Gitweb:
https://git.exim.org/exim-website.git/commitdiff/2fae8e2e6a9d5606ac7eb7c94003d59756a1281a
Commit: 2fae8e2e6a9d5606ac7eb7c94003d59756a1281a
Parent: 07da727dd2c1292e3bad99b200da02099529eedf
Author: Andrew Aitchison <exim@???>
AuthorDate: Mon Mar 20 11:13:22 2023 +0100
Committer: Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Mon Mar 20 11:13:22 2023 +0100
add: CVE-2021-38371
---
templates/static/doc/security/CVE-2021-38371.txt | 39 ++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/templates/static/doc/security/CVE-2021-38371.txt b/templates/static/doc/security/CVE-2021-38371.txt
new file mode 100644
index 0000000..dfb748b
--- /dev/null
+++ b/templates/static/doc/security/CVE-2021-38371.txt
@@ -0,0 +1,39 @@
+CVE ID: CVE-2021-38371
+Date: 2021-08-10
+Version(s): up to and including 4.94.2
+Reporter: Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel
+Reference: https://nostarttls.secvuln.info/
+Issue: Possible MitM attack on STARTTLS when Exim is *sending* email.
+
+
+Conditions to be vulnerable
+===========================
+
+Versions up to (and including) 4.94.2 are vulnerable when
+*sending* emails via a connection encrypted via STARTTLS.
+
+
+Details
+=======
+
+When Exim acting as a mail client wishes to send a message,
+a Meddler-in-the-Middle (MitM) may respond to the STARTTLS command
+by also sending a response to the *next* command, which Exim will
+erroneously treat as a trusted response.
+
+Source fixed by
+https://git.exim.org/exim.git/commit/1b9ab35f323121aabf029f0496c7227818efad14
+commit 1b9ab35f323121aabf029f0496c7227818efad14
+Author: Jeremy Harris
+Date: Thu Jul 30 20:16:01 2020 +0100
+
+Mitigation
+==========
+
+There is - beside updating the server - no known mitigation.
+
+Fix
+===
+
+Download and build the fixed version 4.95 or a later version
+(4.96 was released in June 2022).
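Review bot: the Mitigation line "There is - beside updating the server - no known mitigation." points readers at "the server", while the Issue, Conditions and Details sections all say the flaw applies when Exim is *sending*, i.e. acting as a mail client. An administrator could read this as the receiving host needing the update. Suggest naming the affected side explicitly, for example "besides updating the sending Exim installation", and changing "beside" to "besides". Separately, "Source fixed by" is the only block without an underlined heading like the other sections, so it reads as part of Details; giving it its own heading would match the rest of the file.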