Your message dated Tue, 28 Nov 2017 19:19:00 +0000
with message-id <e1ejlpi-000htd...@fasolo.debian.org>
and subject line Bug#882648: fixed in exim4 4.89-12
has caused the Debian Bug report #882648,
regarding exim4: CVE-2017-16943: use-after-free vulnerability while reading mail header
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882648: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882648
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: exim4
Version: 4.89-9
Severity: grave
Tags: security
Justification: remote code execution

Source: https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html

----- Forwarded message from Phil Pennock <p...@exim.org> -----

Date: Fri, 24 Nov 2017 22:48:42 -0500
From: Phil Pennock <p...@exim.org>
To: exim-annou...@exim.org
Subject: [exim-announce] Critical Exim Security Vulnerability: disable chunking
Reply-To: exim-announce-ow...@exim.org

Folks,

A remote code execution vulnerability has been reported in Exim, with
immediate public disclosure (we were given no private notice).
A tentative patch exists but has not yet been confirmed.

With immediate effect, please apply this workaround: if you are running
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
section of your Exim configuration, set:

  chunking_advertise_hosts =

That's an empty value, nothing on the right of the equals.  This
disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoids letting an attacker apply the logic.

This should be a complete workaround.  Impact of applying the workaround
is that mail senders have to stick to the traditional DATA verb instead
of using BDAT.

We've requested CVEs.  More news will be forthcoming as we get this
worked out.

-Phil



-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-announce Exim details at http://www.exim.org/ ##


----- End forwarded message -----

--- End Message ---
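The announcement above tells administrators to empty `chunking_advertise_hosts` so that Exim stops advertising the ESMTP CHUNKING extension. The natural way to confirm the workaround took effect is to look at the server's EHLO reply and check that the CHUNKING keyword is gone. The following script is an added example, not part of the Debian bug report or of the Exim announcement: it parses a multi-line EHLO reply into its extension keywords and reports whether CHUNKING is present, and it can also run the same check against a live server with the standard-library `smtplib`. The two sample EHLO replies and the hostnames in them are constructed placeholders, not output from any real server.

```python
"""Verify that an SMTP server no longer advertises CHUNKING.

Added example (not code from the bug report or from the Exim project).
After `chunking_advertise_hosts =` (empty) is set in Exim's main
configuration, CHUNKING should disappear from the EHLO reply; this
script checks exactly that.  Sample replies below are constructed.
"""
import smtplib
import sys


def parse_ehlo_extensions(reply: str) -> dict:
    """Parse a multi-line EHLO reply (RFC 5321, section 4.1.1.1).

    Returns a mapping of EHLO keyword (upper-cased) -> parameter string.
    The first 250 line carries the server's domain and is skipped; every
    further line is '250-KEYWORD [params]', and the final line uses a
    space instead of the hyphen: '250 KEYWORD [params]'.
    """
    extensions = {}
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    for idx, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250"):
            raise ValueError(f"not a 250 EHLO reply line: {line!r}")
        sep = line[3]
        if sep not in ("-", " "):
            raise ValueError(f"bad separator in EHLO line: {line!r}")
        if idx == 0:
            continue  # greeting line: server domain plus free text
        keyword, _, params = line[4:].partition(" ")
        extensions[keyword.upper()] = params  # keywords are case-insensitive
        if sep == " ":
            break  # '250 ' marks the last line of the reply
    return extensions


def chunking_advertised(reply: str) -> bool:
    """True if the EHLO reply offers the CHUNKING extension (BDAT verb)."""
    return "CHUNKING" in parse_ehlo_extensions(reply)


# Constructed sample replies; mx.example.test is a placeholder hostname.
EHLO_BEFORE_WORKAROUND = (
    "250-mx.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_AFTER_WORKAROUND = (
    "250-mx.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def check_live_server(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Send EHLO to a real server and report whether CHUNKING is advertised.

    smtplib stores EHLO keywords lower-cased, which has_extn() expects.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO failed with code {code}")
        return smtp.has_extn("chunking")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python3 check_chunking.py <host> [port]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        state = "advertised" if check_live_server(host, port) else "not advertised"
        print(f"{host}:{port} CHUNKING {state}")
    else:
        for label, reply in (("before", EHLO_BEFORE_WORKAROUND),
                             ("after", EHLO_AFTER_WORKAROUND)):
            print(f"{label} workaround: CHUNKING advertised = "
                  f"{chunking_advertised(reply)}")
```

Run with no arguments to see the parser applied to the two constructed replies, or pass a hostname (and optionally a port) to query your own server after reloading Exim; a result of "not advertised" means the BDAT verb is no longer offered, which is the effect the announcement describes.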
--- Begin Message ---
Source: exim4
Source-Version: 4.89-12

We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametz...@debian.org> (supplier of updated exim4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Nov 2017 20:04:23 +0100
Source: exim4
Binary: exim4-base exim4-config exim4-daemon-light exim4 exim4-daemon-heavy eximon4 exim4-dev
Architecture: source
Version: 4.89-12
Distribution: unstable
Urgency: high
Maintainer: Exim4 Maintainers <pkg-exim4-maintain...@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametz...@debian.org>
Closes: 882648
Description: 
 exim4-base - support files for all Exim MTA (v4) packages
 exim4-config - configuration for the Exim MTA (v4)
 exim4-daemon-heavy - Exim MTA (v4) daemon with extended features, including exiscan-acl
 exim4-daemon-light - lightweight Exim MTA (v4) daemon
 exim4-dev  - header files for the Exim MTA (v4) packages
 exim4      - metapackage to ease Exim MTA (v4) installation
 eximon4    - monitor application for the Exim MTA (v4) (X11 interface)
Changes:
 exim4 (4.89-12) unstable; urgency=high
 .
   * Sync with exim-4_89+fixes branch:
     + 75_fixes_19-Fix-mariadb-mysql-macro-confusion.patch
     + 75_fixes_20-Avoid-release-of-store-if-there-have-been-later-allo.patch
       Closes: #882648 (use-after-free, remote-code-execution) CVE-2017-16943
   * Update EDITME* for 75_fixes_19-Fix-mariadb-mysql-macro-confusion.patch.
Checksums-Sha1: 
 28e25489f1900615418390397fbf0cb00cb70cca 2837 exim4_4.89-12.dsc
 45f156d5009f5492025d9d17fdb370af45974b03 472392 exim4_4.89-12.debian.tar.xz
Checksums-Sha256: 
 c662c771675c96a19d026fbdc4f3be792059207de62422e48fdfd504c9cf0ce0 2837 exim4_4.89-12.dsc
 ee2efc681a80d9aef0f22a4a61a4c607f9c7c0b6b33b83b9f202cf71b6af3856 472392 exim4_4.89-12.debian.tar.xz
Files: 
 9000d3ef1241d4accb0bc441608b849a 2837 mail standard exim4_4.89-12.dsc
 39d06f816bfd44d419967f6eca6d8087 472392 mail standard exim4_4.89-12.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---