oss-sec mailing list archives

Re: Exim4 MTA CVEs assigned from ZDI


From: Heiko Schlittermann <hs () nodmarc schlittermann de>
Date: Thu, 5 Oct 2023 10:17:41 +0200

Hi ZDI,

zdi () trendmicro com <zdi () trendmicro com> (Wed 04 Oct 2023 23:01:37 CEST):
> We have received a notification from the developers that these issues have been patched. We will be happy to update
> our advisories once they do so.

https://exim.org/static/doc/security/CVE-2023-zdi.txt

As publicly advertised, we patched only *a subset* of the issues.  And
those patches are available to the public.  Unfortunately there is no
confirmation from your side, whether those fixes really fix the issues.

One of the open issues is related to libspf2, which Exim is a user of,
but not responsible for.

 ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032

And about exactly *this libspf2* issue Salvatore asked you for information.

(As I did on Oct 1st already, along with the request for additional information on one of
the other unfixed issues (DNSDB).) I haven't received any response yet.

    Best regards from Dresden/Germany
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
