Bug#1059387: exim4: CVE-2023-51766

Andreas Metzler ametzler at bebt.de
Sat Dec 30 14:40:42 GMT 2023


On 2023-12-24 Salvatore Bonaccorso <carnil at debian.org> wrote:
> Source: exim4
> Version: 4.97-2
> Severity: important
> Tags: security upstream
> Forwarded: https://bugs.exim.org/show_bug.cgi?id=3063
[...]
> The following vulnerability was published for exim4.

> CVE-2023-51766[0]:
> | Exim through 4.97 allows SMTP smuggling in certain configurations.
> | Remote attackers can use a published exploitation technique to
> | inject e-mail messages that appear to originate from the Exim
> | server, allowing bypass of an SPF protection mechanism. This occurs
> | because Exim supports <LF>.<CR><LF> but some other popular e-mail
> | servers do not.

Hello Salvatore,

are you going to release a DSA (I can start preparing one) or should I
aim for another stable update?

TIA, cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
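The end-of-DATA ambiguity the quoted advisory describes, as an added example that is not part of this thread or of Exim's own code: a differential check a relay or gateway can run over a DATA payload, comparing RFC 5321's `<CR><LF>.<CR><LF>` terminator with the `<LF>.<CR><LF>` variant the advisory says Exim accepted. The sample message is constructed; the function and policy names are this example's own.

```python
from typing import Optional

STRICT_TERMINATOR = b"\r\n.\r\n"   # RFC 5321: the only valid end of DATA
BARE_LF_TERMINATOR = b"\n.\r\n"    # the variant named in the advisory


def dot_offset(payload: bytes, lenient: bool) -> Optional[int]:
    """Offset in `payload` of the '.' that ends DATA, or None if no terminator.

    `payload` is everything the client sent after the DATA command.  A CRLF is
    prepended because the DATA command line itself ended with CRLF, so a
    terminator at the very start of the payload must also be recognised.
    """
    buf = b"\r\n" + payload
    i = buf.find(STRICT_TERMINATOR)
    dot = None if i == -1 else i          # '.' is 2 bytes into the match, minus the 2 prepended
    if lenient:
        j = buf.find(BARE_LF_TERMINATOR)  # earliest <LF>.<CR><LF>, CR-preceded or not
        if j != -1 and (dot is None or j - 1 < dot):
            dot = j - 1                   # '.' is 1 byte into the match, minus the 2 prepended
    return dot


def is_smuggling_candidate(payload: bytes) -> bool:
    """True when a lenient receiver would end DATA earlier than a strict one.

    That disagreement is the smuggling condition: bytes after the bare-LF
    terminator are message body to one server and SMTP commands to another.
    """
    return dot_offset(payload, lenient=True) != dot_offset(payload, lenient=False)


def has_bare_lf(payload: bytes) -> bool:
    """RFC 5321 section 2.3.8 forbids bare LF in DATA; rejecting any bare LF
    at the gateway removes the ambiguity before the payload is relayed."""
    return b"\n" in payload.replace(b"\r\n", b"")


# Constructed sample: a first message ended by the bare-LF variant, followed by
# bytes that a lenient receiver would read as a second SMTP transaction.
SAMPLE = (b"Subject: first\r\n\r\nhello\n.\r\n"
          b"MAIL FROM:<b@example.com>\r\nDATA\r\n"
          b"Subject: second\r\n\r\nworld\r\n.\r\n")

if __name__ == "__main__":
    print("strict end:", dot_offset(SAMPLE, lenient=False))
    print("lenient end:", dot_offset(SAMPLE, lenient=True))
    print("smuggling candidate:", is_smuggling_candidate(SAMPLE))
    print("bare LF present:", has_bare_lf(SAMPLE))
```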