Mailing List Archive

CVE-2019-10149
Hello,

in case you didn't notice on oss-security or exim-users.
We published a CVE:

http://exim.org/static/doc/security/CVE-2019-10149.txt

You should fetch the fix and re-package your Exim packages.
The non-public security Git repo is

ssh://git@git.exim.org/exim.git

Access is granted to the known and trusted SSH keys we have.

The branch fix-CVE-2019-10149 contains the fix. It is one commit ahead
of the exim-4_91+fixes branch and we'll eventually merge it into the
+fixes branch.

The relevant commit is d740d2111f189760593a303124ff6b9b1f83453d and is
signed with my GPG key, the same key that signed this message.

If you need help backporting it to older releases, please do not
hesitate to contact us.

The planned CRD (coordinated release date) is 2019-06-11 10.00 UTC.
Please do not publish any package or source until this date.

Best regards from Dresden/Germany
Best regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
Re: CVE-2019-10149
We will publish the fix today 2019-06-05 15:15 UTC on the
exim-4_91+fixes branch of our public Git repo git.exim.org.

Distros can release their packages by that date.

Sorry for the inconvenience.

Best regards from Dresden/Germany
Best regards from Dresden
Heiko Schlittermann
Re: CVE-2019-10149
The fix for CVE-2019-10149 is public now.

https://git.exim.org/exim.git
Branch exim-4_91+fixes.

Thank you to
- Qualys for reporting it.
- Jeremy for fixing it.
- you for using Exim.

Sorry for the confusion about the public release. We were forced to react,
as details leaked.

The patch should apply cleanly to all affected versions (4.87->4.91). We
do not do a security release, as the official Exim version is at 4.92
already and older releases are considered to be outdated and not
supported by the developers anymore.

Please do not hesitate to contact us if you need help backporting the
fix.

Details of the commit:

|commit d740d2111f189760593a303124ff6b9b1f83453d
|gpg: Signature made Di 04 Jun 2019 11:27:33 CEST
|gpg: using RSA key D0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142
|gpg: issuer "hs@schlittermann.de"
|gpg: Good signature from "Heiko Schlittermann (Dresden) <hs@schlittermann.de>" [full]
|gpg: aka "Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>" [full]
|gpg: aka "[jpeg image of size 4759]" [full]
|gpg: aka "Heiko Schlittermann (Exim MTA Maintainer) <heiko@exim.org>" [full]
|gpg: aka "Heiko Schlittermann (HS12-RIPE) <hs@nodmarc.schlittermann.de>" [undefined]
|Author: Jeremy Harris <jgh146exb@wizmail.org>
|Date: Mon May 27 21:57:31 2019 +0100
|
| Fix CVE-2019-10149


Best regards from Dresden/Germany
Best regards from Dresden
Heiko Schlittermann