Hello Andreas and Moritz,

On Wed, Mar 15, 2023 at 05:18:15PM +0100, Moritz Mühlenhoff wrote:
> On Sun, Aug 15, 2021 at 07:21:40AM +0200, Andreas Metzler wrote:
> > On 2021-08-14 Salvatore Bonaccorso <car...@debian.org> wrote:
> > > Source: exim4
> > > Version: 4.94.2-7
> > > Severity: important
> > > Tags: security upstream
> > > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > > <t...@security.debian.org>
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for exim4, this is to start
> > > tracking the issue downstream for us. Note that at time of writing [2]
> > > still gives a 404.
> > >
> > > CVE-2021-38371[0]:
> > > | The STARTTLS feature in Exim through 4.94.2 allows response injection
> > > | (buffering) during MTA SMTP sending.
> > [...]
> >
> > IIRC that is mitigated in experimental (4.95 rc) by ALPN and unknown
> > command related changes, I will not be able to check in detail for a
> > week or so, though.
>
> Do you know if this is fixed in 4.96/bookworm?
Looks like the planned advisory at https://www.exim.org/static/doc/security/CVE-2021-38371.txt is not online. Looping in Heiko Schlittermann as well. Heiko, can you share details on the fixes?

Regards,
Salvatore