[exim] Re: Recent CVEs and libspf2 (and Debian)

Author: Laura Williamson via Exim-users
Date:  
To: exim-users
Subject: [exim] Re: Recent CVEs and libspf2 (and Debian)
Hi

This patch is based on 1.2.10; the latest version is 1.2.11. I am not sure
what the difference is, but there might be something overlooked. The website

https://www.libspf2.org/

is at 1.2.10 (it seems not to be updated), whereas GitHub

https://github.com/shevek/libspf2

is at 1.2.11.

I believe 1.2.11 was released in 2021.

On 10/4/2023 9:01 AM, Heiko Schlittermann via Exim-users wrote:
> Dear Exim users,
>
> while the recent CVEs addressed some issues that existed in Exim, there
> seems to be at least one issue that is related to a library we
> potentially use.
>
> ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
>
> - https://bugs.exim.org/show_bug.cgi?id=3032
> - https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
>
> Unfortunately we do not have any further details. But the libspf2 repo
> on Github https://github.com/shevek/libspf2 contains at least one pull
> request that potentially addresses the issue: https://github.com/shevek/libspf2/pull/44
>
> IMHO a CVE should be created for that issue. Or the CVE-2023-42118
> should be re-assigned to the libspf2.
>
> So, if you do not want to disable the `spf` condition and `spf`
> lookups in your Exim configuration, you could try to use a patched
> version of the libspf2 library.
>
> Dear Debian users: currently it doesn't seem as if Debian provides a
> patched version (because of the above-mentioned uncertainty).
>
> To patch my own systems I built a libspf2 package containing the patch.
> This package is *not officially supported*! Use it at your own risk. And
> I do not promise any maintenance, updates, functionality or compatibility.
> You're on your own using it. Please do not complain if it breaks your
> systems. But I'm happy about feedback.
>
> - Git repo for `gbp`: https://gitea.schlittermann.de/DEB/libspf2
> - Packages: https://apt.schlittermann.de/pool/main/libs/libspf2/
>
> Hopefully this private hotfix will be outdated by official packages as soon as
> possible.
>
>      Best regards from Dresden/Germany
>      Viele Grüße aus Dresden
>      Heiko Schlittermann
> --
>   SCHLITTERMANN.de ---------------------------- internet & unix support -
>   Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
>   gnupg encrypted messages are welcome --------------- key ID: F69376CE -
>
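For readers who want to see what "disable the `spf` condition" refers to, below is an Exim ACL fragment. This is an added example, not configuration from either poster or from the Exim or libspf2 projects; it assumes the common layout where `acl_check_rcpt` is the RCPT-time ACL and that Exim was built with SPF support (which is what pulls in libspf2). The `spf` condition, `$spf_smtp_comment` and `$spf_received` are Exim's own names; the ACL name and policy choices are assumptions.

```exim
# Added example: RCPT ACL fragment showing where Exim calls into libspf2.
# Every "spf =" condition (and any spf lookup in an expansion) runs
# libspf2 code against the sender domain's SPF record. If you cannot
# deploy a patched libspf2, commenting these out removes the exposure
# at the cost of losing SPF checks.
acl_check_rcpt:

  # Reject outright when the sender domain publishes a hard fail.
  deny
    message = SPF check failed: $spf_smtp_comment
    spf = fail

  # For every other outcome, record the result in a Received-SPF
  # header and carry on; later filtering can act on it.
  warn
    add_header = $spf_received
    spf = pass : softfail : neutral : none : temperror : permerror

  # Disabled form (what "disable the spf condition" looks like): keep the
  # verb so the ACL still parses, but stop invoking libspf2.
  # deny
  #   message = SPF check failed: $spf_smtp_comment
  #   spf = fail

  accept
```

After changing this, run `exim -bV` to confirm the build lists SPF support, and `exim -C <file> -bV` (or `exim -bP` on the live config) to check the edited configuration parses before reloading the daemon.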


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/