Mailing List Archive

Re: Exim Zero Day? [ In reply to ]
On 2 October 2023 17:38:02 UTC, user Christof Meerwald via Exim-users <exim-users@lists.exim.org> wrote:

>So I was asking if these details were indeed available somewhere
>before Sunday evening.

Yes, they were.

I don't remember exactly where, because (as there was silence
officially) I tried various sources. Perhaps it was mentioned on IRC
by Jeremy... I remember only that I knew about it on Saturday and thus
I was more interested in the other two issues. I got important details
on IRC about them on Sunday afternoon from Jeremy and Heiko.

When the official response was published, it was only confirmation
(for me) that I had collected the proper info + some more details.

regards


--
Slavko
https://www.slavino.sk/

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Exim Zero Day? [ In reply to ]
On Mon, 2 Oct 2023 20:54:56 +0200, Cyborg via Exim-users wrote:
> That slowed it down massively and now, with the public advisories from
> ZDI, the pressure was immense to find it in time and develope a working fix.

But my understanding here is that fixes were actually already done in
May 2023, see
https://git.exim.org/exim.git/commit/7bb5bc2c6592e062bf0b514cc71afd2d93e2e0dd

Auths: fix possible OOB write in external authenticator. Bug 2999
author Jeremy Harris <jgh146exb@wizmail.org>
Thu, 11 May 2023 19:02:43 +0200 (18:02 +0100)
committer Jeremy Harris <jgh146exb@wizmail.org>
Tue, 26 Sep 2023 20:07:46 +0200 (19:07 +0100)

Similarly for the other fixes that were made available today.


Christof

--

https://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org

Re: Exim Zero Day? [ In reply to ]
On 02.10.23 at 21:53, Christof Meerwald via Exim-users wrote:
> But my understanding here is that fixes were actually already done in
> May 2023, see
> https://git.exim.org/exim.git/commit/7bb5bc2c6592e062bf0b514cc71afd2d93e2e0dd
>
> Auths: fix possible OOB write in external authenticator. Bug 2999
> author Jeremy Harris <jgh146exb@wizmail.org>
> Thu, 11 May 2023 19:02:43 +0200 (18:02 +0100)
> committer Jeremy Harris <jgh146exb@wizmail.org>
> Tue, 26 Sep 2023 20:07:46 +0200 (19:07 +0100)
>
> similar for the other fixes that were made available today.
>
>
> Christof
>

Of course, any issue that was fixed when they knew about it, but not
made public, because of the pending ZDI publication with 3 additional
unpatched issues.
It's normal that the entire report is handled as one package, even if
you have 6 or 21Nails.

If you put each patch in the public repo without informing the distros
about the security bug, what happens? Right, a few hours later, all
unpatched exims are getting attacked. The process of informing distros
about a security issue and having an embargo repo ready with TESTED
fixes needs a lot of effort. It's not surprising that a team waits for
all bugs to be fixed before releasing the info, as the reporter usually
confirms the working fix first.

In this case, there was not enough info for a fix, so no fix to test and
therefore no reporter to confirm it. The entire process was stalled.
Now you sit on half of the fixes, but do not get the needed additional
info... what do you do?

If you have waited long enough, you decide to release the available
fixes and bugger the reporter for the missing exploits. The only
questions are: How long is "long enough" and how much buggering can
you / do you have to do?

Before you answer, keep in mind that every member of the exim team has
a real-life job and a life.

Best regards,
Marius
Re: Exim Zero Day? [ In reply to ]
Cyborg via Exim-users <exim-users@lists.exim.org> (Tue 03 Oct 2023 09:52:24 CEST):


I'm not repeating Cyborg here, but he's right. Thank you.

And I'd like to stress that we do *not* think "ha, it is open source, they
may help themselves." But sometimes we might be pissed if the
questions are too demanding or even turn into accusations.

This doesn't mean that there were too many accusations or demands. We
even got several "thank you for your work, we appreciate it", which
helps a lot, especially in such troubled times.

--
Heiko
Re: Exim Zero Day? [ In reply to ]
Hello all,

Is it possible to update GitHub?
- https://github.com/Exim/exim

Releases 2
4.95 (Latest)
on Oct 8, 2021
+ 1 release

When I look https://github.com/Exim/exim/releases :
Latest builds are:
- 4.95 (2021-10-08): https://github.com/Exim/exim/releases/tag/exim-4.95
- Stabilisation (Bad name, must be changed too, it is 4.89) (2017-03-16): https://github.com/Exim/exim/releases/tag/exim-4_89

Maybe the solution is to remove the cited releases.

Thanks in advance.

Regards,

Neustradamus

________________________________________
From: Heiko Schlittermann via Exim-users <exim-users@lists.exim.org>
Sent: Tuesday, October 3, 2023 12:17
To: exim-users@lists.exim.org
Subject: [exim] Re: Exim Zero Day?
Re: Exim Zero Day? [ In reply to ]
* Neustradamus * <neustradamus@hotmail.com> (Tue 03 Oct 2023 12:57:35 CEST):
> It is possible to update GitHub?
> - https://github.com/Exim/exim
> Maybe the solution is to remove the cited releases.
Done so, and put 4.91.1 there. It will be forgotten next time too, I'm
afraid. We do not actively maintain the GitHub copy.

--
Heiko
