Bug#882648: exim4: remote code execution in chunking
Salvatore Bonaccorso
carnil at debian.org
Sat Nov 25 10:41:24 UTC 2017
Hi,
[just some additional comments]
On Sat, Nov 25, 2017 at 11:34:56AM +0100, Andreas Metzler wrote:
> On 2017-11-25 Dominic Hargreaves <dom at earth.li> wrote:
> > Package: exim4
> > Version: 4.89-9
> > Severity: grave
> > Tags: security
> > Justification: remote code execution
>
> > ----- Forwarded message from Phil Pennock <pdp at exim.org> -----
> [...]
> > With immediate effect, please apply this workaround: if you are running
> > Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
> > section of your Exim configuration, set:
>
> > chunking_advertise_hosts =
> [...]
> > ----- End forwarded message -----
>
> Hello,
>
> please note that Debian/stable is patched to set
> chunking_advertise_hosts =
> by default. Therefore stable users should not be affected unless they
> have locally set chunking_advertise_hosts to a nonempty value.
Ack, let's leave the severity at grave, though, due to the immediate
issue for the unstable/experimental version.
> Also there seem to be two separate issues
> https://bugs.exim.org/show_bug.cgi?id=2199
> and
> https://bugs.exim.org/show_bug.cgi?id=2201
yes. I have explicitly associated #882648 with
https://bugs.exim.org/show_bug.cgi?id=2199 and then
https://bugs.exim.org/show_bug.cgi?id=2201 separately in the
security-tracker, cf. https://security-tracker.debian.org/exim4
(will update it once CVEs are assigned).
Regards,
Salvatore
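One way to confirm that the chunking_advertise_hosts workaround quoted above is actually in effect, as an added example that is not part of this thread and not Exim's own tooling: Exim only offers the CHUNKING (BDAT) keyword to hosts matching chunking_advertise_hosts, so once the option is empty the keyword must be absent from the EHLO reply. The script assumes an `exim` binary on PATH for the local option dump (`exim -bP chunking_advertise_hosts`), uses bash's /dev/tcp for the optional live probe (host and port are hypothetical caller-supplied arguments), and the two EHLO replies are constructed samples, not captures from any real server.

```shell
#!/bin/sh
# Added example (not from the thread or the Exim project): verify that a server
# no longer advertises CHUNKING after chunking_advertise_hosts has been emptied.

# Return 0 when the EHLO reply on stdin advertises CHUNKING. Keywords arrive as
# "250-KEYWORD" on continuation lines and "250 KEYWORD" on the final line; the
# keyword must stand alone (not a prefix of something else) and case is ignored.
ehlo_advertises_chunking() {
    grep -qiE '^250[- ]CHUNKING([[:space:]]|$)'
}

# Check the effective setting of a local Exim via its option dump.
# Expects the line "chunking_advertise_hosts = " with nothing after the "=".
local_exim_workaround_applied() {
    exim -bP chunking_advertise_hosts 2>/dev/null \
        | grep -qE '^chunking_advertise_hosts *= *$'
}

# Probe a live SMTP listener (bash only: relies on /dev/tcp). host and port are
# hypothetical arguments. Returns 0 if CHUNKING is advertised, 1 if not, 2 on
# connection failure.
probe_chunking() {
    host=$1
    port=${2:-25}
    exec 3<>"/dev/tcp/$host/$port" || return 2
    sleep 1                                   # let the 220 greeting arrive first
    printf 'EHLO probe.example.test\r\nQUIT\r\n' >&3
    reply=$(cat <&3)                          # server closes after QUIT
    exec 3<&- 3>&-
    printf '%s\n' "$reply" | ehlo_advertises_chunking
}

# Constructed sample EHLO replies (not real captures) for offline checking.
VULN_EHLO='250-mx.example.test Hello probe.example.test [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP'

SAFE_EHLO='250-mx.example.test Hello probe.example.test [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP'

# Print a verdict for a labelled reply; returns the same status as the check.
report() {
    if printf '%s\n' "$2" | ehlo_advertises_chunking; then
        echo "$1: CHUNKING advertised (workaround NOT in effect)"
        return 0
    fi
    echo "$1: CHUNKING not advertised"
    return 1
}

report "constructed vulnerable reply" "$VULN_EHLO" || true
report "constructed patched reply" "$SAFE_EHLO" || true
```

For a Debian stable host the local check should succeed out of the box, since the package ships the empty default; for a locally overridden configuration, or for the unstable/experimental packages this bug is about, a successful `probe_chunking` against the listener is the direct evidence that the workaround has not been applied.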