[exim] Re: Mitigation statement for CVE-2023-42119

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Slavko
Date:  
À: exim-users
Sujet: [exim] Re: Mitigation statement for CVE-2023-42119
Dňa 3. októbra 2023 15:48:01 UTC používateľ Johnnie W Adams via Exim-users <exim-users@???> napísal:
>Hi, folks,
>
>     What I take from this mitigation statement--Use a trustworthy DNS
>resolver which is able to validate the data according to the DNS record
>types--is that if our DNS service is solid, we are not vulnerable. Is this
>accurate, or am I oversimplifying things? The mitigation statement from ZDI
>was much more ominous, but I'm still parsing "network-adjacent attackers".


You may be interested to read independent review of highest issue:

    https://labs.watchtowr.com/exim-0days-90s-vulns-in-90s-software/

As confirmed by Jeremy, it is realistic... And now one can do own
conclusion about ZDI marking it 0day and assign it score 9,8.

The questions which comes into my mind: How reliable is ZDI then in
other issues categorization/scoring? What is ZDI trying to achieve?
I will not answe them, as i can only guess, but i will not consider ZDI
as trustworthy source of security issues.

regards


-- 
Slavko
https://www.slavino.sk/


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/