oss-sec mailing list archives
CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges.
From: Heiko Schlittermann <hs () nodmarc schlittermann de>
Date: Wed, 4 Sep 2019 11:22:48 +0200
*** Note: EMBARGO is still in effect! ***
*** Distros must not publish any detail yet ***

Head up! Security release ahead!

CVE ID:     CVE-2019-15846
Version(s): up to and including 4.92.1
Issue:      A local or remote attacker can execute programs with root
            privileges.
Details:    Will be made public at CRD. Currently there is no known
            exploit, but a rudimentary POC exists.

Coordinated Release Date (CRD) for Exim 4.92.2:
    2019-09-06 10:00 UTC

Contact: security () exim org

Proposed Timeline
=================

2019-09-03:
    - initial notification to distros () openwall org
      and exim-maintainers () exim org

2019-09-04: <-- NOW
    - This Heads-up notice to oss-security () lists openwall com,
      exim-users () exim org, and exim-announce () exim org

2019-09-06 10:00 UTC:
    - Coordinated release date
    - Notice to oss-security, exim-users, and exim-announce
    - Publish the patches in our official and public Git repositories
      and the packages on our FTP server.

Downloads available starting at CRD (not yet)
=============================================

The downloads are not yet available. They will be made available at the
above mentioned CRD.

Release tarballs (exim-4.92.2):

    https://ftp.exim.org/pub/exim/exim4/

The package files are signed with my GPG key.

The full Git repo:

    https://git.exim.org/exim.git
    https://github.com/Exim/exim [mirror of the above]
    - tag    exim-4.92.2
    - branch exim-4.92.2+fixes

The tagged commit is the officially released version. The tag is signed
with my GPG key. The +fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit is
signed with my GPG key.

The old exim-4.92.1+fixes branch is being functionally replaced by the
new exim-4.92.2+fixes branch.

Best regards from Dresden/Germany
Many greetings from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
Attachment: signature.asc