GNU bug report logs

#66304 exim vulnerable to CVE-2023-42115 et al

Package: guix

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Wilko Meyer <w@wmeyer.eu>
To: bug-guix@gnu.org
Subject: exim vulnerable to CVE-2023-42115 et al
Date: Mon, 02 Oct 2023 12:35:20 +0200
Message-ID: <87leclmhdp.fsf@wmeyer.eu>
Content-Type: text/plain

Hi Guix,

Exim currently has unpatched vulnerabilities regarding its EXTERNAL
Auth driver as well as its SPA/NTLM authenticator.

According to the project[0] prospective fixes seem to be around the
corner. We should probably bump the Exim version we ship to a
non-vulnerable version as soon as one is available.

[0]: https://www.exim.org/static/doc/security/CVE-2023-zdi.txt

-- 
Kind regards,

Wilko Meyer
w@wmeyer.eu






debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:10:20 2024; Machine Name: wallace-server
