Message-ID: <20231005160242.GA4750@openwall.com>
Date: Thu, 5 Oct 2023 18:02:43 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: zdi@...ndmicro.com
Subject: Re: Exim4 MTA CVEs assigned from ZDI

On Thu, Oct 05, 2023 at 10:17:41AM +0200, Heiko Schlittermann wrote:
> Hi ZDI,

If we want to talk to ZDI, we need to CC them explicitly - added.

ZDI - please let us all know if you have any comments on the below.

Also to ZDI, I think at this point it'd work best if you make all of the
available detail on these bugs public.  Will you, please?  The
advisories you published so far are non-specific to the point of being
almost useless beyond an initial heads-up.  Sorry for being so direct.

> zdi@...ndmicro.com <zdi@...ndmicro.com> (Mi 04 Okt 2023 23:01:37 CEST):
> > We have received a notification from the developers that these issues have been patched. We will be happy to update our advisories once they do so.
> >     https://exim.org/static/doc/security/CVE-2023-zdi.txt
>
> As publicly advertised, we patched only *a subset* of the issues. And
> those patches are available to the public. Unfortunately there is no
> confirmation from your side, whether those fixes really fix the issues.
>
> One of the open issues is related to libspf2, which Exim is a user of,
> but not responsible for.
>
>     ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
>
> And about exactly *this libspf2* issue Salvatore asked you for information.
>
> (As I did on Oct 1st already, along with the request for additional information on one of
> the other unfixed issues (DNSDB)). I didn't receive any response yet.
>
>     Best regards from Dresden/Germany
>     Viele Grüße aus Dresden
>     Heiko Schlittermann
> --
>  SCHLITTERMANN.de ---------------------------- internet & unix support -
>  Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
>  gnupg encrypted messages are welcome --------------- key ID: F69376CE -

Alexander