oss-sec mailing list archives
Re: Exim4 MTA CVEs assigned from ZDI
From: Solar Designer <solar () openwall com>
Date: Thu, 5 Oct 2023 18:02:43 +0200
On Thu, Oct 05, 2023 at 10:17:41AM +0200, Heiko Schlittermann wrote:
> Hi ZDI,

If we want to talk to ZDI, we need to CC them explicitly - added. ZDI - please let us all know if you have any comments on the below.

Also to ZDI, I think at this point it'd work best if you make all of the available detail on these bugs public. Will you, please? The advisories you published so far are non-specific to the point of being almost useless beyond an initial heads-up. Sorry for being so direct.

> zdi () trendmicro com <zdi () trendmicro com> (Mi 04 Okt 2023 23:01:37 CEST):
> > We have received a notification from the developers that these issues have been patched. We will be happy to update our advisories once they do so.
>
> https://exim.org/static/doc/security/CVE-2023-zdi.txt
>
> As publicly advertised, we patched only *a subset* of the issues. And those patches are available to the public. Unfortunately there is no confirmation from your side, whether those fixes really fix the issues.
>
> One of the open issues is related to libspf2, which Exim is a user of, but not responsible for.
>
> ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
>
> And about exactly *this libspf2* issue Salvatore asked you for information. (As I did on Oct 1st already, along with the request for additional information on one of the other unfixed issues (DNSDB)). I didn't receive any response yet.
>
> Best regards from Dresden/Germany
> Viele Grüße aus Dresden
> Heiko Schlittermann
> --
> SCHLITTERMANN.de ---------------------------- internet & unix support -
> Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
> gnupg encrypted messages are welcome --------------- key ID: F69376CE -

Alexander