* One issue is related to data received from a proxy-protocol proxy. If
you do not use a proxy in front of Exim, you're not affected. If your
- proxy is trustworthy, you're not affected. We're working on a fix.
+ proxy is trustworthy, you're not affected. This issue is fixed.
* One is related to libspf2. If you do not use the `spf` lookup type or
the `spf` ACL condition, you are not affected.
* The last one is related to DNS lookups. If you use a trustworthy
resolver (which does validation of the data it receives), you're not
- affected. We're working on a fix.
+ affected. This issue is fixed.
-Schedule
+Timeline
--------
-The available fixes will be published on Monday, Oct 2nd, 12:00 UTC.
-A security release exim-4.96.1 will be published at the same time.
+- 2023-10-03 12:00 UTC
+ - The available fixes are published.
+ - A security release exim-4.96.1 is published.
+ - The major distributions follow.
+
+- 2023-10-15 15:45 UTC
+ - Security release exim-4.96.2 is published (sources only)
+ - Distros will follow.
Distribution points:
--------------------
- git://git.exim.org
- branches:
- - spa-auth-fixes (based on the current master) [commit IDs: 7bb5bc2c6 0519dcfb5 e17b8b0f1 04107e98d]
- - exim-4.96+security (based on exim-4.96) [gpg signed]
- - exim-4.96.1+fixes (based on exim-4.96.1 with the fixes from exim-4.96+fixes) [gpg signed]
- tags:
- - exim-4.96.1 [gpg signed]
+ - tag exim-4.96.2 (based on exim-4.96) [gpg signed]
+ - branch exim-4.96.2+fixes (based on exim-4.96.2 with the fixes from exim-4.96+fixes) [gpg signed]
-- tarballs for exim-4.96.1: https://ftp.exim.org/pub/exim/exim4/ [gpg signed]
+- tarballs for exim-4.96.2: https://ftp.exim.org/pub/exim/exim4/ [gpg signed]
GPG signatures are made by me (hs@schlittermann.de, or Jeremy Harris
jgh@wizmail.org).
CVSS Score: 3.7
Mitigation: Do not use SPA (NTLM) authentication
Subsystem: SPA auth
-Fixed: 04107e98d, 4.96.1, 4.97
+Fixed: 04107e98d, >= 4.96.1, 4.97
ZDI-23-1469 | ZDI-CAN-17434 | CVE-2023-42115 | Exim bug 2999
------------------------------------------------------------
CVSS Score: 9.8
Mitigation: Do not offer EXTERNAL authentication.
Subsystem: EXTERNAL auth
-Fixed: 7bb5bc2c6, 4.96.1, 4.97
+Fixed: 7bb5bc2c6, >= 4.96.1, 4.97
ZDI-23-1470 | ZDI-CAN-17515 | CVE-2023-42116 | Exim bug 3000
------------------------------------------------------------
CVSS Score: 8.1
Mitigation: Do not use SPA (NTLM) authentication
Subsystem: SPA auth
-Fixed: e17b8b0f1, 4.96.1, 4.97
+Fixed: e17b8b0f1, >= 4.96.1, 4.97
ZDI-23-1471 | ZDI-CAN-17554 | CVE-2023-42117 | Exim Bug 3031
-------------------------------------------------------------
CVSS Score: 8.1
Mitigation: Do not use Exim behind an untrusted proxy-protocol proxy
Subsystem: proxy protocol (not socks!)
-Fix: not yet
+Fix: a355463cf, >= 4.96.2, 4.97
ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
------------------------------------------------------------
CVSS Score: 7.5
Mitigation: Do not use the `spf` condition in your ACL
Subsystem: spf
-Remark: It is debatable if this should be filed against
- libspf2. There are hints (simon, #Exim IRC) that this
- is related to
- https://github.com/shevek/libspf2/pull/44
+Remark: This CVE should be filed against libspf2.
+ See: https://github.com/shevek/libspf2/issues/45
ZDI-23-1473 | ZDI-CAN-17643 | CVE-2023-42119 | Exim Bug 3033
------------------------------------------------------------
Mitigation: Use a trustworthy DNS resolver which is able to
validate the data according to the DNS record types.
Subsystem: dns lookups
-Fix: not yet
-Remark: It is still under consideration.
-
+Fix: f6b1f8e7d, >= 4.96.2, 4.97
git://git.exim.org / exim-website.git / blobdiff