Re: [embargoed security update] mail/exim -> 4.94.2

Tue, 04 May 2021 10:48:12 -0700 

Embargo has been removed, it's time to commit :)

For further reference a list of related CVEs:

    Local vulnerabilities
    - CVE-2020-28007: Link attack in Exim's log directory
    - CVE-2020-28008: Assorted attacks in Exim's spool directory
    - CVE-2020-28014: Arbitrary PID file creation
    - CVE-2020-28011: Heap buffer overflow in queue_run()
    - CVE-2020-28010: Heap out-of-bounds write in main()
    - CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
    - CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
    - CVE-2020-28015: New-line injection into spool header file (local)
    - CVE-2020-28012: Missing close-on-exec flag for privileged pipe
    - CVE-2020-28009: Integer overflow in get_stdinput()
    Remote vulnerabilities
    - CVE-2020-28017: Integer overflow in receive_add_recipient()
    - CVE-2020-28020: Integer overflow in receive_msg()
    - CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
    - CVE-2020-28021: New-line injection into spool header file (remote)
    - CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
    - CVE-2020-28026: Line truncation and injection in spool_read_header()
    - CVE-2020-28019: Failure to reset function pointer after BDAT error
    - CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
    - CVE-2020-28018: Use-after-free in tls-openssl.c
    - CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

On 5/4/21 8:20 AM, Renaud Allard wrote:

ping: the disclosure will take place today (2021-05-04 13:30 UTC)

On 5/2/21 10:49 AM, Renaud Allard wrote:

Hi,
There was a problem in exim 4.94.1, so there is now 4.94.2 which solves the issue. Embargo dates are the same. 

Best Regards

On 28/04/2021 08:53, Renaud Allard wrote:

Hello,
Here is an diff to update exim to 4.94.1. This is a very important security update.
Unfortunately, this update is embargoed so that "distro" package maintainers have the time to publish the packages. This means the source tar.gz is not available before 2021-05-04 13:30 UTC. I don't know how we could provide packages for -stable before the tar is published. I can build them for 6.8, but I can't sign them or build for 6.9 yet. 

It solves the following CVE:

- CVE-2020-28007
- CVE-2020-28008
- CVE-2020-28009
- CVE-2020-28010
- CVE-2020-28011
- CVE-2020-28012
- CVE-2020-28013
- CVE-2020-28014
- CVE-2020-28015
- CVE-2020-28016
- CVE-2020-28017
- CVE-2020-28018
- CVE-2020-28019
- CVE-2020-28020
- CVE-2020-28021
- CVE-2020-28022
- CVE-2020-28023
- CVE-2020-28024
- CVE-2020-28025
- CVE-2020-28026
- CVE-2021-27216

Best Regards

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to