[exim-cvs] typos

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] typos
Gitweb: https://git.exim.org/exim-website.git/commitdiff/f1356ac2d868910947ccc2b3b4b546a0839c5e45
Commit:     f1356ac2d868910947ccc2b3b4b546a0839c5e45
Parent:     13879808eba2c605c5f4c060c332c3cab40cc423
Author:     Heiko Schlittermann (HS12-RIPE) <hs@???>
AuthorDate: Mon Mar 20 23:32:52 2023 +0100
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Mon Mar 20 23:32:52 2023 +0100


    typos
---
 templates/static/doc/security/xx | 43 ++++++++++++++++++++++++++++++++++++++++
 templates/web/mirrors.xsl        |  6 +++---
 2 files changed, 46 insertions(+), 3 deletions(-)


diff --git a/templates/static/doc/security/xx b/templates/static/doc/security/xx
new file mode 100644
index 0000000..2322c43
--- /dev/null
+++ b/templates/static/doc/security/xx
@@ -0,0 +1,43 @@
+CVE ID:     CVE-2021-38371
+Date:       2021-08-10
+Version(s): up to and including 4.94.2
+Reporter:   Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel
+Reference:  https://nostarttls.secvuln.info/
+Issue:      Possible MitM attack on STARTTLS when Exim is *sending* email.
+
+** The Exim developers do not consider this issue as a security problem.
+** Additionally, we do not have any feedback about a successful attack
+** using the scenario described below.
+
+
+Conditions to be vulnerable
+===========================
+
+Versions up to (and including) 4.94.2 are vulnerable when
+*sending* emails via a connection encrypted via STARTTLS.
+
+
+Details
+=======
+
+When Exim acting as a mail client wishes to send a message,
+a Meddler-in-the-Middle (MitM) may respond to the STARTTLS command
+by also sending a response to the *next* command, which Exim will
+erroneously treat as a trusted response.
+
+Source fixed by
+https://git.exim.org/exim.git/commit/1b9ab35f323121aabf029f0496c7227818efad14
+commit 1b9ab35f323121aabf029f0496c7227818efad14
+Author: Jeremy Harris
+Date:   Thu Jul 30 20:16:01 2020 +0100
+
+Mitigation
+==========
+
+There is - beside updating the server - no known mitigation.
+
+Fix
+===
+
+Download and build the fixed version 4.95 or a later version
+(4.96 was released in June 2022).
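Review bot: The new file templates/static/doc/security/xx does not belong in a commit whose message is "typos": it is a complete 43-line advisory for CVE-2021-38371 under what looks like a placeholder name. Either drop it from this commit or commit it separately under a name that identifies the CVE. In the Mitigation section, "There is - beside updating the server - no known mitigation." refers to the server, although the Conditions and Details sections describe Exim acting as the sending client; "besides updating Exim" would match the rest of the text.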
diff --git a/templates/web/mirrors.xsl b/templates/web/mirrors.xsl
index de5c8f5..20e7ca0 100644
--- a/templates/web/mirrors.xsl
+++ b/templates/web/mirrors.xsl
@@ -34,12 +34,12 @@
                     <a href="https://github.com/Exim/exim">Github</a>.


                     <xsl:text>Further information on the binary and OS distributions can be found in the </xsl:text>
-                    <a href="https://wiki.exim.org/ObtainingExim">Exim Wiki.</a>
+                    <a href="https://wiki.exim.org/ObtainingExim">Exim Wiki</a>.


-                    <xsl:text>If we published maintenance releases you can find the tarballs in the </xsl:text>
+                    <xsl:text>If we published maintenance releases, you can find the tarballs in the </xsl:text>
                     <a href="https://downloads.exim.org/exim4/fixes/">fixes</a>


-                    <xsl:text> directory</xsl:text>
+                    <xsl:text> directory.</xsl:text>
                 </p>


         <h3>Verification of Downloads</h3>
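Review bot: In the maintenance-releases sentence, the added comma fixes the punctuation, but "If we published maintenance releases, you can find the tarballs in the" still mixes past and present tense; "If we have published maintenance releases, you can find the tarballs in the" would read better. Moving the period outside the Exim Wiki link matches the Github line in the unchanged context above, so that part is consistent.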