Message-ID: <20190605151944.5z5b35kydy2yenvm@jumper.schlittermann.de>
Date: Wed, 5 Jun 2019 17:19:44 +0200
From: Heiko Schlittermann <hs@...marc.schlittermann.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2019-10149: Exim 4.87 to 4.91: possible
 remote exploit

The fix for CVE-2019-10149 is public now.

    https://git.exim.org/exim.git
    Branch exim-4_91+fixes.

Thank you to
    - Qualys for reporting it.
    - Jeremy for fixing it.
    - you for using Exim.

Sorry for the confusion about the public release. We were forced to react,
as details leaked.

The patch should apply cleanly to all affected versions (4.87->4.91). We
do not do a security release, as the official Exim version is at 4.92
already and older releases are considered to be outdated and not
supported by the developers anymore.

Please do not hesitate to contact us if you need help backporting the
fix.

Details of the commit:

    |commit d740d2111f189760593a303124ff6b9b1f83453d
    |gpg: Signature made Di 04 Jun 2019 11:27:33 CEST
    |gpg:                using RSA key D0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142
    |gpg:                issuer "hs@...littermann.de"
    |gpg: Good signature from "Heiko Schlittermann (Dresden) <hs@...littermann.de>" [full]
    |gpg:                 aka "Heiko Schlittermann (HS12-RIPE) <hs@...littermann.de>" [full]
    |gpg:                 aka "[jpeg image of size 4759]" [full]
    |gpg:                 aka "Heiko Schlittermann (Exim MTA Maintainer) <heiko@...m.org>" [full]
    |gpg:                 aka "Heiko Schlittermann (HS12-RIPE) <hs@...marc.schlittermann.de>" [undefined]
    |Author: Jeremy Harris <jgh146exb@...mail.org>
    |Date:   Mon May 27 21:57:31 2019 +0100
    |
    |   Fix CVE-2019-10149


    Best regards from Dresden/Germany
    Many greetings from Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
