Hi, in the course of the current CVEs regarding Exim there is claimed to be an issue with libspf2. We (the Exim developers) are not sure if this is something *we* can fix on our side. We're not even sure about the details; as of now we do not have any further information.

But it *may* be related to this PR: https://github.com/shevek/libspf2/pull/44/files An individual "simon" said so in the #Exim IRC channel on Libera.Chat. Do you see any chance to check this? And, if necessary, to release a security update too? If it turns out to be an issue, what do you think, should we at least notify oss-security about it, to help other distros fix it?

Abstract of the knowledge we have so far:

ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
------------------------------------------------------------
Subject:    libspf2 Integer Underflow
CVSS Score: 7.5
Mitigation: Do not use the `spf` condition in your ACL
Subsystem:  spf
Remark:     It is debatable if this should be filed against libspf2.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -