Your message dated Fri, 01 Dec 2017 18:33:50 +0000
with message-id <e1ekq8e-000drp...@fasolo.debian.org>
and subject line Bug#882648: fixed in exim4 4.90~RC3-1
has caused the Debian Bug report #882648,
regarding exim4: CVE-2017-16943: use-after-free vulnerability while reading mail header
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
882648: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882648
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: exim4
Version: 4.89-9
Severity: grave
Tags: security
Justification: remote code execution
Source: https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html
----- Forwarded message from Phil Pennock <p...@exim.org> -----
Date: Fri, 24 Nov 2017 22:48:42 -0500
From: Phil Pennock <p...@exim.org>
To: exim-annou...@exim.org
Subject: [exim-announce] Critical Exim Security Vulnerability: disable chunking
Reply-To: exim-announce-ow...@exim.org
Folks,
A remote code execution vulnerability has been reported in Exim, with
immediate public disclosure (we were given no private notice).
A tentative patch exists but has not yet been confirmed.
With immediate effect, please apply this workaround: if you are running
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
section of your Exim configuration, set:
chunking_advertise_hosts =
That's an empty value, nothing on the right of the equals. This
disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoiding letting an attacker apply the logic.
This should be a complete workaround. Impact of applying the workaround
is that mail senders have to stick to the traditional DATA verb instead
of using BDAT.
We've requested CVEs. More news will be forthcoming as we get this
worked out.
-Phil
--
## List details at https://lists.exim.org/mailman/listinfo/exim-announce Exim details at http://www.exim.org/ ##
----- End forwarded message -----
--- End Message ---
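The workaround in the forwarded announcement is to stop Exim advertising CHUNKING so that BDAT is never offered. The following Python script is an added example, not part of the bug report or of Exim itself, showing two defender-side checks for that workaround: one parses a captured EHLO reply and reports whether CHUNKING is still advertised, the other inspects an Exim main-section configuration and reports whether chunking_advertise_hosts has been set to an empty value. The hostnames, addresses, EHLO replies and configuration fragments are constructed for illustration, and the function names are this example's own; the optional live check uses only smtplib's standard ehlo()/has_extn() calls.

```python
"""Checks for the CVE-2017-16943 workaround (chunking_advertise_hosts =).

Added example; not code from the Debian bug report or from Exim.
All sample data below is constructed.
"""
import re
import smtplib

# Constructed EHLO reply from a server that still advertises CHUNKING.
EHLO_WITH_CHUNKING = (
    "250-mail.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

# Constructed EHLO reply from the same server after the workaround.
EHLO_WITHOUT_CHUNKING = (
    "250-mail.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def ehlo_extensions(response: str) -> list[str]:
    """Return the ESMTP extension keywords from a multi-line 250 reply.

    Continuation lines look like '250-KEYWORD [params]'; the final line is
    '250 KEYWORD'. The first line is the server greeting, not an extension,
    so it is skipped. Keywords are case-insensitive, so they are upper-cased.
    """
    keywords = []
    lines = [ln for ln in response.splitlines() if ln.strip()]
    for line in lines[1:]:
        m = re.match(r"250[- ](\S+)", line)
        if m:
            keywords.append(m.group(1).upper())
    return keywords


def chunking_advertised(response: str) -> bool:
    """True if CHUNKING (and therefore the BDAT verb) is advertised."""
    return "CHUNKING" in ehlo_extensions(response)


# Constructed Exim main-section fragments. The first leaves the option unset,
# so Exim's built-in default applies; the second applies the workaround.
CONFIG_DEFAULT = """\
primary_hostname = mail.example.test
# chunking_advertise_hosts not set here
acl_smtp_rcpt = acl_check_rcpt
"""

CONFIG_WORKAROUND = """\
primary_hostname = mail.example.test
chunking_advertise_hosts =
acl_smtp_rcpt = acl_check_rcpt
"""


def workaround_applied(config_text: str) -> bool:
    """True only if chunking_advertise_hosts is explicitly set to an empty value.

    An absent option counts as NOT applied: the announcement's workaround is
    to set the option to an empty value, and leaving it unset keeps whatever
    the built-in default advertises. Exim comments are whole lines starting
    with '#', so only those are skipped.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "chunking_advertise_hosts":
            return value.strip() == ""
    return False


def live_server_advertises_chunking(host: str, port: int = 25) -> bool:
    """Optional network check against a server you administer (not run here)."""
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo()
        return conn.has_extn("chunking")


if __name__ == "__main__":
    print("CHUNKING advertised (before):", chunking_advertised(EHLO_WITH_CHUNKING))
    print("CHUNKING advertised (after): ", chunking_advertised(EHLO_WITHOUT_CHUNKING))
    print("workaround in config (default):   ", workaround_applied(CONFIG_DEFAULT))
    print("workaround in config (workaround):", workaround_applied(CONFIG_WORKAROUND))
```

The configuration check deliberately reports an unset option as not mitigated rather than guessing at the default, so a fleet-wide scan flags every host that has not had the line added explicitly; the EHLO check is what confirms the running daemon actually picked the change up after a reload.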
--- Begin Message ---
Source: exim4
Source-Version: 4.90~RC3-1
We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 882...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <ametz...@debian.org> (supplier of updated exim4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 01 Dec 2017 19:14:08 +0100
Source: exim4
Binary: exim4-base exim4-config exim4-daemon-light exim4 exim4-daemon-heavy eximon4 exim4-dev
Architecture: source
Version: 4.90~RC3-1
Distribution: experimental
Urgency: medium
Maintainer: Exim4 Maintainers <pkg-exim4-maintain...@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametz...@debian.org>
Closes: 882648 882671
Description:
exim4-base - support files for all Exim MTA (v4) packages
exim4-config - configuration for the Exim MTA (v4)
exim4-daemon-heavy - Exim MTA (v4) daemon with extended features, including exiscan-acl
exim4-daemon-light - lightweight Exim MTA (v4) daemon
exim4-dev - header files for the Exim MTA (v4) packages
exim4 - metapackage to ease Exim MTA (v4) installation
eximon4 - monitor application for the Exim MTA (v4) (X11 interface)
Changes:
exim4 (4.90~RC3-1) experimental; urgency=medium
.
* New upstream version.
+ Fix a use-after-free while reading smtp input for header lines.
A crafted sequence of BDAT commands could result in in-use memory
being freed. CVE-2017-16943. Closes: #882648
+ Fix checking for leading-dot on a line during headers reading
from SMTP input. Previously it was always done; now only done for
DATA and not BDAT commands. CVE-2017-16944 Closes: #882671
* Drop 78_Disable-chunking-BDAT-by-default.patch again.
Checksums-Sha1:
680ae709d49dd5ac685fc0f3c973b41114e04530 2873 exim4_4.90~RC3-1.dsc
494411dda22e8e3c1b40c33b1f4a769465242413 1714872 exim4_4.90~RC3.orig.tar.xz
e088699320ded2ec4f0e1d50501eb71e85ee0956 455 exim4_4.90~RC3.orig.tar.xz.asc
26cf3ddb1b110d56530d420d971646b02e9fa605 447176 exim4_4.90~RC3-1.debian.tar.xz
Checksums-Sha256:
f9f0857b5ce76d888085448e060fbceee41685fd3014fbf7f78214b39b4d7b38 2873 exim4_4.90~RC3-1.dsc
cf3066564b1ddff84beb2f25d3c86d6e04c0d5800e6e4b8bff7997fcf5f00d37 1714872 exim4_4.90~RC3.orig.tar.xz
c946c925b6bd304f132a4692d7b5a38de0e0ff091bc06d70d9b9ee21759b0819 455 exim4_4.90~RC3.orig.tar.xz.asc
d9666555628707c4f0b6bb21587064aece1a33beeb1ebf1cca97365b2482b812 447176 exim4_4.90~RC3-1.debian.tar.xz
Files:
4e0187178dee1909fe90c5b50fb04ffd 2873 mail standard exim4_4.90~RC3-1.dsc
aa2faa39328bcf12c87c59cac711873c 1714872 mail standard exim4_4.90~RC3.orig.tar.xz
c8bb028dba04df83920530c713aa77ad 455 mail standard exim4_4.90~RC3.orig.tar.xz.asc
b89f8fed22d29fbec23d5c2c96bc065b 447176 mail standard exim4_4.90~RC3-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---