Qualys Security Advisory
The Return of the WIZard: RCE in Exim (CVE-2019-10149)
========================================================================
Contents
========================================================================
Summary
Local exploitation
Remote exploitation
- Non-default configurations
- Default configuration
Acknowledgm ...
Simon McVittie <smcv () debian org> (Tue 04 Jun 2019 12:22:46 CEST):
Yes, definitely.
--
Heiko ...
On 25.07.2019 21:23, Solar Designer wrote:
Thanks for the feedback, I was a bit unsure how to handle this given two
different reporters.
Indeed, moving this one into one entry and including full disclosure as
the end of the timeline changes the avg from 631 to 669 for May.
Stats updated.
--
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp: ...
Solar Designer <solar () openwall com> (Tue 04 Jun 2019 15:25:34 CEST):
I'll talk to the other devs about this.
If the distros give their OK, we're fine to release the patches to the
public sooner.
--
Heiko ...
The fix for CVE-2019-10149 is public now:
git.exim.org/exim.git
Branch exim-4_91+fixes
Thank you to:
- Qualys for reporting it
- Jeremy for fixing it
- you for using Exim
Sorry for the confusion about the public release. We were forced to react,
as details leaked.
The patch should apply cleanly to all affected version ...
On Thu, Jul 25, 2019 at 11:01:08PM +0200, Kristian Fiskerstrand wrote:
[...]
Now you have updated stats, but you've dropped all of the detail :-(
Please re-add it ASAP.
Alexander ...
Hi,
On Thu, Jul 25, 2019 at 08:54:55PM +0200, Kristian Fiskerstrand wrote:
You have two entries for Exim CVE-2019-10149, which is wrong. Also,
some of the dates are wrong (e.g., the date of Exim's pre-announcement
to oss-security is irrelevant). Please combine this into one entry and
update the dates. I guess the range of dates should be from ...
CVE-2019-10149 Exim 4.87 to 4.91
================================
We received a report of a possible remote exploit. Currently there is no
evidence of an active use of this exploit.
A patch exists already, is being tested, and backported to all
versions we released since (and including) 4.87.
The severity depends on your configuration. It dep ...
Qualys Security Advisory
21Nails: Multiple vulnerabilities in Exim
========================================================================
Contents
========================================================================
Summary
Local vulnerabilities
- CVE-2020-28007: Link attack in Exim's log directory
- CVE-2020-28008: Assorted attacks in Ex ...
On Mon, Jun 03, 2019 at 10:19:23PM +0200, Heiko Schlittermann wrote:
I guess I wasn't the only one wondering how revealing this is, so:
$ diff -urwx doc exim-4.91 exim-4.92 | diffstat -s
131 files changed, 6898 insertions(+), 4395 deletions(-)
$ diff -urwx doc exim-4.91 exim-4.92 | wc
27635 114347 935620
exim-4.92/doc/ChangeLog lists tens ...
Hi,
our non-public security Git repo is
ssh://git () git.exim.org/exim.git
Access is granted to the known and trusted SSH keys we have.
The branch fix-CVE-2019-10149 contains the fix. It is one commit ahead
of the exim-4_91+fixes branch and we'll eventually merge it into the
+fixes branch.
The relevant commit is d740d2111f189760593a303124f ...
Hi all,
On Wed, Jun 05, 2019 at 05:19:44PM +0200, Heiko Schlittermann wrote:
As per the distros list policy:
Below is an abridged version of our advisory (with all the vulnerability
details, but without exploitation details); we will publish the complete
version in 24 hours, or as soon as third-party exploits are published,
whichever happens fi ...
We will publish the fix today, 2019-06-05 15:15 UTC, on the exim-4_91+fixes branch of our public Git repo git.exim.org.
Distros can release their packages by that date.
Sorry for the inconvenience.
--
Heiko Schlittermann (unterwegs) ...
On Mon, 03 Jun 2019 at 22:19:23 +0200, Heiko Schlittermann wrote:
Was t0+7d meant to be 2019-06-11?
smcv ...