[Git][security-tracker-team/security-tracker][master] 4 commits: Reference upstream fixes for exim4

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Oct 3 03:27:04 BST 2023



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2b174717 by Salvatore Bonaccorso at 2023-10-03T04:25:32+02:00
Reference upstream fixes for exim4

- - - - -
60dc8ac1 by Salvatore Bonaccorso at 2023-10-03T04:26:14+02:00
Track fixed version for three exim4 issues

- - - - -
dc6cf70a by Salvatore Bonaccorso at 2023-10-03T04:26:18+02:00
Add references to exim4 upstream details

- - - - -
87aac031 by Salvatore Bonaccorso at 2023-10-03T04:26:18+02:00
Reserve DSA number for exim4 update

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -510,12 +510,14 @@ CVE-2023-42119 [Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerabili
 	NOTE: https://bugs.exim.org/show_bug.cgi?id=3033
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
 	NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
+	NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023-42118 [Exim libspf2 Integer Underflow Remote Code Execution Vulnerability]
 	- exim4 <unfixed>
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
 	NOTE: https://bugs.exim.org/show_bug.cgi?id=3032
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
 	NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
+	NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 	NOTE: From upstream: Issue is debatable for Exim4 and should be filled against libspf2.
 CVE-2023-42117 [Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability]
 	- exim4 <unfixed>
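Review bot: the CVE-2023-42118 entry gains the upstream CVE-2023-zdi.txt reference, but its existing NOTE records that upstream considers the issue debatable for Exim4 and wants it filed against libspf2, while the entry still carries only `- exim4 <unfixed>` with no libspf2 tracking line. Consider adding a libspf2 entry or recording the decision (for example a reason why it stays against exim4) so the unfixed state here does not go stale. The same NOTE also has a typo: `should be filled against libspf2` should read `should be filed against libspf2`.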
@@ -526,25 +528,32 @@ CVE-2023-42117 [Exim Improper Neutralization of Special Elements Remote Code Exe
 	NOTE: https://bugs.exim.org/show_bug.cgi?id=3031
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
 	NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
+	NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023-42116 [Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability]
-	- exim4 <unfixed>
+	- exim4 4.97~RC1-2
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1470/
 	NOTE: https://bugs.exim.org/show_bug.cgi?id=3000
+	NOTE: https://git.exim.org/exim.git/log/refs/heads/exim-4.96%20security/exim.git/commit/936e342d560e218c2aee5cb2295be925c27c2106
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
 	NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
+	NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023-42115 [Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability]
-	- exim4 <unfixed>
+	- exim4 4.97~RC1-2
 	[buster] - exim4 <not-affected> (External authenticator support was introduced later)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1469/
 	NOTE: https://bugs.exim.org/show_bug.cgi?id=2999
+	NOTE: https://git.exim.org/exim.git/log/refs/heads/exim-4.96%20security/exim.git/commit/955f1203c15be96fa84b5331fa2a5cb2e556b9a9
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
 	NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
+	NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023-42114 [Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability]
-	- exim4 <unfixed>
+	- exim4 4.97~RC1-2
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1468/
 	NOTE: https://bugs.exim.org/show_bug.cgi?id=3001
+	NOTE: https://git.exim.org/exim.git/log/refs/heads/exim-4.96%20security/exim.git/commit/ccf9816f54fb04ab5508eb8c7f00b08bc3531297
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
 	NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
+	NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023-40476 [Integer overflow in H.265 video parser leading to stack overwrite]
 	- gst-plugins-bad1.0 <unfixed> (bug #1053259)
 	- gst-plugins-bad0.10 <removed>
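Review bot: the three new upstream commit references (for CVE-2023-42116, CVE-2023-42115 and CVE-2023-42114) look malformed: each fuses a branch-log path with a commit path, e.g. `https://git.exim.org/exim.git/log/refs/heads/exim-4.96%20security/exim.git/commit/936e342d560e218c2aee5cb2295be925c27c2106`. Please check that these resolve; the plain gitweb commit form `https://git.exim.org/exim.git/commit/936e342d560e218c2aee5cb2295be925c27c2106` is likely what was intended, and the `%20` (a space) in the branch name looks wrong as well, since the upstream security branch is named `exim-4.96+security`. The same applies to the 955f1203 and ccf9816f references.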


=====================================
data/DSA/list
=====================================
@@ -1,3 +1,7 @@
+[02 Oct 2023] DSA-5512-1 exim4 - security update
+	{CVE-2023-42114 CVE-2023-42115 CVE-2023-42116}
+	[bullseye] - exim4 4.94.2-7+deb11u1
+	[bookworm] - exim4 4.96-15+deb12u2
 [01 Oct 2023] DSA-5511-1 mosquitto - security update
 	{CVE-2021-34434 CVE-2023-0809 CVE-2023-3592 CVE-2023-28366}
 	[bullseye] - mosquitto 2.0.11-1+deb11u1


=====================================
data/dsa-needed.txt
=====================================
@@ -19,8 +19,6 @@ cacti
 --
 cinder/oldstable
 --
-exim4 (carnil)
---
 gpac/oldstable (jmm)
 --
 gst-plugins-bad1.0 (carnil)
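Review bot: dropping `exim4 (carnil)` from dsa-needed.txt matches DSA-5512-1 covering CVE-2023-42114, CVE-2023-42115 and CVE-2023-42116, but data/CVE/list in this same push still leaves CVE-2023-42117, CVE-2023-42118 and CVE-2023-42119 as `- exim4 <unfixed>` with no upstream fix commit referenced. Either keep an exim4 entry here with a note that the remaining three await upstream fixes, or annotate those CVE entries (no-dsa or postponed, with a reason) so the tracker does not lose sight of them.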



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9b9ab4e5e605c4e60feb8dc63dbc1680e1d58e5f...87aac03100b71174e950aa831d1428c9c220f85b





More information about the debian-security-tracker-commits mailing list