oss-sec mailing list archives
Multiple Exim4 Zero Days
From: Markus Gschwendt <office+osssecurity () runout at>
Date: Fri, 29 Sep 2023 15:59:09 +0200
I bring this up as I have not yet seen any information here about several CVEs related to Exim Mailserver which were published by ZDI on 2023-09-27 [1]:

* CVE-2023-42114 [CVSS 3.7]
* CVE-2023-42115 [CVSS 9.8]
* CVE-2023-42116 [CVSS 8.1]
* CVE-2023-42117 [CVSS 8.1]
* CVE-2023-42118 [CVSS 7.5]
* CVE-2023-42119 [CVSS 3.1]

There also seem to be issues in Exim's bug tracker related to those:

https://bugs.exim.org/show_bug.cgi?id=2999
https://bugs.exim.org/show_bug.cgi?id=3000
https://bugs.exim.org/show_bug.cgi?id=3001
https://bugs.exim.org/show_bug.cgi?id=3002
https://bugs.exim.org/show_bug.cgi?id=3003

According to ZDI the original reports were sent in June 2022.

I'm wondering if somebody knows anything about mitigations and/or why there are still no fixes for these issues after more than a year.

Markus

[1] https://www.zerodayinitiative.com/advisories/published/ search for exim
Current thread:
- Multiple Exim4 Zero Days Markus Gschwendt (Sep 29)
- Re: Multiple Exim4 Zero Days Alex Gaynor (Sep 29)
- Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann (Sep 29)
- Re: Exim4 MTA CVEs assigned from ZDI Solar Designer (Sep 29)
- RE: Exim4 MTA CVEs assigned from ZDI zdi () trendmicro com (Sep 29)
- Re: Exim4 MTA CVEs assigned from ZDI Solar Designer (Sep 29)