Hi, [just some additional comments]
On Sat, Nov 25, 2017 at 11:34:56AM +0100, Andreas Metzler wrote:
> On 2017-11-25 Dominic Hargreaves <d...@earth.li> wrote:
> > Package: exim4
> > Version: 4.89-9
> > Severity: grave
> > Tags: security
> > Justification: remote code execution
>
> > ----- Forwarded message from Phil Pennock <p...@exim.org> -----
> [...]
> > With immediate effect, please apply this workaround: if you are running
> > Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
> > section of your Exim configuration, set:
>
> > chunking_advertise_hosts =
> [...]
> > ----- End forwarded message -----
>
> Hello,
>
> please note that Debian/stable is patched to set
> chunking_advertise_hosts =
> by default. Therefore stable users should not be affected unless they
> have locally set chunking_advertise_hosts to a nonempty value.

Ack, let's leave the severity though to grave due to the immediate issue
for unstable/experimental version.

> Also there seem to be two separate issues
> https://bugs.exim.org/show_bug.cgi?id=2199
> and
> https://bugs.exim.org/show_bug.cgi?id=2201

yes. I have explicitly associated #882648 with
https://bugs.exim.org/show_bug.cgi?id=2199 and then
https://bugs.exim.org/show_bug.cgi?id=2201 separately in the
security-tracker, cf. https://security-tracker.debian.org/exim4 (will
update it once CVEs assigned).

Regards,
Salvatore
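
An added example, not part of the original message and not Exim or Debian code: a small check of whether the quoted workaround is present in the main section of an Exim configuration. The function names and sample configurations are constructed for illustration, and the reader is simplified (it does not expand macros or follow .include lines).

```python
import re

OPTION = "chunking_advertise_hosts"

def main_section_value(config_text):
    """Return the option's value from the main section, or None if it is not set."""
    value, pending = None, ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue                      # blank line or comment
        if line.endswith("\\"):           # backslash continues the logical line
            pending += line[:-1]
            continue
        logical, pending = pending + line, ""
        if re.match(r"begin\s+\S+", logical):
            break                         # main section ends at the first "begin"
        m = re.match(OPTION + r"\s*=\s*(.*)$", logical)
        if m:
            value = m.group(1).strip()
    return value

def workaround_status(version, config_text):
    """Classify a host against the advisory text: Exim 4.88 or newer, option empty."""
    major, minor = map(int, re.match(r"(\d+)\.(\d+)", version).groups())
    if (major, minor) < (4, 88):
        return "outside-advisory-range"
    value = main_section_value(config_text)
    if value is None:
        # Depends on the build: per the thread, Debian/stable patches the default to empty.
        return "unset-depends-on-build-default"
    return "workaround-applied" if value == "" else "chunking-advertised"

# Constructed sample configurations.
SAMPLE_APPLIED = """# main section
primary_hostname = mail.example.org
chunking_advertise_hosts =
begin acl
"""
SAMPLE_LOCAL_OVERRIDE = """primary_hostname = mail.example.org
chunking_advertise_hosts = 192.0.2.0/24 : \\
    198.51.100.7
begin acl
"""
SAMPLE_UNSET = "primary_hostname = mail.example.org\nbegin acl\n"

if __name__ == "__main__":
    for name, cfg in [("applied", SAMPLE_APPLIED),
                      ("override", SAMPLE_LOCAL_OVERRIDE),
                      ("unset", SAMPLE_UNSET)]:
        print(name, workaround_status("4.89-9", cfg))
```

The "unset" result needs a follow-up check of the packaged default, since the thread notes that Debian/stable ships with the option empty while a locally set nonempty value re-enables the advertisement.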