[Git][security-tracker-team/security-tracker][master] Re-associate for now CVE-2023-42118 with libspf2

Salvatore Bonaccorso (@carnil) carnil at debian.org
Wed Oct 4 16:08:50 BST 2023 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c7253179 by Salvatore Bonaccorso at 2023-10-04T17:08:25+02:00
Re-associate for now CVE-2023-42118 with libspf2

The details around the CVE are still not clear, but it is sufficiently
acknowledged that it's likely an issue in libspf2 rather than exim4.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -921,13 +921,15 @@ CVE-2023-42119 [Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerabili
 	NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
 	NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023-42118 [Exim libspf2 Integer Underflow Remote Code Execution Vulnerability]
-	- exim4 <unfixed>
+	- libspf2 <unfixed>
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
 	NOTE: https://bugs.exim.org/show_bug.cgi?id=3032
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5
 	NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
 	NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
-	NOTE: From upstream: Issue is debatable for Exim4 and should be filled against libspf2.
+	NOTE: https://lists.exim.org/lurker/message/20231004.080103.8c98192c.en.html
+	NOTE: Potentially same issue as: https://github.com/shevek/libspf2/issues/45
+	NOTE: https://github.com/shevek/libspf2/pull/44
 CVE-2023-42117 [Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability]
 	- exim4 <unfixed>
 	[bookworm] - exim4 <no-dsa> (Only an issue if Exim4 run behind an untrusted proxy-protocol proxy)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c72531793faeebd8ed76ca7e0d989cc1cb55b947

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c72531793faeebd8ed76ca7e0d989cc1cb55b947
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20231004/050468f2/attachment.htm>

More information about the debian-security-tracker-commits mailing list