
List:       oss-security
Subject:    Re: [oss-security] Multiple Exim4 Zero Days
From:       Alex Gaynor <alex.gaynor () gmail ! com>
Date:       2023-09-29 14:35:02
Message-ID: CAFRnB2ULCAXn6y0b5jGKqf+G11iX+CYCrH8DfraPRQfRAfCtxA () mail ! gmail ! com

Do I understand correctly that none of these are fixed upstream?

Alex

PS: I'd be remiss if I did not note that it appears that 5/6 of these
vulnerabilities have "C is not a memory safe language" as a proximate
cause.

On Fri, Sep 29, 2023 at 10:27 AM Markus Gschwendt
<office+osssecurity@runout.at> wrote:
>
> I bring this up as I have not yet seen any information here about
> several CVEs related to Exim Mailserver which were published by ZDI on
> 2023-09-27 [1]:
>
> * CVE-2023-42114 [CVSS 3.7]
> * CVE-2023-42115 [CVSS 9.8]
> * CVE-2023-42116 [CVSS 8.1]
> * CVE-2023-42117 [CVSS 8.1]
> * CVE-2023-42118 [CVSS 7.5]
> * CVE-2023-42119 [CVSS 3.1]
>
> There also seem to be issues in Exim's bug tracker related to those:
> https://bugs.exim.org/show_bug.cgi?id=2999
> https://bugs.exim.org/show_bug.cgi?id=3000
> https://bugs.exim.org/show_bug.cgi?id=3001
> https://bugs.exim.org/show_bug.cgi?id=3002
> https://bugs.exim.org/show_bug.cgi?id=3003
>
> According to ZDI the original reports were sent in June 2022.
>
> I'm wondering if somebody knows anything about mitigations and/or why
> there are still no fixes for these issues after more than a year.
>
> Markus
>
> [1] https://www.zerodayinitiative.com/advisories/published/
>     search for exim
>


-- 
All that is necessary for evil to succeed is for good people to do nothing.