[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2023-41115,exim4: Buster is not affected

Markus Koschany (@apo) apo at debian.org
Tue Oct 3 01:38:34 BST 2023



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2e81fdd4 by Markus Koschany at 2023-10-03T02:37:46+02:00
CVE-2023-41115,exim4: Buster is not affected

The external authenticator support was introduced later.

https://git.exim.org/exim.git/commit/c4a8c663b74a35b547d8320547079ca56b3b772e

- - - - -
e21481ea by Markus Koschany at 2023-10-03T02:37:47+02:00
Triage CVE-2023-42117,CVE-2023-42119,exim4 as no dsa for Buster

Minor issues

- - - - -
9b9ab4e5 by Markus Koschany at 2023-10-03T02:37:47+02:00
Reserve DLA-3599-1 for exim4

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -505,6 +505,7 @@ CVE-2023-42119 [Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerabili
 	- exim4 <unfixed>
 	[bookworm] - exim4 <no-dsa> (Minor issue; use Exim4 with a trustworthy DNS resolver able to validate the data according to the DNS record types)
 	[bullseye] - exim4 <no-dsa> (Minor issue; use Exim4 with a trustworthy DNS resolver able to validate the data according to the DNS record types)
+	[buster] - exim4 <no-dsa> (Minor issue; use Exim4 with a trustworthy DNS resolver able to validate the data according to the DNS record types)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1473/
 	NOTE: https://bugs.exim.org/show_bug.cgi?id=3033
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
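Review bot: the buster rationale on the added line is copied verbatim from the bullseye/bookworm lines and describes a deployment mitigation (run exim4 behind a trusted, validating resolver), not a property of the package, so the entry is correctly <no-dsa> rather than <not-affected>; since bugs.exim.org 3033 is already linked as a NOTE, add the upstream fix commit as a further NOTE once it exists so the buster decision can be revisited when a backportable fix is available. If any of the three rationale strings is reworded, keep all three identical.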
@@ -520,6 +521,7 @@ CVE-2023-42117 [Exim Improper Neutralization of Special Elements Remote Code Exe
 	- exim4 <unfixed>
 	[bookworm] - exim4 <no-dsa> (Only an issue if Exim4 run behind an untrusted proxy-protocol proxy)
 	[bullseye] - exim4 <no-dsa> (Only an issue if Exim4 run behind an untrusted proxy-protocol proxy)
+	[buster] - exim4 <no-dsa> (Only an issue if Exim4 run behind an untrusted proxy-protocol proxy)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1471/
 	NOTE: https://bugs.exim.org/show_bug.cgi?id=3031
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
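Review bot: before settling on <no-dsa> here, confirm that the buster exim4 build (4.92-8+deb10u8 per the DLA entry in this push) actually includes proxy-protocol support; if it does not, the line should be <not-affected> with a rationale, as done for CVE-2023-42115 further down in this file, rather than a mitigation that cannot apply. Minor wording point in the copied rationale: "if Exim4 run behind" should read "runs", in all three release lines.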
@@ -532,6 +534,7 @@ CVE-2023-42116 [Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Exec
 	NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
 CVE-2023-42115 [Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability]
 	- exim4 <unfixed>
+	[buster] - exim4 <not-affected> (External authenticator support was introduced later)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1469/
 	NOTE: https://bugs.exim.org/show_bug.cgi?id=2999
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
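Review bot: the justification "External authenticator support was introduced later" is only verifiable through the upstream commit cited in the commit message (https://git.exim.org/exim.git/commit/c4a8c663b74a35b547d8320547079ca56b3b772e); add that URL as a NOTE line under the CVE entry, next to the ZDI and bugs.exim.org links, so the <not-affected> claim can be checked from data/CVE/list without consulting the git history.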


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[02 Oct 2023] DLA-3599-1 exim4 - security update
+	{CVE-2023-42114 CVE-2023-42116}
+	[buster] - exim4 4.92-8+deb10u8
 [01 Oct 2023] DLA-3598-1 libvpx - security update
 	{CVE-2023-5217 CVE-2023-44488}
 	[buster] - libvpx 1.7.0-3+deb10u2
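Review bot: the reserved DLA covers CVE-2023-42114 and CVE-2023-42116 only, while CVE-2023-42117 and CVE-2023-42119 are triaged <no-dsa> for buster in data/CVE/list in the same push; make sure the DLA text states that those two remain unfixed in 4.92-8+deb10u8 (with the proxy-protocol and DNS-resolver mitigations from the tracker rationales), so buster users do not read the update as addressing the whole Exim batch. Also check that the 02 Oct 2023 date on the entry matches the date the DLA is actually sent, since the commit itself is timestamped 2023-10-03.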


=====================================
data/dla-needed.txt
=====================================
@@ -60,9 +60,6 @@ dogecoin
   NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
   NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk)
 --
-exim4 (Markus Koschany)
-  NOTE: 20230928: Added by Front-Desk (ola)
---
 freeimage (gladk)
   NOTE: 20230826: Added by Front-Desk (utkarsh)
   NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ab624e7ba25919b37cdf4d30fa60790c6b7c4fbc...9b9ab4e5e605c4e60feb8dc63dbc1680e1d58e5f
