror of the above]
    - tag    exim-4.92.2
    - branch exim-4.92.2+fixes


The tagged commit is the officially released version. The tag is signed
with my GPG key. The +fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit is
signed with my GPG key. The old exim-4.92.1+fixes branch is being functionally
replaced by the new exim-4.92.2+fixes branch.

¹) We've indication, that only versions starting with 4.80 up to and
including 4.92.1 are affected.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -