Re: [exim-dev] CVE-2021-38371 (allows response injection dur…

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MHarry Mills at <-
MHarry Mills at ->
Delete this message
Reply to this message
Author: Andrew C Aitchison
Date:  
To: Harry Mills
CC: exim-dev
Subject: Re: [exim-dev] CVE-2021-38371 (allows response injection during MTA SMTP sending)
On Tue, 4 Jan 2022, Harry Mills via Exim-dev wrote:

> Hi Jeremy,
>
> Thanks for the swift reply. Here is the (anonymised) output of the test tool
> for reference. It looks like exim 4.94.2 (Centos 8) is not vulnerable:
>
> python3 ./command-injection-tester --smtp <MAILSERVER> 

As I understand https://nostarttls.secvuln.info/
command-injection-tester only tests for bugs when exim is receiving email;
to test for the *response* injection bugs in CVE-2021-38371, when exim is 
sending email, you need to use
    https://github.com/Email-Analysis-Toolkit/fake-mail-server
which looks more involved to me.


-- 
Andrew C. Aitchison                    Kendal, UK
             andrew@???


This message was posted to the following mailing lists:
Exim-dev
Mailing List Info | Nearby Messages		<-Re: [exim-dev] exim 4.95: Remote host closed connection in response to end of dataRe: [exim-dev] CVE-2021-38371 (allows response injection during MTA SMTP sending)->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)