exim vulnearable to CVE-2023-42115 et al

  • Done
  • quality assurance status badge
Details
3 participants
  • John Kehayias
  • Ludovic Courtès
  • Wilko Meyer
Owner
unassigned
Submitted by
Wilko Meyer
Severity
normal

Debbugs page

W
W
Wilko Meyer wrote on 2 Oct 2023 03:35
(address . bug-guix@gnu.org)
87leclmhdp.fsf@wmeyer.eu
Hi Guix,

Exim currently has unpatched vulnearabilities regarding its EXTERNAL
Auth driver as well as its SPA/NTLM authenticator.

According to the project[0] prospective fixes seem to be around the
corner. We should probably bump the Exim version we ship to a
non-vulnearable version as soon as one is available.


--
Kind regards,

Wilko Meyer
w@wmeyer.eu
L
L
Ludovic Courtès wrote on 4 Oct 2023 09:06
control message for bug #66304
(address . control@debbugs.gnu.org)
87lecibcen.fsf@gnu.org
tags 66304 + security
quit
W
W
Wilko Meyer wrote on 5 Oct 2023 08:25
[PATCH] gnu: exim: Update to 4.96.1
(address . 66304@debbugs.gnu.org)(name . Wilko Meyer)(address . w@wmeyer.eu)
7c2c42679e0ec8205ce3718d988e17868e06169e.1696519379.git.w@wmeyer.eu
* gnu/packages/mail.scm (exim): Update to 4.96.1.
---
gnu/packages/mail.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

Toggle diff (39 lines)
diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 72d971eb77..e6923627f4 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -52,6 +52,7 @@
;;; Copyright © 2022 jgart <jgart@dismail.de>
;;; Copyright © 2022 ( <paren@disroot.org>
;;; Copyright © 2023 Timo Wilken <guix@twilken.net>
+;;; Copyright © 2023 Wilko Meyer <w@wmeyer.eu>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -1895,7 +1896,7 @@ (define-public msmtp
(define-public exim
(package
(name "exim")
- (version "4.96")
+ (version "4.96.1")
(source
(origin
(method url-fetch)
@@ -1909,7 +1910,7 @@ (define-public exim
(string-append "https://ftp.exim.org/pub/exim/exim4/old/"
file-name))))
(sha256
- (base32 "18ziihkpa23lybm7m2l9wp2farxw0bd5ng7xm9ylgcrfgf95d6i9"))))
+ (base32 "0g83cxkq3znh5b3r2a3990qxysw7d2l71jwcxaxzvq8pqdahgb4k"))))
(build-system gnu-build-system)
(arguments
(list #:phases

base-commit: ad5e4fe54a66c725dc03dedebf8e5c65723ccb74
prerequisite-patch-id: 5bde835de1e0f7e9cd752986da0585463713d745
prerequisite-patch-id: cda50d13de497f5c74c87b2def4ae6a7d5807305
prerequisite-patch-id: 7024afc52961b5947429f925c55265f29607c801
prerequisite-patch-id: 10a4f92340880065a5210c983cc878c98c075855
prerequisite-patch-id: e6610085f98fb881bada0bb27b59def23c3d7cc3
--
2.41.0
J
J
John Kehayias wrote on 6 Oct 2023 14:14
Re: bug#66304: exim vulnearable to CVE-2023-42115 et al
(name . Wilko Meyer)(address . w@wmeyer.eu)(address . 66304-done@debbugs.gnu.org)
87wmvz8ne9.fsf_-_@protonmail.com
Hello,

On Thu, Oct 05, 2023 at 05:25 PM, Wilko Meyer wrote:

Toggle quote (43 lines)
> * gnu/packages/mail.scm (exim): Update to 4.96.1.
> ---
> gnu/packages/mail.scm | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
> index 72d971eb77..e6923627f4 100644
> --- a/gnu/packages/mail.scm
> +++ b/gnu/packages/mail.scm
> @@ -52,6 +52,7 @@
> ;;; Copyright © 2022 jgart <jgart@dismail.de>
> ;;; Copyright © 2022 ( <paren@disroot.org>
> ;;; Copyright © 2023 Timo Wilken <guix@twilken.net>
> +;;; Copyright © 2023 Wilko Meyer <w@wmeyer.eu>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -1895,7 +1896,7 @@ (define-public msmtp
> (define-public exim
> (package
> (name "exim")
> - (version "4.96")
> + (version "4.96.1")
> (source
> (origin
> (method url-fetch)
> @@ -1909,7 +1910,7 @@ (define-public exim
> (string-append "https://ftp.exim.org/pub/exim/exim4/old/"
> file-name))))
> (sha256
> - (base32 "18ziihkpa23lybm7m2l9wp2farxw0bd5ng7xm9ylgcrfgf95d6i9"))))
> + (base32 "0g83cxkq3znh5b3r2a3990qxysw7d2l71jwcxaxzvq8pqdahgb4k"))))
> (build-system gnu-build-system)
> (arguments
> (list #:phases
>
> base-commit: ad5e4fe54a66c725dc03dedebf8e5c65723ccb74
> prerequisite-patch-id: 5bde835de1e0f7e9cd752986da0585463713d745
> prerequisite-patch-id: cda50d13de497f5c74c87b2def4ae6a7d5807305
> prerequisite-patch-id: 7024afc52961b5947429f925c55265f29607c801
> prerequisite-patch-id: 10a4f92340880065a5210c983cc878c98c075855
> prerequisite-patch-id: e6610085f98fb881bada0bb27b59def23c3d7cc3

Thanks for the patch and quickly noticing the security issues!

Pushed as add2a22ad7bcca2521432e3f486460138401d5a5 with some added
detail to the commit message. I tested that exim and a dependent builds.

John
Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 66304@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 66304
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch