oss-security - Re: RCE in Exim reported

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Sun, 26 Nov 2017 15:37:49 -0500
From: Leo Famulari <leo@...ulari.name>
To: oss-security@...ts.openwall.com
Subject: Re: RCE in Exim reported

On Sat, Nov 25, 2017 at 06:50:31PM -0500, Phil Pennock wrote:
> bugs.exim.org/2199 :
>   Use-after-free remote-code-execution
>   CVE-2017-16943
> 
> bugs.exim.org/2201 :
>   stack-exhaustion remote DoS
>   CVE-2017-16944
> 
> Fix for the former has been confirmed by the reporter and is in git.
> 
> The `exim-4_89+fixes` branch used by various OS packagers for major
> bug-fixes on top of the 4.89 release has the UAF fix backported.  Work
> on the DoS is under way.
> 
>   https://git.exim.org/exim.git/shortlog/refs/heads/exim-4_89+fixes

FYI, clicking on the commits from this page just gives the error
message:

400 - Invalid hash parameter

But the commit in question can be viewed here:

https://git.exim.org/exim.git/commit/4090d62a4b25782129cc1643596dc2f6e8f63bde

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.