Thread View: gmane.mail.exim.announce
3 messages
Started by Heiko Schlitterm
Tue, 04 Jun 2019 15:57
CVE-2019-10149
Author: Heiko Schlitterm
Date: Tue, 04 Jun 2019 15:57
77 lines
2455 bytes
Hello,

in case you didn't notice on oss-security or exim-users. We published a CVE:

    http://exim.org/static/doc/security/CVE-2019-10149.txt

You should fetch the fix and re-package your Exim packages.

The non-public security Git repo is

    ssh://git@git.exim.org/exim.git

Access is granted to the known and trusted SSH keys we have.

The branch fix-CVE-2019-10149 contains the fix. It is one commit ahead of the exim-4_91+fixes branch and we'll eventually merge it into the +fixes branch.

The relevant commit is d740d2111f189760593a303124ff6b9b1f83453d and is signed with my GPG key, the same key that signed this message.

If you need help backporting it to older releases, please do not hesitate to contact us.

The planned CRD (coordinated release date) is 2019-06-11 10.00 UTC. Please do not publish any package or source until this date.

    Best regards from Dresden/Germany
    Kind regards from Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

--
## List details at https://lists.exim.org/mailman/listinfo/exim-announce Exim details at http://www.exim.org/ ##
Re: CVE-2019-10149
Author: Heiko Schlitterm
Date: Wed, 05 Jun 2019 17:04
57 lines
1806 bytes
We will publish the fix today 2019-06-05 15:15 UTC on the exim-4_91+fixes branch of our public Git repo git.exim.org.

Distros can release their packages by that date.

Sorry for the inconveniences.

    Best regards from Dresden/Germany
    Kind regards from Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
Re: CVE-2019-10149
Author: Heiko Schlitterm
Date: Wed, 05 Jun 2019 17:18
93 lines
3082 bytes
The fix for CVE-2019-10149 is public now.

    https://git.exim.org/exim.git
    Branch exim-4_91+fixes.

Thank you to
- Qualys for reporting it.
- Jeremy for fixing it.
- you for using Exim.

Sorry for confusion about the public release. We were forced to react, as details leaked.

The patch should apply cleanly to all affected versions (4.87->4.91). We do not do a security release, as the official Exim version is at 4.92 already and older releases are considered to be outdated and not supported by the developers anymore.

Please do not hesitate to contact us if you need help backporting the fix.

Details of the commit:

|commit d740d2111f189760593a303124ff6b9b1f83453d
|gpg: Signature made Di 04 Jun 2019 11:27:33 CEST
|gpg:                using RSA key D0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142
|gpg:                issuer "hs@schlittermann.de"
|gpg: Good signature from "Heiko Schlittermann (Dresden) <hs@schlittermann.de>" [full]
|gpg:                 aka "Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>" [full]
|gpg:                 aka "[jpeg image of size 4759]" [full]
|gpg:                 aka "Heiko Schlittermann (Exim MTA Maintainer) <heiko@exim.org>" [full]
|gpg:                 aka "Heiko Schlittermann (HS12-RIPE) <hs@nodmarc.schlittermann.de>" [undefined]
|Author: Jeremy Harris <jgh146exb@wizmail.org>
|Date:   Mon May 27 21:57:31 2019 +0100
|
|    Fix CVE-2019-10149

    Best regards from Dresden/Germany
    Kind regards from Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
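
For packagers checking the fix before backporting, an added example (not part of the original messages and not Exim's own tooling): it confirms that the announced commit is contained in the ref being packaged and that the raw GnuPG status from `git verify-commit --raw` names the signing-key fingerprint quoted in the message above. The helper names and the sample status lines are constructed for illustration; the signer's public key is assumed to be in the local keyring already.

```shell
#!/bin/sh
# Added example: pin the commit id and signing-key fingerprint quoted in the
# announcement, then check a local clone against both.
FIX_COMMIT=d740d2111f189760593a303124ff6b9b1f83453d
SIGNER_FPR=D0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142

# Reads GnuPG status lines on stdin. Succeeds only if a VALIDSIG line carries
# the expected signing-key fingerprint and no failure status is present.
# (Hypothetical helper name.)
signer_fpr_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && toupper($3) == toupper(want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# The fix must be contained in the ref being packaged, and the commit's
# signature must come from the pinned key. (Hypothetical helper name.)
verify_fix_commit() {
    repo=$1
    ref=$2
    git -C "$repo" merge-base --is-ancestor "$FIX_COMMIT" "$ref" || {
        echo "$FIX_COMMIT is not contained in $ref" >&2
        return 1
    }
    # --raw sends the GnuPG status lines to stderr; fold them into the pipe.
    git -C "$repo" verify-commit --raw "$FIX_COMMIT" 2>&1 |
        signer_fpr_ok "$SIGNER_FPR"
}

# Constructed status output for trying signer_fpr_ok without a clone; the
# key id, user id and timestamps are made up.
sample_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 0000000000000000 Constructed Signer <signer@example.invalid>' \
        "[GNUPG:] VALIDSIG $1 2019-06-04 1559640453 0 4 0 1 10 00 $1"
}

# Usage: sh verify-fix.sh /path/to/exim-clone [ref]
if [ "$#" -ge 1 ]; then
    verify_fix_commit "$1" "${2:-exim-4_91+fixes}"
fi
```

Comparing the full 40-character fingerprint from the status line avoids relying on the short key IDs or the user-ID text, both of which are easier to imitate.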