Bug#1053310: Fixes for stable/oldstable?

Tomas Pospisek tpo_deb at sourcepole.ch
Tue Oct 31 12:07:52 GMT 2023


Hi Salvatore,

thanks a lot for your reply (more below):

On Tue, 31 Oct 2023, Salvatore Bonaccorso wrote:

> Hi Tomas,
>
> On Tue, Oct 31, 2023 at 11:07:06AM +0100, Tomas Pospisek wrote:
>> Hello Exim maintainers,
>>
>> this ticket, asking for packages with fixes for CVE-2023-42117 and other
>> security relevant issues is closed.
>>
>> However only a package for unstable has been released:
>>
>> https://security-tracker.debian.org/tracker/CVE-2023-42117
>>
>> all other Debian releases (stable, oldstable) still seem to be carrying the
>> vulnerable Exim4 version.
>>
>> What is the status of releasing fixed Exims for Debian stable, oldstable? Is
>> anybody working on it? Is help needed?
>
> Fixes for CVE-2023-42117 and CVE-2023-42119 are right now considered
> no-dsa (see comment on the security-tracker about it), and are going
> to be fixed in the next point releases.

The notes say:

***
[bookworm] - exim4 <no-dsa> (Only an issue if Exim4 run behind an
              untrusted proxy-protocol proxy)
[bullseye] - exim4 <no-dsa> (Only an issue if Exim4 run behind an
              untrusted proxy-protocol proxy)
[buster] - exim4 <no-dsa> (Only an issue if Exim4 run behind an untrusted
            proxy-protocol proxy)
https://www.zerodayinitiative.com/advisories/ZDI-23-1471/
https://bugs.exim.org/show_bug.cgi?id=3031
https://www.openwall.com/lists/oss-security/2023/09/29/5
https://www.openwall.com/lists/oss-security/2023/10/01/4
https://exim.org/static/doc/security/CVE-2023-zdi.txt
***

So I think I can parse from those that CVE-2023-42117 is only critical
when exim is run behind an "untrusted proxy-protocol proxy".

Questions if you will:

* what does "no-dsa" mean? DSA seems to mean Debian Security Announce.
   Does it mean there is no DSA for that problem yet? What does it mean
   when a CVE is considered "no-dsa" then? That no DSA will be released for
   it?
* what is an "untrusted proxy-protocol proxy" in the context of a mail
   transport agent? So exim shouldn't be used behind an untrusted socks
   proxy? Well I have no real control who connects how to a public MTA...
   anybody can connect to it to try his luck sending me email. That
   includes untrusted socks proxies...

So to wrap up, it /seems/ that I'm probably fine; however, the details are so
terse that my assessment seems to be rather shaky...

> Does this help?

A bit. Thanks a lot!!!!

Best greetings!
*t
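The precondition in the security-tracker note quoted above ("only an issue if Exim4 run behind an untrusted proxy-protocol proxy") refers to Exim's support for the PROXY protocol, the HAProxy-style connection header that a load balancer or SMTP proxy prepends so the MTA learns the real client address. Exim only parses that header from hosts listed in its main-section `hosts_proxy` option, so the practical question for an administrator is what that option is set to. The following POSIX shell function is an added illustration of that check and is not part of this thread or of the exim4 package; `hosts_proxy` is a real Exim option, while the function name, the result labels and the configuration snippets it is fed are constructed for the example.

```shell
#!/bin/sh
# Added example: classify an Exim configuration file by its hosts_proxy setting,
# to judge whether the "behind an untrusted proxy-protocol proxy" precondition
# from the Debian security-tracker note can apply to this host.
#
# proxy_exposure CONFIG_FILE
# prints one of:
#   disabled   - hosts_proxy absent or empty: Exim never parses PROXY headers
#   restricted - hosts_proxy names explicit hosts: only those may send them
#   wide       - hosts_proxy contains a wildcard: any SMTP client may send them,
#                i.e. the precondition in the tracker note is met
proxy_exposure() {
  cfg="$1"

  # Keep only uncommented "hosts_proxy = ..." lines; the last one wins,
  # mirroring how a later assignment overrides an earlier one.
  line=$(grep -v '^[[:space:]]*#' "$cfg" \
         | grep '^[[:space:]]*hosts_proxy[[:space:]]*=' \
         | tail -n 1)

  if [ -z "$line" ]; then
    echo disabled
    return 0
  fi

  # Strip everything up to and including "=" and the following blanks.
  value=$(printf '%s\n' "$line" | sed 's/^[^=]*=[[:space:]]*//')

  case "$value" in
    "")   echo disabled ;;     # "hosts_proxy =" with no value
    *\**) echo wide ;;         # a "*" anywhere in the host list
    *)    echo restricted ;;   # explicit hosts or networks only
  esac
}

# Demonstration on a constructed configuration (not a real Debian config):
demo() {
  tmp=$(mktemp)
  printf '# hosts_proxy = *\nhosts_proxy = 192.0.2.10\n' > "$tmp"
  echo "sample config with one explicit proxy host: $(proxy_exposure "$tmp")"
  rm -f "$tmp"
}

# Uncomment to run the demonstration directly:
# demo
```

On a live Debian host, `exim4 -bP hosts_proxy` prints the effective value after the split configuration and macros have been applied, which is more reliable than grepping the files; the function above is useful when reviewing configuration snippets offline. Note that "restricted" only means the header is accepted from the listed hosts; whether those hosts are trustworthy is the judgement the tracker note leaves to the administrator.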



More information about the Pkg-exim4-maintainers mailing list