Hi,

On Fri, Oct 13, 2023 at 12:05:19PM +0200, Bert Van de Poel wrote:
> Package: libspf2-2
> Version: 1.2.10-7.1~deb11u1
> Severity: critical
> Tags: security patch
> Justification: root security hole
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> As already outlined on
> https://security-tracker.debian.org/tracker/CVE-2023-42118 there's a
> known security issue in libspf2 found through a security review of
> Exim by the Zero Day Initiative. An integer underflow in libspf2 was
> found which can be used to perform RCEs. A patch on
> https://github.com/shevek/libspf2/pull/44 is available and has been
> merged into the main repository. All relevant links are already
> available on the Debian Security Tracker.
Please note that, as already outlined in the security-tracker and on the upstream issue, there is still no confirmation from ZDI that the two issues are the same. So no, we cannot consider pull/44 from upstream the fix for CVE-2023-42118.

Better communication on that matter from the anonymous reporter would be very helpful to clarify the libspf2 status.

Regards,
Salvatore