[exim-cvs] upd: 4.96.2 mention fixes

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] upd: 4.96.2 mention fixes
Gitweb: https://git.exim.org/exim-website.git/commitdiff/ce2074176131e562ba032a0da8d1b1e5058880bc
Commit:     ce2074176131e562ba032a0da8d1b1e5058880bc
Parent:     2fb58ba90fe5063d827922eb2cff0e5c948635f9
Author:     Heiko Schlittermann (HS12-RIPE) <hs@???>
AuthorDate: Sun Oct 15 17:39:44 2023 +0200
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Sun Oct 15 17:39:44 2023 +0200


    upd: 4.96.2 mention fixes
---
 templates/static/doc/security/CVE-2023-zdi.txt | 31 +++++++++++---------------
 1 file changed, 13 insertions(+), 18 deletions(-)


diff --git a/templates/static/doc/security/CVE-2023-zdi.txt b/templates/static/doc/security/CVE-2023-zdi.txt
index 3b45efd..b56fc5e 100644
--- a/templates/static/doc/security/CVE-2023-zdi.txt
+++ b/templates/static/doc/security/CVE-2023-zdi.txt
@@ -11,14 +11,14 @@ on or off.

* One issue is related to data received from a proxy-protocol proxy. If
you do not use a proxy in front of Exim, you're not affected. If your
- proxy is trustworthy, you're not affected. We're working on a fix.
+ proxy is trustworthy, you're not affected. This issue is fixed.

* One is related to libspf2. If you do not use the `spf` lookup type or
the `spf` ACL condition, you are not affected.

* The last one is related to DNS lookups. If you use a trustworthy
resolver (which does validation of the data it receives), you're not
- affected. We're working on a fix.
+ affected. This issue is fixed.

Timeline
--------
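Review bot: In both changed bullets, "This issue is fixed." does not say which release carries the fix, so a reader still on 4.96.1 cannot tell from this summary whether they remain exposed. Suggest naming the release, for example "Fixed in 4.96.2.", to match the new Timeline entry and the per-CVE "Fix:" lines further down. The libspf2 bullet between the two changed bullets still carries no status at all; an explicit statement there would keep it from being read as covered by the same release.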
@@ -27,20 +27,17 @@ Timeline
- A security release exim-4.96.1 is published.
- The major distributions follow.

-More patches will follow (coordinated with the major distros) as soon as
-they're available.
+- 2023-10-15 15:45 UTC
+ - Security release exim-4.96.2 is published (sources only)
+ - Distros will follow.

Distribution points:
--------------------
- git://git.exim.org
- branches:
- - spa-auth-fixes (based on the current master) [commit IDs: 7bb5bc2c6 0519dcfb5 e17b8b0f1 04107e98d]
- - exim-4.96+security (based on exim-4.96) [gpg signed]
- - exim-4.96.1+fixes (based on exim-4.96.1 with the fixes from exim-4.96+fixes) [gpg signed]
- tags:
- - exim-4.96.1 [gpg signed]
+ - tag exim-4.96.2 (based on exim-4.96) [gpg signed]
+ - branch exim-4.96.2+fixes (based on exim-4.96.2 with the fixes from exim-4.96+fixes) [gpg signed]

-- tarballs for exim-4.96.1: https://ftp.exim.org/pub/exim/exim4/ [gpg signed]
+- tarballs for exim-4.96.2: https://ftp.exim.org/pub/exim/exim4/ [gpg signed]

 GPG signatures are made by me (hs@???, or Jeremy Harris
 jgh@???).
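Review bot: The rewritten "Distribution points" list drops the spa-auth-fixes branch and the exim-4.96.1 tag, while the per-CVE entries further down still cite 4.96.1 and the commit IDs 7bb5bc2c6, e17b8b0f1 and 04107e98d, whose branch is no longer named anywhere. Consider keeping the exim-4.96.1 tag in the list, or stating that exim-4.96.2 supersedes it, so those references stay resolvable. The new tag line also describes exim-4.96.2 as "based on exim-4.96" with no mention of 4.96.1; if the 4.96.1 fixes are included in the tag, it is worth saying so here.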
@@ -55,7 +52,7 @@ Subject:    NTLM Challenge Out-Of-Bounds Read
 CVSS Score: 3.7
 Mitigation: Do not use SPA (NTLM) authentication
 Subsystem:  SPA auth
-Fixed:      04107e98d, 4.96.1, 4.97
+Fixed:      04107e98d, >= 4.96.1, 4.97


 ZDI-23-1469 | ZDI-CAN-17434 | CVE-2023-42115 | Exim bug 2999
 ------------------------------------------------------------
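Review bot: On the changed "Fixed:" line, ">= 4.96.1, 4.97" is ambiguous, because 4.97 already satisfies ">= 4.96.1" and the comma-separated list now mixes a commit ID, a version range and a single version. Suggest spelling out the intent, for example "04107e98d, 4.96.1 and later 4.96.x, 4.97". The same wording is introduced on the other two "Fixed:" lines changed in this patch.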
@@ -63,7 +60,7 @@ Subject:    AUTH Out-Of-Bounds Write
 CVSS Score: 9.8
 Mitigation: Do not offer EXTERNAL authentication.
 Subsystem:  EXTERNAL auth
-Fixed:      7bb5bc2c6, 4.96.1, 4.97
+Fixed:      7bb5bc2c6, >= 4.96.1, 4.97


 ZDI-23-1470 | ZDI-CAN-17515 | CVE-2023-42116 | Exim bug 3000
 ------------------------------------------------------------
@@ -71,7 +68,7 @@ Subject:    SMTP Challenge Stack-based Buffer Overflow
 CVSS Score: 8.1
 Mitigation: Do not use SPA (NTLM) authentication
 Subsystem:  SPA auth
-Fixed:      e17b8b0f1, 4.96.1, 4.97
+Fixed:      e17b8b0f1, >= 4.96.1, 4.97


 ZDI-23-1471 | ZDI-CAN-17554 | CVE-2023-42117 | Exim Bug 3031
 -------------------------------------------------------------
@@ -79,7 +76,7 @@ Subject:    Improper Neutralization of Special Elements
 CVSS Score: 8.1
 Mitigation: Do not use Exim behind an untrusted proxy-protocol proxy
 Subsystem:  proxy protocol (not socks!)
-Fix:        not yet
+Fix:        a355463cf, >= 4.96.2, 4.97


 ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
 ------------------------------------------------------------
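Review bot: The added line uses the label "Fix:" where the three entries above use "Fixed:", so the field name is inconsistent across the advisory once the value is no longer "not yet". Suggest "Fixed:      a355463cf, >= 4.96.2, 4.97" here, and the same label on the DNS lookups entry in the last hunk, so the field can be searched and parsed uniformly.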
@@ -97,6 +94,4 @@ CVSS Score: 3.1
 Mitigation: Use a trustworthy DNS resolver which is able to
             validate the data according to the DNS record types.
 Subsystem:  dns lookups
-Fix:        not yet
-Remark:     It is still under consideration.
-
+Fix:        f6b1f8e7d, >= 4.96.2, 4.97


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-cvs.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-cvs-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/