On Wed, 15 Mar 2023, Andreas Metzler wrote:
On 2022-08-24 17:49, Andrew C Aitchison wrote:
[...]
www.exim.org/static/doc/security/CVE-2021-38371.txt
is advertised on a couple of CVE sites but does not exist.
Like CVE-2022-37452, CVE-2021-38371 was fixed in 4.95 (the fix in git
actually predates the NO STARTTLS announcement).
I wrote up some text for it but Jeremy didn't like the tone of it
- my page sounded as if we agreed that the bug was a security issue.
He clearly did not believe that CVE-2021-38371 is an insecurity;
I agree that there is no evidence that it is one, but lack of evidence is
not evidence of lack, and the fix has been applied.
Like you, I think that we should respond to each CVE, whether they
are security issues or not, but Jeremy gave me the impression that
he does not.
If you are happy to stick to your guns on this one, I will rewrite
mine and report it in the bugzilla, which is what Jeremy suggested.
Since Jeremy does most of the work on exim I am not keen
to make a fuss.
Hello Andrew
the CVE status is still marked as "applies to 4.94.2, might be fixed in
later versions" in all security trackers. Could you point to the fixing
GIT commit?
Took a bit of tracking down but here it is:
commit 1b9ab35f323121aabf029f0496c7227818efad14
https://lists.exim.org/lurker/message/20200802.111710.a42f3573.de.html
I have attached the text I wrote for
https://www.exim.org/static/doc/security/CVE-2021-38371.txt
This has the wrong date: when Jeremy wrote the patch, rather than when
it hit the exim git (Aug 2 11:10:35 2020 +0100).
Can you see a way not to say that this is a security issue?
--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk
CVE ID: CVE-2021-38371
Date: 2021-08-10
Version(s): up to and including 4.94.2
Reporter: Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel
Reference: https://nostarttls.secvuln.info/
Issue: Possible MitM attack on STARTTLS when exim is *sending* email.
Conditions to be vulnerable
===========================
Versions up to (and including) 4.94.2 are vulnerable when
*sending* emails via a connection encrypted via STARTTLS.
Details
=======
When exim acting as a mail client wishes to send a message,
a Meddler-in-the-Middle (MitM) may respond to the STARTTLS command
by also sending a response to the *next* command, which exim will
erroneously treat as a trusted response.
Source fixed by
https://git.exim.org/exim.git/commit/1b9ab35f323121aabf029f0496c7227818efad14
commit 1b9ab35f323121aabf029f0496c7227818efad14
Author: Jeremy Harris
Date: Thu Jul 30 20:16:01 2020 +0100
Mitigation
==========
There is, besides updating the server, no known mitigation.
Fix
===
Download and build the fixed version 4.95 or a later version
(4.96 was released in June 2022).
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
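The injection described in the attached Details section, worked through as an added example (this is not Exim's code and not the fix in the commit linked above): a simulated SMTP client reads the 220 reply to STARTTLS while an attacker appends plaintext lines in the same TCP segment. The vulnerable client keeps its read buffer across the handshake and so consumes those lines as the supposedly TLS-protected reply to its EHLO; the hardened variant checks that the plaintext buffer is empty before starting TLS and aborts otherwise. The hostnames, the injected lines and the server's post-handshake reply are constructed for the example.

```python
# Added example for the STARTTLS response-injection issue described above.
# Not Exim's code: an in-memory simulation of an SMTP client's read buffer,
# with the peer, hostnames and injected lines constructed for illustration.

STARTTLS_OK = b"220 2.0.0 Ready to start TLS\r\n"
# Attacker-chosen plaintext that arrives in the same TCP segment as the 220
# (constructed; it mimics a reply to the EHLO the client will send next).
INJECTED = b"250-mail.example.invalid\r\n250 AUTH PLAIN\r\n"
# What the genuine server answers to EHLO once TLS is up (constructed).
GENUINE_EHLO = b"250 mail.example.invalid Hello\r\n"


class Peer:
    """Stand-in for the TCP connection: bytes still 'on the wire' plus the
    client's read buffer, which is where the injected lines end up."""

    def __init__(self, wire):
        self.wire = wire      # bytes the client has not yet pulled from the socket
        self.buf = b""        # bytes already read but not yet consumed as lines
        self.tls = False
        self.sent = []

    def recv(self, n=4096):
        """Move up to n bytes from the wire into the buffer, like socket.recv()."""
        chunk, self.wire = self.wire[:n], self.wire[n:]
        self.buf += chunk
        return chunk

    def readline(self):
        """Return one CRLF-terminated line, reading more from the wire if needed."""
        while b"\r\n" not in self.buf:
            if not self.recv():
                raise EOFError("peer closed the connection")
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line + b"\r\n"

    def send(self, data):
        self.sent.append(data)

    def start_tls(self):
        """Simulate the handshake: from here on the wire carries only what the
        genuine server sends. Note that self.buf is NOT touched."""
        self.tls = True
        self.wire = GENUINE_EHLO


def make_peer(injected=INJECTED):
    """Connection as seen by the client right after it has sent STARTTLS."""
    return Peer(STARTTLS_OK + injected)


def read_reply(peer):
    """Collect a full SMTP reply: '250-' lines continue it, '250 ' ends it."""
    lines = []
    while True:
        line = peer.readline()
        lines.append(line)
        if line[3:4] != b"-":
            return lines


def vulnerable_client(peer):
    """Keeps the plaintext read buffer across the handshake."""
    peer.send(b"STARTTLS\r\n")
    if not read_reply(peer)[0].startswith(b"220"):
        return "starttls-refused"
    peer.start_tls()
    peer.send(b"EHLO client.example.invalid\r\n")
    # Whatever was left in peer.buf before the handshake is returned here
    # as though the now-TLS-protected server had sent it.
    return read_reply(peer)


def hardened_client(peer):
    """Refuses to start TLS if any plaintext followed the 220 reply."""
    peer.send(b"STARTTLS\r\n")
    if not read_reply(peer)[0].startswith(b"220"):
        return "starttls-refused"
    if peer.buf:
        # A server following RFC 3207 sends nothing after its 220 until the
        # TLS handshake completes, so leftover plaintext here was injected.
        return "aborted: unexpected plaintext after STARTTLS 220"
    peer.start_tls()
    peer.send(b"EHLO client.example.invalid\r\n")
    return read_reply(peer)


if __name__ == "__main__":
    print("vulnerable, under attack:", vulnerable_client(make_peer()))
    print("hardened,   under attack:", hardened_client(make_peer()))
    print("hardened,   no attacker :", hardened_client(make_peer(b"")))
```

The check is deliberately placed between reading the 220 and starting the handshake, because that is the only moment at which leftover bytes in the buffer are unambiguously plaintext. Aborting rather than silently discarding them is a design choice for this example: a buffer that is non-empty there is evidence of tampering on the path, which an operator would normally want logged and the delivery deferred.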