Bug#992172: exim4: CVE-2021-38371

Salvatore Bonaccorso carnil at debian.org
Sun Aug 15 08:04:46 BST 2021


Hi Andreas,

On Sun, Aug 15, 2021 at 07:21:40AM +0200, Andreas Metzler wrote:
> On 2021-08-14 Salvatore Bonaccorso <carnil at debian.org> wrote:
> > Source: exim4
> > Version: 4.94.2-7
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> 
> > Hi,
> 
> > The following vulnerability was published for exim4, this is to start
> > tracking the issue downstream for us. Note that at time of writing [2]
> > gives still a 404.
> 
> > CVE-2021-38371[0]:
> > | The STARTTLS feature in Exim through 4.94.2 allows response injection
> > | (buffering) during MTA SMTP sending.
> [...]
> 
> IIRC that is mitigated in experimental (4.95 rc) by ALPN and unknown
> command related changes, I will not be able to check in detail for a
> week or so, though.

Ack, thanks for the information. Let's wait to see what's written in the
advisory URL once it becomes public.

Thanks for your work on exim4 packages!

Regards,
Salvatore
