On Mon, May 17, 2021 at 12:10:26PM +0200, Taylan Kammer wrote: > Hi Guix people, > > Just wanted to make sure everyone's aware, since we package Exim: > > https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server > > "Last fall, the Qualys Research Team engaged in a thorough code audit of Exim > and discovered 21 unique vulnerabilities. Ten of these vulnerabilities can be > exploited remotely. Some of them leading to provide root privileges on the > remote system. And eleven can be exploited locally with most of them can be > exploited in either default configuration or in a very common configuration. > Some of the vulnerabilities can be chained together to obtain a full remote > unauthenticated code execution and gain root privileges on the Exim Server. > Most of the vulnerabilities discovered by the Qualys Research Team for e.g. > CVE-2020-28017 affects all versions of Exim going back all the way to 2004 > (going back to the beginning of its Git history 17 years ago)."
Fixed in commit 4ca8a00263 (gnu: Exim: Update to 4.94.2 [security fixes].) https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4ca8a002633f5d5c88c689fd41a686b5cdff33ec
