Bug#992172: exim4: CVE-2021-38371
Salvatore Bonaccorso
carnil at debian.org
Wed Mar 15 19:49:01 GMT 2023
Hello Andreas and Moritz,
On Wed, Mar 15, 2023 at 05:18:15PM +0100, Moritz Mühlenhoff wrote:
> Am Sun, Aug 15, 2021 at 07:21:40AM +0200 schrieb Andreas Metzler:
> > On 2021-08-14 Salvatore Bonaccorso <carnil at debian.org> wrote:
> > > Source: exim4
> > > Version: 4.94.2-7
> > > Severity: important
> > > Tags: security upstream
> > > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> >
> > > Hi,
> >
> > > The following vulnerability was published for exim4, this is to start
> > > tracking the issue downstream for us. Note that at time of writing [2]
> > > gives still a 404.
> >
> > > CVE-2021-38371[0]:
> > > | The STARTTLS feature in Exim through 4.94.2 allows response injection
> > > | (buffering) during MTA SMTP sending.
> > [...]
> >
> > IIRC that is mitigated in experimental (4.95 rc) by ALPN and unkown
> > command related changes, I will not be able to check in detail for a
> > week or so, though.
>
> Do you know if this is fixed in 4.96/bookworm?
Looks the planned advisory at
https://www.exim.org/static/doc/security/CVE-2021-38371.txt is not
online.
Looping in as well Heiko Schlittermann. Heiko, can you share details
on fixes?
Regards,
Salvatore
More information about the Pkg-exim4-maintainers
mailing list