On Sun, 15 Oct 2023, Cyborg via Exim-users wrote:
> On 15.10.23 at 18:17, Heiko Schlittermann via Exim-users wrote:
>> - The remaining issue with `libspf2`, raised as CVE against Exim, can't
>> be addressed by us, as it seems to happen inside the library's code.
>> Library fixes are available.
>
> Hi,
>
> AFAIK that has already been addressed (at least for Fedora) in the libspf
> package:
>
> * Mon Oct 02 2023 XXXXXXXXXXXXXXXX - 1.2.11-10.20210922git4915c308 -
> CVE-2023-42118
>
> But I would imagine any distro will have it by now.

Sadly no. Ubuntu 23-10/mantic (released last week) still has:

    libspf2 (1.2.10-7.2build1) lunar; urgency=medium
    Fri, 04 Nov 2022 16:45:25 +0100

Debian is similar.

It seems that libspf2 has been updated to fix a security issue,
but no one is sure whether it is the same bug as ZDI reported in the CVE,
since they gave no details ...

--
Andrew C. Aitchison Kendal, UK
andrew@???