Dear Exim users,
while the recent CVEs addressed some issues that existed in Exim, there
seems to be at least one issue that is related to a library we
potentially use.
ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
- https://bugs.exim.org/show_bug.cgi?id=3032
- https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
Unfortunately we do not have any further details. But the libspf2 repo
on GitHub https://github.com/shevek/libspf2 contains at least one pull
request that potentially addresses the issue: https://github.com/shevek/libspf2/pull/44
IMHO a CVE should be created for that issue. Or CVE-2023-42118
should be re-assigned to libspf2.
So, if you do not want to disable the `spf` condition and `spf`
lookups in your Exim configuration, you could try to use a patched
version of the libspf2 library.
Dear Debian users: currently it doesn't seem as if Debian provides a
patched version (because of the above mentioned uncertainty).
To patch my own systems I built a libspf2 package containing the patch.
This package is *not officially supported*! Use it at your own risk. And
I do not promise any maintenance, updates, functionality, or compatibility.
You're on your own using it. Please do not complain if it breaks your
systems. But I'm happy about feedback.
- Git repo for `gbp`: https://gitea.schlittermann.de/DEB/libspf2
- Packages: https://apt.schlittermann.de/pool/main/libs/libspf2/
Hopefully this private hotfix will be superseded by official packages as soon as
possible.
Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
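Added example (not part of Heiko's mail, nor Exim or libspf2 project code): before deciding between disabling the `spf` condition and installing a patched libspf2, it helps to confirm whether the local Exim build has SPF support compiled in at all and which libspf2 it is linked against. The script below does that with plain `exim -bV` and `ldd` output. It assumes a Debian-style host where the binary is called `exim4` (falling back to `exim`) and the library package is `libspf2-2`; the `-bV` report embedded in the script is a constructed sample so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumptions: Debian-style host,
# Exim binary named exim4 (or exim), libspf2 shipped as package libspf2-2.

# Return 0 if an `exim -bV` report (on stdin) lists SPF among the
# compiled-in features. Exim prints these on a "Support for:" line.
bv_has_spf() {
    grep -qE '^Support for:.*[[:space:]]SPF([[:space:]]|$)'
}

# Return 0 if a shared-library listing (ldd output on stdin) names libspf2.
ldd_has_libspf2() {
    grep -q 'libspf2\.so'
}

# Print the path of the Exim binary on this host, or nothing if absent.
exim_binary() {
    command -v exim4 2>/dev/null || command -v exim 2>/dev/null || true
}

# Report SPF exposure of the live system:
#   return 0 = SPF compiled in (libspf2 relevant),
#   return 1 = no SPF support, return 2 = no Exim binary found.
check_live_system() {
    bin=$(exim_binary)
    if [ -z "$bin" ]; then
        echo "no exim binary found"
        return 2
    fi
    if "$bin" -bV 2>/dev/null | bv_has_spf; then
        echo "$bin: SPF support compiled in"
    else
        echo "$bin: no SPF support compiled in; libspf2 issue does not apply"
        return 1
    fi
    if ldd "$bin" 2>/dev/null | ldd_has_libspf2; then
        echo "$bin: dynamically linked against libspf2:"
        ldd "$bin" | grep 'libspf2\.so'
    fi
    # Installed library package version (Debian/Ubuntu only).
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='libspf2-2 package: ${Version}\n' libspf2-2 2>/dev/null \
            || echo "libspf2-2 package not installed"
    fi
    return 0
}

# Constructed sample `exim -bV` reports for offline checks of the parser.
SAMPLE_BV='Exim version 4.96 #2 built 01-Jan-2023 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PRDR SOCKS SPF TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch
Configuration file is /var/lib/exim4/config.autogenerated'

SAMPLE_BV_NOSPF='Exim version 4.96 #2 built 01-Jan-2023 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open'

# Run against the real host only when asked: sh check-spf.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live_system
fi
```

If `check_live_system` reports no SPF support, neither disabling the `spf` condition nor swapping libspf2 changes anything on that host; if it does, the `ldd` line shows exactly which libspf2 shared object Exim loads, which is the file the patched package must replace.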