Vulmon
<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Solar Designer <solar () openwall com>
Date: Tue, 4 Jun 2019 15:25:34 +0200
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On Mon, Jun 03, 2019 at 10:19:23PM +0200, Heiko Schlittermann wrote:
CVE-2019-10149 Exim 4.87 to 4.91
================================
We received a report of a possible remote exploit. Currently there is no
evidenice of an active use of this exploit.
A patch exists already, is being tested, and backported to all
versions we released since (and including) 4.87.
The severity depends on your configuration. It depends on how close to
the standard configuration your Exim runtime configuration is. The
closer the better.
Exim 4.92 is not vulnerable.
I guess I wasn't the only one wondering how revealing this is, so:
$ diff -urwx doc exim-4.91 exim-4.92 | diffstat -s
131 files changed, 6898 insertions(+), 4395 deletions(-)
$ diff -urwx doc exim-4.91 exim-4.92 | wc
27635 114347 935620
exim-4.92/doc/ChangeLog lists tens of changes.
Exim 4.92 appears to have been released in February, when the security
issue referred to here was not yet known as such, so this wasn't a
deliberate decision to release the fix publicly yet keep it unmentioned.
Keeping the issue in this semi-public state for 7 days feels weird to
me, but given the above it doesn't look too unrealistic that the issue
won't be rediscovered during this time period. (The risk of leaks is
probably higher.) It'd be curious if someone ends up discovering a
different and yet unknown security issue by reading that diff. ;-)
Alexander
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit Heiko Schlittermann (Jun 04)
Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit Simon McVittie (Jun 04)
Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit Heiko Schlittermann (Jun 04)
Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit Heiko Schlittermann (Jun 04)
Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit Solar Designer (Jun 04)
Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit Heiko Schlittermann (Jun 04)
Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit Heiko Schlittermann (Jun 05)
Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit Heiko Schlittermann (Jun 05)
Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit Qualys Security Advisory (Jun 05)
Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit Qualys Security Advisory (Jun 06)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->