[exim] Re: New Exim Security Release 4.96.2

Author: Slavko
Date:  
To: exim-users
Subject: [exim] Re: New Exim Security Release 4.96.2
On 15 October 2023 17:07:00 UTC, Jeremy Harris via Exim-users <exim-users@???> wrote:

>A resolver that you trust to only send properly-structured DNS responses
>towards you. As opposed to crafted responses with internally-inconsistent
>data, which the resolver access library functions (at least in glibc)
>do no checking on.


That is all nice. I asked on unbound, and the answer was -- we don't know, as
not enough details were published. The previous discussion on this ML ended
with the conclusion that even a trusted resolver on the LAN (on a separate
host) may not be enough, as an attacker can send crafted data before the real
resolver's response. And an attacker can even provide that crafted response
when the resolver is on the same host. Then Heiko stepped in, saying that we
have to understand that not all details can be published (yet).

I respected that, but IMO now is the time to publish all related details. Thus
please, do not repeat these confusing words. Confusing, because neither
bind's nor unbound's devs were able to tell if their resolver is OK (with this
issue), as not enough details were published...

>The Exim project does not supply libspf2 packages. You should ask this
>of your OS distro.


Heiko published Debian's libspf2 packages with applied patches and
announced that on this ML; that is what I am asking about. Thus please, answer
with that context in mind.

regards


--
Slavko
https://www.slavino.sk/
