[exim] Re: Exim Zero Day?

Author: Cyborg
Date:  
To: exim-users
Subject: [exim] Re: Exim Zero Day?
On 02.10.23 at 21:53, Christof Meerwald via Exim-users wrote:
> But my understanding here is that fixes were actually already done in
> May 2023, see
> https://git.exim.org/exim.git/commit/7bb5bc2c6592e062bf0b514cc71afd2d93e2e0dd
>
> Auths: fix possible OOB write in external authenticator. Bug 2999
> author Jeremy Harris <jgh146exb@???>
>    Thu, 11 May 2023 19:02:43 +0200 (18:02 +0100)
> committer Jeremy Harris <jgh146exb@???>
>    Tue, 26 Sep 2023 20:07:46 +0200 (19:07 +0100)
>
> similar for the other fixes that were made available today.
>
>
> Christof
>


Of course, any issue that was fixed when they knew about it was not
made public, because of the pending ZDI publication with 3 additional
unpatched issues.
It's normal that the entire report is handled as one package, even if
you have 6 or 21Nails.

If you put each patch in the public repo without informing the distros
about the security bug, what happens?  Right, a few hours later, all
unpatched exims are getting attacked. The process to inform distros about
a security issue and have an embargo repo ready with TESTED fixes needs
a lot of effort. It's not surprising that a team waits for all bugs to
be fixed before releasing the info, as the reporter usually confirms
the working fix first.

In this case, there was not enough info for a fix, so no fix to test and
therefore no reporter to confirm it. The entire process was stalled.
Now you sit on half of the fixes, but do not get the needed additional
info... what do you do?

If you have waited long enough, you decide to release the available fixes
and bugger the reporter for the missing exploits. The only questions are:
How long is "long enough", and how much buggering can you / do you have to do?

Before you answer, keep in mind that every member of the exim team has a
real-life job and life.

Best regards,
Marius

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/