|
Message-ID: <ZSwP3jgBH4u2pkBV@jumper.schlittermann.de>
Date: Sun, 15 Oct 2023 18:14:22 +0200
From: Heiko Schlittermann <hs@...marc.schlittermann.de>
To: oss-security@...ts.openwall.com
Subject: New Exim security release 4.96.2 (was: Exim4 MTA CVEs assigned from
ZDI)
Dear Exim Users,
today we released 2 more fixes for the issues mentioned in the recent
CVEs.
The current latest official release is now: exim-4.96.2
- We fixed issues with the proxy protocol.
- We fixed issues in the `dnsdb` lookup subsystem.
- The remaining issue with `libspf2`, raised as CVE against Exim, can't
be addressed by us, as it seems to happen inside the library's code.
Library fixes are available.
@Users: Please update your installations.
@Distros: We don't provide a grace period for you now, as we consider
the issues quite public already and thus we do not want to put the fixes
under embargo for additional days.
See this link for a summary: https://exim.org/static/doc/security/CVE-2023-zdi.txt
Distribution points:
--------------------
- git://git.exim.org
tags:
- exim-4.96.2 [gpg signed]
branches:
- exim-4.96+security (based on exim-4.96) [gpg signed]
- exim-4.96.2+fixes (based on exim-4.96.2 with the fixes from exim-4.96+fixes) [gpg signed]
- tarballs for exim-4.96.2: https://ftp.exim.org/pub/exim/exim4/ [gpg signed]
GPG signatures are made by me (hs@...littermann.de, or Jeremy Harris
jgh@...mail.org).
For cross-verification the SHAX sums follow:
SHA256 (exim-4.96.2.tar.bz2) = a7b9c247a8dcdf72b37ef4a6db0a744f6d34f65b40ef376265ddeb35610bb432
SHA256 (exim-4.96.2.tar.gz) = a0e5fb9510d4e07704d1f7ca8b432ae069d3c522b31ce7ef5f7b4998ae777a53
SHA256 (exim-4.96.2.tar.xz) = 038e327e8d1e93d005bac9bb06fd22aec44d5028930d6dbe8817ad44bbfc1de6
SHA256 (exim-html-4.96.2.tar.bz2) = cbe648c98986be31e3f89c9546b4cf28e78443c7a2af3acf6a67fa2aaa990ae6
SHA256 (exim-html-4.96.2.tar.gz) = 34ea64215a6587b65493833b8bb710ff3aec59e3ea0c260902f4bbbda74d26b9
SHA256 (exim-html-4.96.2.tar.xz) = b7bc81cc30b4815f2dcb552c381e039eb5f9c97a357d1cb1dfa6f9814a933023
SHA256 (exim-pdf-4.96.2.tar.bz2) = d0dba21931958a9bbc31d08633db4b15424ef8b9dd601364ded240cda9ecf6f9
SHA256 (exim-pdf-4.96.2.tar.gz) = 9229b71e1bb123ed802d4c046896728f717a6e5aa24091fb71760dc603932de0
SHA256 (exim-pdf-4.96.2.tar.xz) = ff97856b90aa9653d5e46d2e93aa994009c4c7180ee1fbc9f95ea44b0e9adcaa
SHA256 (exim-postscript-4.96.2.tar.bz2) = 23f8ae976a13cdae8eb041af589255a730881035b63158d112e14a268c9b0c31
SHA256 (exim-postscript-4.96.2.tar.gz) = 9fa21bee7f9ecd8052301b1061f9a3b2e7d7b4452a5fe5826835f1f8566721e0
SHA256 (exim-postscript-4.96.2.tar.xz) = c35d4888d2cccc1e32561376d81f0592cf2309ed2ca23aae4d171169ee57522b
SHA512 (exim-4.96.2.tar.bz2) = 97041a51dae3f0840bc4b225bc63dbbe47924abcf400edd751545b687b608bedc8ebabf5ee6ae60d03ee93c74697cd58710fa48940d4df0cd96c0683b1f29da0
SHA512 (exim-4.96.2.tar.gz) = 4ff50a595936030e0ed070307f1e45bdc7316a1adce9a29554f60490e292b14332945d7b5b3c7bd0e2293873973eda6dd9b9f5b5cdfcf6c020c4ac1a07caa999
SHA512 (exim-4.96.2.tar.xz) = dc9f6a114e64ac826489edff88d50a24195b64714428e691c10a7bfb119b3ebb6455bf80cbb34dfd0a4e2e44cbde72effb009357a8e0a6065e512fe32092e3ed
SHA512 (exim-html-4.96.2.tar.bz2) = 2a70b8ab5d690dfa70bbd780200eb6e37e59e14ee00a39958f4ba4c498da8957692483e404bd3303272141bce2342e579f2ef41a40b943167792dfdb7f0818fa
SHA512 (exim-html-4.96.2.tar.gz) = 9265a4f7e9a5adc635f5e16be49af57eb50dfc911f8dc73e511d438cdc02d2ba9ab95ef2b2eb7b786b04ac301a905bab6b3ae9acf692f9e35a577d70938852bc
SHA512 (exim-html-4.96.2.tar.xz) = 081b146a8d570edba9ffb41f927aead7237ca9228766a824328d11c06fd9765f554a2e1bad81d910a52d111dc8781a003bb8e3c404bffe8839c19bb6a3c9f95a
SHA512 (exim-pdf-4.96.2.tar.bz2) = c9a997f206a9b9d0ca60da355a87de2e234e59e2442d915fd3823d1e50fbb69af9f91503a8eafead37c110d217fdf4b4a5c6c314c3f02b8915c082d6cdb7130b
SHA512 (exim-pdf-4.96.2.tar.gz) = f4c4e59ffbe4b6a353144bee97fd1890826739fba5aad5978eb5d4555534977c78dd3cfc6b3ad87880308a0faffc36df0ffb4f8a97583b89747f33500f89335d
SHA512 (exim-pdf-4.96.2.tar.xz) = c35eea4ab5510bba50d22813b28c9d2f5e4e2fed76993693b997f2090024dde674d58dffe044cb64642bf57b83fcae3bfc3dbcae43288fae11692ee49374df74
SHA512 (exim-postscript-4.96.2.tar.bz2) = 40f191190f8e5d459dd777f8a46f1e247f65e9b2d416ff951197756f2272178b8e533c26141f4190e41a4d91c6696a084a2f0136cf34b1a0fb2f904f978f942f
SHA512 (exim-postscript-4.96.2.tar.gz) = 88df4712df5447ed3d5e2fd9b752e4d80ec5a03a3c1dbe2ca7ea88ce90dbed8e07d9116ce0d58219de4f99c3b025f1a42b9780bc03b8b548acc8e5f0c83de21c
SHA512 (exim-postscript-4.96.2.tar.xz) = 64182092b7e9bd59270ce88131cd3853def5ccfb3cb3a5384c4d88761b16795ca209a22200f28b21e4d9ecc0b3767ca4284279c75d49f9829fcc4f51cba9bc1f
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.