Thread View: gmane.mail.exim.announce
1 message
Started by Heiko Schlittermann
Wed, 05 May 2021 00:45
Exim 4.94.2 - security update released
Author: Heiko Schlittermann
Date: Wed, 05 May 2021 00:45
177 lines
6283 bytes
Dear Exim-Users

(thanks to Tim Jackson, who pointed out that this announcement didn't make it to Exim-announce)

Abstract
--------

Several exploitable vulnerabilities in Exim were reported to us and are fixed. We have prepared a security release, tagged as "exim-4.94.2". This release contains all changes on the exim-4.94+fixes branch plus security fixes.

You should update your Exim instances as soon as possible. (See below for short upgrade notes.)

Distro users
------------

Several distros will provide updated packages: just do the update. If the update contains a version change from <4.94 to 4.94.2, you may want to read the upgrade notes below.

Self-built Exim
---------------

Fetch exim-4.94.2 from the known repositories, build and install the fixed version. If you need to upgrade from versions <4.94 to 4.94.2, you may want to read the upgrade notes below.

Schedule
--------

2021-05-04 13:30 UTC: Publish the release on the public repos/website/etc

Repositories
------------

The sources are available:

  tarballs: https://ftp.exim.org/pub/exim/exim4/
            (the mirrors will follow with some delay)
  source:   https://git.exim.org/exim.git
  tag:      exim-4.94.2
  branch:   exim-4.94.2+fixes

The +fixes branch contains fixes for an issue that we experienced occasionally with outgoing SMTP (using DANE, TLS SNI and an unusual certificate setup on the remote server; see https://lists.exim.org/lurker/message/20210503.163324.f7021753.en.html).

In case you're running exim-4.92.3 currently and you do not see any option in updating this to 4.94.2, you *can* try using the branch exim-4.92.3+fixes. This branch contains the minimal set of backported security patches, but isn't officially supported by the Exim project and didn't get the same testing as the official release.

Details
-------

The current Exim versions (and likely older versions too) suffer from several exploitable vulnerabilities. These vulnerabilities were reported by Qualys via security@exim.org back in October 2020. Due to several internal reasons it took more time than usual for the Exim development team to work on these reported issues in a timely manner.

We explicitly thank Qualys for reporting *and* for providing patches for most of the reported vulnerabilities.

The details about the vulnerabilities *will* be published in the near future (on http://exim.org/static/doc/security/), but not today. This should give you the chance to update your systems. Another source of information *will* be on the reporter's site: https://www.qualys.com/2021/05/04/21nails/21nails.txt

For further reference, a list of related CVEs:

Local vulnerabilities

- CVE-2020-28007: Link attack in Exim's log directory
- CVE-2020-28008: Assorted attacks in Exim's spool directory
- CVE-2020-28014: Arbitrary PID file creation
- CVE-2020-28011: Heap buffer overflow in queue_run()
- CVE-2020-28010: Heap out-of-bounds write in main()
- CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
- CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
- CVE-2020-28015: New-line injection into spool header file (local)
- CVE-2020-28012: Missing close-on-exec flag for privileged pipe
- CVE-2020-28009: Integer overflow in get_stdinput()

Remote vulnerabilities

- CVE-2020-28017: Integer overflow in receive_add_recipient()
- CVE-2020-28020: Integer overflow in receive_msg()
- CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
- CVE-2020-28021: New-line injection into spool header file (remote)
- CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
- CVE-2020-28026: Line truncation and injection in spool_read_header()
- CVE-2020-28019: Failure to reset function pointer after BDAT error
- CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
- CVE-2020-28018: Use-after-free in tls-openssl.c
- CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

Upgrade notes
-------------

In case you need to upgrade from a version <4.94, you may encounter issues with *tainted data*. This is a security measure which we introduced with 4.94. Your configuration needs to be reworked.

Alternatively you can use the exim-4.94.2+taintwarn branch. This branch tracks exim-4.94.2+fixes and adds a new main config option (the option is deprecated already today and will be ignored in a future release of Exim): "allow_insecure_tainted_data". This option allows you to turn the taint errors into warnings. (Debian is set to include this "taintwarn" patch in its Exim 4.94.2 release.)

Thank you for using Exim. Thanks to Qualys for reporting the issues.

Best regards from Dresden/Germany
Heiko Schlittermann

--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -

[PGP signature (signature.asc) omitted]

--
## List details at https://lists.exim.org/mailman/listinfo/exim-announce Exim details at http://www.exim.org/ ##
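As an added example (not part of the announcement or of the Exim project), a small Python helper that triages `exim -bV` banners against the fixed version named above: it flags hosts still below 4.94.2 and separately flags hosts whose upgrade would cross the 4.94 tainted-data boundary, which is where the upgrade notes apply. The banner format and the sample hosts are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Versions taken from the announcement above.
FIXED_VERSION = (4, 94, 2)     # first release carrying the security fixes
TAINT_BOUNDARY = (4, 94, 0)    # tainted-data checks were introduced with 4.94

_BANNER_RE = re.compile(r"\bExim version (\d+)\.(\d+)(?:\.(\d+))?")

def parse_exim_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the first line of `exim -bV` output.

    A two-component version such as 4.94 is normalised to (4, 94, 0) so that
    tuple comparison works. Returns None when no version is found.
    """
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def triage_host(name: str, banner: str) -> Dict[str, object]:
    """Classify one host: does it still need the 4.94.2 update, and would
    that update cross the 4.94 boundary where the tainted-data notes apply?"""
    version = parse_exim_version(banner)
    if version is None:  # unreachable host or unexpected output: report, don't guess
        return {"host": name, "version": None, "needs_update": None,
                "read_upgrade_notes": None}
    return {
        "host": name,
        "version": ".".join(map(str, version)),
        "needs_update": version < FIXED_VERSION,
        # Only hosts moving from <4.94 run into the tainted-data changes.
        "read_upgrade_notes": version < TAINT_BOUNDARY,
    }

def triage_fleet(banners: Dict[str, str]) -> List[Dict[str, object]]:
    """Triage a mapping of host name -> first `exim -bV` line, listing the
    hosts that still need the update first (stable order by name otherwise)."""
    rows = [triage_host(h, b) for h, b in sorted(banners.items())]
    return sorted(rows, key=lambda r: r["needs_update"] is not True)

# Constructed sample banners (assumed format of the first `exim -bV` line).
SAMPLE_BANNERS = {
    "mx1": "Exim version 4.92.3 #3 built 12-Mar-2020 15:12:00",
    "mx2": "Exim version 4.94.2 #2 built 04-May-2021 13:40:11",
    "mx3": "Exim version 4.94 #1 built 01-Jun-2020 10:00:00",
    "mx4": "ssh: connect to host mx4 port 22: Connection refused",
}

if __name__ == "__main__":
    for row in triage_fleet(SAMPLE_BANNERS):
        print(row)
```

Distribution packages often backport the fixes without changing the reported version, so treat a below-4.94.2 result on a distro-packaged host as a prompt to check the package changelog rather than as proof it is unpatched.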