From e39f19e031fc0a8df547823725c77af22d6b27c9 Mon Sep 17 00:00:00 2001
From: "Heiko Schlittermann (HS12-RIPE)"
Date: Sat, 28 Sep 2019 23:17:41 +0200
Subject: [PATCH] Docs: Update CVE text about the 4.92.3 release CVE-2019-16928
---
 doc/doc-txt/cve-2019-16928/cve.txt | 63 ++++++++++++------------------
 1 file changed, 24 insertions(+), 39 deletions(-)
diff --git a/doc/doc-txt/cve-2019-16928/cve.txt b/doc/doc-txt/cve-2019-16928/cve.txt
index 873b69c34..3a79460e1 100644
--- a/doc/doc-txt/cve-2019-16928/cve.txt
+++ b/doc/doc-txt/cve-2019-16928/cve.txt
@@ -29,42 +29,27 @@ There is - beside updating the server - no known mitigation.
 
 Fix
 ===
-We plan to publish a new security release (*will* be 4.92.3) of Exim
-during the next 48 hours, ideally before monday 8.00 UTC. (We're still
-running regression tests.)
-
-Distros may have already picked the patch mentioned below and may have
-already released a fixed version. Please check your distribution's
-changelogs.
-
-If you can't wait, please use use our git repository http://git.exim.org/exim.git,
-checkout the branch exim-4.92.2+fixes and use the commit 478effbfd9c3cc5a627fc671d4bf94d13670d65f
-
-A direct link to the commit is:
-https://git.exim.org/exim.git/patch/478effbfd9c3cc5a627fc671d4bf94d13670d65f
-
-which basically does:
-
---- a/src/src/string.c
-+++ b/src/src/string.c
-@@ -1132,7 +1132,7 @@ store_reset(g->s + (g->size = g->ptr + 1));
- Arguments:
- g the growable-string
- p current end of data
-- count amount to grow by
-+ count amount to grow by, offset from p
- */
-
- static void
-@@ -1590,7 +1590,7 @@ while (*fp)
- }
- else if (g->ptr >= lim - width)
- {
-- gstring_grow(g, g->ptr, width - (lim - g->ptr));
-+ gstring_grow(g, g->ptr, width);
- lim = g->size - 1;
- gp = CS g->s + g->ptr;
- }
-
-
-We thank you for using Exim.
+Download and build the fixed version 4.92.3
+
+ Tarballs: https://ftp.exim.org/pub/exim/exim4/
+ Git: https://github.com/Exim/exim.git
+ - tag exim-4.92.3
+ - branch exim-4.92.3+fixes
+
+The tagged commit is the officially released version. The +fixes branch
+isn't officially maintained, but contains the security fix *and* useful
+fixes.
+
+If you can't install the above versions, ask your package maintainer for
+a version containing the backported fix. On request and depending on our
+resources we will support you in backporting the fix. (Please note,
+the Exim project officially doesn't support versions prior the current
+stable version.)
+
+Timeline
+=========
+
+- 2019-09-27 Report as Bug 2499
+- 2019-09-28 Announcement to exim-maintainers, oss-security
+- 2019-09-28 Release 4.92.3, Release-Announcements to
+ exim-{announce,users,maintainers}, oss-security
-- 
2.30.2