[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2016-9963 | Exim 4.87.1 released (Was: CVE Request - Exim 4.69-4.87) - disclosure
From:       Heiko Schlittermann <hs () schlittermann ! de>
Date:       2016-12-25 10:44:10
Message-ID: 20161225104410.GU5082 () jumper ! schlittermann ! de
[Download RAW message or body]


I've uploaded Exim 4.87.1 to:

    ftp://ftp.exim.org/pub/exim/exim4/old/
    git://git.exim.org/exim.git (tag exim-4_87_1)

Whilst this release is superseeded by 4.88 already, you're urged
to upgrade to 4.87.1, if 4.88 isn't an option for you yet.

No features are added or removed. This release contains
just a fix for CVE-2016-9963

    - Fix CVE-2016-9963 - Info leak from DKIM.  When signing DKIM, if
      either LMTP or PRDR was used for delivery, the key could appear in
      logs.  Additionally, if the experimental feature "DSN_INFO" was used,
      it could appear in DSN messages (and be sent offsite).

For details about the CVE please see

    https://exim.org/static/doc/CVE-2016-9963.txt

The release files for 4.87.1 are signed with the PGP key 0xF69376CE,
which has a uid "Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>".
Please use your own discretion in assessing what trust paths you might
have to this uid.

In case on any problems please contact us on exim-users@exim.org
or on the IRC channel #exim at freenode.

Sorry for the release date.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]