Re: [exim-dev] CVE-2021-38371 (allows response injection dur…

Author: Andrew C Aitchison
Date:  
To: Harry Mills
CC: exim-dev
Subject: Re: [exim-dev] CVE-2021-38371 (allows response injection during MTA SMTP sending)
On Tue, 4 Jan 2022, Harry Mills via Exim-dev wrote:

> Hi Jeremy,
>
> Thanks for the swift reply. Here is the (anonymised) output of the test tool
> for reference. It looks like exim 4.94.2 (Centos 8) is not vulnerable:
>
> python3 ./command-injection-tester --smtp <MAILSERVER>


As I understand https://nostarttls.secvuln.info/
command-injection-tester only tests for bugs when exim is receiving email;
to test for the *response* injection bugs in CVE-2021-38371, when exim is 
sending email, you need to use
    https://github.com/Email-Analysis-Toolkit/fake-mail-server
which looks more involved to me.


-- 
Andrew C. Aitchison                    Kendal, UK
             andrew@???
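As an added illustration (not code from this thread, from Exim, or from either test tool), the client-side check that a STARTTLS response-injection test exercises: after the sending MTA issues STARTTLS, any bytes already buffered after the 220 reply arrived in plaintext and must be discarded with the session aborted, never carried into the TLS session as if they were later replies. The sample replies are constructed.

```python
import re
from typing import NamedTuple

# Constructed sample buffers, as a sending MTA might read them right after
# issuing STARTTLS. The second carries extra plaintext reply lines after the
# 220, which is the response-injection pattern a correct client must reject.
CLEAN = b"220 2.0.0 Ready to start TLS\r\n"
INJECTED = b"220 2.0.0 Ready to start TLS\r\n250 2.1.0 OK\r\n250 2.1.5 OK\r\n"

# One SMTP reply line: 3-digit code, '-' (more lines follow) or ' ' (last line).
_REPLY_LINE = re.compile(rb"(\d{3})([ -])(.*)\r\n")


class StartTlsCheck(NamedTuple):
    code: int        # reply code of the STARTTLS response
    ok: bool         # True only if code is 220 and nothing trails the reply
    injected: bytes  # plaintext bytes found after the reply, if any


def check_starttls_reply(buf: bytes) -> StartTlsCheck:
    """Parse the plaintext reply to STARTTLS and report trailing bytes.

    The TLS handshake may only start when the reply is a complete 220 and
    the plaintext buffer is otherwise empty; trailing bytes are untrusted.
    """
    pos = 0
    code = None
    while True:
        m = _REPLY_LINE.match(buf, pos)
        if not m:
            raise ValueError("incomplete or malformed SMTP reply")
        if code is None:
            code = int(m.group(1))
        elif int(m.group(1)) != code:
            raise ValueError("inconsistent codes in multiline reply")
        pos = m.end()
        if m.group(2) == b" ":  # a space after the code ends the reply
            break
    trailing = buf[pos:]
    return StartTlsCheck(code, code == 220 and not trailing, trailing)
```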