Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 5 Oct 2023 10:17:41 +0200
From: Heiko Schlittermann <>
Subject: Re: Exim4 MTA CVEs assigned from ZDI

Hi ZDI, <> (Mi 04 Okt 2023 23:01:37 CEST):
> We have received a notification from the developers that these issues have been patched. We will be happy to update our advisories once they do so.

As publicly advertised, we patched only *a subset* of the issues.  And
those patches are available to the public.  Unfortunately there is no
confirmation from your side, whether those fixes really fix the issues.

One of the open issues is related to libspf2, which is Exim a user of,
but not responsible for.

 ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032

And about exactly *this libspf2* issue Salvatore asked you for information.

(As I did on Oct 1st already, along with the request for additional information on one of
the other unfixed issues (DNSDB)). I didn't receive any response yet.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.