Bug#1059387: exim4: CVE-2023-51766
Salvatore Bonaccorso
carnil at debian.org
Sat Dec 30 17:48:52 GMT 2023
Hi Andreas,
On Sat, Dec 30, 2023 at 03:40:42PM +0100, Andreas Metzler wrote:
> On 2023-12-24 Salvatore Bonaccorso <carnil at debian.org> wrote:
> > Source: exim4
> > Version: 4.97-2
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://bugs.exim.org/show_bug.cgi?id=3063
> [...]
> > The following vulnerability was published for exim4.
>
> > CVE-2023-51766[0]:
> > | Exim through 4.97 allows SMTP smuggling in certain configurations.
> > | Remote attackers can use a published exploitation technique to
> > | inject e-mail messages that appear to originate from the Exim
> > | server, allowing bypass of an SPF protection mechanism. This occurs
> > | because Exim supports <LF>.<CR><LF> but some other popular e-mail
> > | servers do not.
>
> Hello Salvatore,
>
> are you going to release a DSA (I can start preparing one) or should I
> aim for another stable update?
We certainly can do. We have not fully evaluated yet, but it can be
sensible that we do release via a DSA. For postfix there were enough
mitigation options to do, so that it was good enough to schedule the
update via a point release (and fasttrack still through a SUA, given
the update was a bugfix release rebase).
How is the situation for exim4? Are there similar workarounds which
can be put in place e.g. like the postfix forbid_unauth_pipelining
option?
If there is no such way for exim4 then this lowers the bar for
releasing exim4 through a DSA.
If so, will you work as well on the bullseye-security update?
Thanks as usual for your diligent work!
Regards,
Salvatore
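Added example, not part of this thread and not Exim's or Postfix's own code: a scanner over an SMTP DATA payload that compares where the RFC 5321 end-of-data sequence (<CR><LF>.<CR><LF>) ends the message with where a lenient parser that also honours the <LF>.<CR><LF> variant named in the CVE would end it; a mismatch is the parsing disagreement the advisory describes. The sample payload, the function names and the set of lenient terminators are constructed assumptions.

```python
from typing import Optional, Sequence

# RFC 5321 end of data: a line holding only "." terminated by CRLF.
STRICT_EOD = b"\r\n.\r\n"

# Non-standard terminators a lenient receiver might also accept. The first is
# the one CVE-2023-51766 names for Exim; the others are assumed variants.
LENIENT_EODS = (b"\n.\r\n", b"\r\n.\n", b"\n.\n")


def find_terminator(payload: bytes, terminators: Sequence[bytes]) -> Optional[int]:
    """Return the number of payload bytes a parser honouring `terminators`
    would accept as message body, or None if no terminator occurs."""
    # The CRLF that ended the DATA command line counts as the first CRLF of
    # the terminator, so a payload beginning with ".\r\n" is an empty message.
    buf = b"\r\n" + payload
    hits = [buf.find(t) for t in terminators]
    hits = [h for h in hits if h != -1]
    if not hits:
        return None
    return max(min(hits) - 2, 0)


def analyse_data(payload: bytes) -> dict:
    """Compare strict and lenient end-of-data positions for one DATA payload.
    `mismatch` is True when a lenient receiver stops earlier than a strict
    relay does, i.e. the two sides disagree about where the message ends."""
    strict = find_terminator(payload, (STRICT_EOD,))
    lenient = find_terminator(payload, (STRICT_EOD,) + LENIENT_EODS)
    mismatch = lenient is not None and (strict is None or lenient < strict)
    return {"strict_end": strict, "lenient_end": lenient, "mismatch": mismatch}


# Constructed sample: a strict relay forwards this as one message, while a
# receiver that accepts <LF>.<CR><LF> ends the message at byte 29 and reads
# the remaining bytes in command context.
SAMPLE = (
    b"Subject: test\r\n"
    b"\r\n"
    b"first line\r\n"
    b"\n.\r\n"          # bare-LF terminator: body text to a strict parser
    b"tail bytes\r\n"
    b".\r\n"            # RFC 5321 end of data
)

if __name__ == "__main__":
    print(analyse_data(SAMPLE))   # {'strict_end': 43, 'lenient_end': 29, 'mismatch': True}
```

Logging a mismatch at the receiving MTA (or rejecting such messages, which is what the upstream fix does) catches the condition without needing to know who relayed the message.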