Re: [exim] CVE-2022-37452

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Andrew C Aitchison
Datum:  
To: Cyborg via Exim-users
Betreff: Re: [exim] CVE-2022-37452
On Wed, 24 Aug 2022, Cyborg via Exim-users wrote:

> Am 24.08.22 um 18:14 schrieb Jeremy Harris via Exim-users:
>> On 24/08/2022 16:45, Ken Olum via Exim-users wrote:
>>> How serious is CVE-2022-37452: buffer overflow for the alias list in
>>> host_name_lookup?
>>
>> The associated bug, 2747, reported it as a segfault in the receive
>> process.
>
> Besides the real impact here, if a CVE number has been assigned, and it's
> reasonable to assume it's correct,
> it should be mentioned in the security section, don't you agree?


www.exim.org/static/doc/security/CVE-2021-38371.txt
is advertised on a couple of CVE sites but does not exist.
Like CVE-2022-37452, CVE-2021-38371 was fixed in 4.95 (the fix in git
actually predates the NO STARTTLS announcement).

I wrote up some text for it but Jeremy didn't like the tone of it
- my page sounded as if we agreed that the bug was a security issue.
He clearly did not believe that CVE-2021-38371 is an insecurity;
I agree that there is no evidence that it is one, but lack of evidence is
not evidence of lack, and the fix has been applied.

Like you, I think that we should respond to each CVE, whether they
are security issues or not, but Jeremy gave me the impression that
he does not.

If you are happy to stick to your guns on this one, I will rewrite
mine and report it in the bugzilla, which is what Jeremy suggested.

Since Jeremy does most of the work on exim I am not keen
to make a fuss.

-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew@???