CVE-2021-38371 (was: CVE-2022-37452)
On 2022-08-24 17:49, Andrew C Aitchison wrote:
[...]
> www.exim.org/static/doc/security/CVE-2021-38371.txt
> is advertised on a couple of CVE sites but does not exist.
> Like CVE-2022-37452, CVE-2021-38371 was fixed in 4.95 (the fix in git
> actually predates the NO STARTTLS announcement).

> I wrote up some text for it but Jeremy didn't like the tone of it
> - my page sounded as if we agreed that the bug was a security issue.
> He clearly did not believe that CVE-2021-38371 is an insecurity;
> I agree that there is no evidence that it is one, but lack of evidence is
> not evidence of lack, and the fix has been applied.

> Like you, I think that we should respond to each CVE, whether they
> are security issues or not, but Jeremy gave me the impression that
> he does not.

> If you are happy to stick to your guns on this one, I will rewrite
> mine and report it in the bugzilla, which is what Jeremy suggested.

> Since Jeremy does most of the work on exim I am not keen
> to make a fuss.

Hello Andrew

the CVE status is still marked as "applies to 4.94.2, might be fixed in
later versions" in all security trackers. Could you point to the fixing
GIT commit?

TIA, cu Andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Re: CVE-2021-38371 (was: CVE-2022-37452)
On Wed, 15 Mar 2023, Andreas Metzler wrote:

> On 2022-08-24 17:49, Andrew C Aitchison wrote:
> [...]
>> www.exim.org/static/doc/security/CVE-2021-38371.txt
>> is advertised on a couple of CVE sites but does not exist.
>> Like CVE-2022-37452, CVE-2021-38371 was fixed in 4.95 (the fix in git
>> actually predates the NO STARTTLS announcement).
>
>> I wrote up some text for it but Jeremy didn't like the tone of it
>> - my page sounded as if we agreed that the bug was a security issue.
>> He clearly did not believe that CVE-2021-38371 is an insecurity;
>> I agree that there is no evidence that it is one, but lack of evidence is
>> not evidence of lack, and the fix has been applied.
>
>> Like you, I think that we should respond to each CVE, whether they
>> are security issues or not, but Jeremy gave me the impression that
>> he does not.
>
>> If you are happy to stick to your guns on this one, I will rewrite
>> mine and report it in the bugzilla, which is what Jeremy suggested.
>
>> Since Jeremy does most of the work on exim I am not keen
>> to make a fuss.
>
> Hello Andrew
>
> the CVE status is still marked as "applies to 4.94.2, might be fixed in
> later versions" in all security trackers. Could you point to the fixing
> GIT commit?

Took a bit of tracking down but here it is:

commit 1b9ab35f323121aabf029f0496c7227818efad14

https://lists.exim.org/lurker/message/20200802.111710.a42f3573.de.html

I have attached the text I wrote for
https://www.exim.org/static/doc/security/CVE-2021-38371.txt
This has the wrong date: when Jeremy wrote the patch, rather than when
it hit the exim git (Aug 2 11:10:35 2020 +0100).

Can you see a way not to say that this is a security issue?

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
Re: CVE-2021-38371 (was: CVE-2022-37452)
On 15/03/2023 20:00, Andrew C Aitchison via Exim-users wrote:

> When exim acting as a mail client wishes to send a message,
> a Meddler-in-the-Middle (MitM) may respond to the STARTTLS command
> by also sending a response to the *next* command, which exim will
> erroneously treat as a trusted response.

Sigh. Nobody has *ever* shown any way that could have been exploited.
--
Cheers,
Jeremy


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
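
The behaviour described in the advisory text quoted in the message above, as an added example (not Exim's code and not part of any message in this thread): a client-side check that the plaintext read holding the STARTTLS reply contains nothing beyond that reply before the TLS handshake starts. The function name, enum values and sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum starttls_check { STLS_OK, STLS_INCOMPLETE, STLS_REFUSED, STLS_TRAILING_DATA };

/* buf/len: every plaintext byte received after sending STARTTLS and before
   the TLS handshake. An SMTP reply is one or more CRLF-terminated lines,
   "ddd-text" for a continuation line and "ddd text" for the final line. */
enum starttls_check check_starttls_reply(const char *buf, size_t len)
{
    size_t pos = 0;
    for (;;) {
        const char *eol = NULL;
        for (size_t i = pos; i + 1 < len; i++)
            if (buf[i] == '\r' && buf[i + 1] == '\n') { eol = buf + i; break; }
        if (!eol) return STLS_INCOMPLETE;            /* need more bytes */
        size_t linelen = (size_t)(eol - (buf + pos));
        if (linelen < 3) return STLS_REFUSED;        /* malformed reply line */
        int is_220 = memcmp(buf + pos, "220", 3) == 0;
        int final = linelen == 3 || buf[pos + 3] == ' ';
        if (!final && buf[pos + 3] != '-') return STLS_REFUSED;
        pos += linelen + 2;                          /* step past CRLF */
        if (!is_220) return STLS_REFUSED;            /* server declined TLS */
        if (final) break;
    }
    /* Bytes left over arrived in clear text ahead of the handshake. They must
       not remain in the input buffer, where they would later be read as the
       reply to the first command issued inside the TLS session. */
    return pos == len ? STLS_OK : STLS_TRAILING_DATA;
}

int main(void)
{
    /* Constructed sample buffers, not captured traffic. */
    const char *clean = "220 2.0.0 Ready to start TLS\r\n";
    const char *extra = "220 Ready\r\n250-mx.example\r\n250 AUTH PLAIN\r\n";
    printf("clean reply   -> %d\n", check_starttls_reply(clean, strlen(clean)));
    printf("trailing data -> %d\n", check_starttls_reply(extra, strlen(extra)));
    return 0;
}
```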
Re: CVE-2021-38371 (was: CVE-2022-37452)
Hi Andrew,
Andrew C Aitchison via Exim-users <exim-users@exim.org> (Wed 15 Mar 2023 21:00:11 CET):
> > > www.exim.org/static/doc/security/CVE-2021-38371.txt

I'll publish your announcement there. Thank you, Andrew, for
preparing it. *But*, as we do not see this as a practical security
issue, we'll place a notice there: "The Exim developers do not consider
this CVE as a security problem." (Suggestions on better wording are
welcome.)

Yesterday JGH and I had a short public IRC chat on this.

Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
Re: CVE-2021-38371 (was: CVE-2022-37452)
Thanks to all the involved parties for clearing this up (and obviously
for handling the whole thing in the first place)!

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Re: CVE-2021-38371 (was: CVE-2022-37452)
Andreas Metzler via Exim-users <exim-users@exim.org> (Thu 16 Mar 2023 18:28:49 CET):
> Thanks to all the involved parties for clearing this up (and obviously
> for handling the whole thing in the first place)!

The missing CVE text has been online since yesterday.

https://www.exim.org/static/doc/security/CVE-2021-38371.txt

The website repo https://git.exim.org/exim-website.git

commit ba0da048589d0c808f3161ea03de19d3bb2adc17
Author: Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Date: Mon Mar 20 11:14:19 2023 +0100

chg: add note about CVE-2021-38371 about not being a problem

commit 2fae8e2e6a9d5606ac7eb7c94003d59756a1281a
Author: Andrew Aitchison <exim@aitchison.me.uk>
Date: Mon Mar 20 11:13:22 2023 +0100

add: CVE-2021-38371



--
Heiko