[exim] Recent CVEs and libspf2 (and Debian)

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: [exim] Recent CVEs and libspf2 (and Debian)
Dear Exim users,

while the recent CVEs addressed some issues that existed in Exim, there
seems to be at least one issue that is related to a library we
potentially use.

ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032

- https://bugs.exim.org/show_bug.cgi?id=3032
- https://www.zerodayinitiative.com/advisories/ZDI-23-1472/

Unfortunately we do not have any further details. But the libspf2 repo
on Github https://github.com/shevek/libspf2 contains at least one pull
request that potentially addresses the issue: https://github.com/shevek/libspf2/pull/44

IMHO a CVE should be created for that issue. Or the CVE-2023-42118
should be re-assigned to the libspf2.

So, if you do not want to disable the `spf` condition and `spf`
lookups in your Exim configuration, you could try to use a patched
version of the libspf2 library.

Dear Debian users: currently it doesn't seem as if Debian provides a
patched version (because of the above-mentioned uncertainty).

To patch my own systems I built a libspf2 package containing the patch.
This package is *not officially supported*! Use it at your own risk. And
I do not promise any maintenance, updates, functionality, compatibility.
You're on your own using it. Please do not complain if it breaks your
systems. But I'm happy about feedback.

- Git repo for `gbp`: https://gitea.schlittermann.de/DEB/libspf2
- Packages: https://apt.schlittermann.de/pool/main/libs/libspf2/

Hopefully this private hotfix will be outdated by official packages as soon as
possible.

    Best regards from Dresden/Germany
    Kind regards from Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -