Re: Multiple Exim4 Zero Days

[Alex Gaynor <alex.gaynor () gmail com>]

Do I understand correctly that none of these are fixed upstream?

Alex

PS: I'd be remiss if I did not note that it appears that 5/6 of these
vulnerabilities have "C is not a memory safe language" as a proximate
cause.

On Fri, Sep 29, 2023 at 10:27 AM Markus Gschwendt
<office+osssecurity () runout at> wrote:
> I bring this up as I have not yet seen any information here about
> several CVEs related to Exim Mailserver which were published by ZDI on
> 2023-09-27 [1]:
>
> * CVE-2023-42114 [CVSS 3.7]
> * CVE-2023-42115 [CVSS 9.8]
> * CVE-2023-42116 [CVSS 8.1]
> * CVE-2023-42117 [CVSS 8.1]
> * CVE-2023-42118 [CVSS 7.5]
> * CVE-2023-42119 [CVSS 3.1]
>
> There also seem to be issues in Exim's bug tracker related to those:
> https://bugs.exim.org/show_bug.cgi?id=2999
> https://bugs.exim.org/show_bug.cgi?id=3000
> https://bugs.exim.org/show_bug.cgi?id=3001
> https://bugs.exim.org/show_bug.cgi?id=3002
> https://bugs.exim.org/show_bug.cgi?id=3003
>
> According to ZDI the original reports were sent in June 2022.
>
> I'm wondering if somebody knows anything about mitigations and/or why
> there are still no fixes for these issues after more than a year.
>
> Markus
>
> [1] https://www.zerodayinitiative.com/advisories/published/
>     search for exim


-- 
All that is necessary for evil to succeed is for good people to do nothing.