[exim] Re: New Exim Security Release 4.96.2

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Andrew C Aitchison
Data:  
Para: Cyborg
CC: exim-users
Asunto: [exim] Re: New Exim Security Release 4.96.2
On Sun, 15 Oct 2023, Cyborg via Exim-users wrote:

> Am 15.10.23 um 18:17 schrieb Heiko Schlittermann via Exim-users:
>> - The remaining issue with `libspf2`, raised as CVE against Exim, can't
>>    be addressed by us, as it seems to happen inside the library's code.
>>    Library fixes are available.

>
> Hi,
>
> AFAIK that has already been adressed (at least for Fedora) in the libspf
> package:
>
> * Mon Oct 02 2023 XXXXXXXXXXXXXXXX - 1.2.11-10.20210922git4915c308 -
> CVE-2023-42118
>
> But i would image any distro will have it by now.


Sadly no. Ubuntu 23-10/mantic (released last week) still has:
       libspf2 (1.2.10-7.2build1) lunar; urgency=medium
               Fri, 04 Nov 2022 16:45:25 +0100
Debian is similar.


It seems that libspf2 has been updated to fix a security issue,
but no one is sure whether it is the same bug as ZDI reported in the CVE,
since they gave no details ...

-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew@???


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/