To: distros@vs.openwall.org, exim-maintainers@exim.org
From: [ do not use a dmarc protected sender ]

*** EMBARGO *** This information is not public yet.

CVE ID:     CVE-2019-15846
Credits:    Zerons <sironhide0null@gmail.com>, Qualys
Version(s): all versions up to and including 4.92.1
Issue:      The SMTP Delivery process in all versions up to and
            including Exim 4.92.1 has a Buffer Overflow.  In the default
            runtime configuration, this is exploitable with crafted Server
            Name Indication (SNI) data during a TLS negotiation. In other
            configurations, it is exploitable with a crafted client TLS certificate.
Details:    doc/doc-txt/cve-2019-15846 in the downloaded source tree

Contact:    security@exim.org

Proposed Timeline
=================

2019-09-03:
    - This notice to distros@vs.openwall.org and exim-maintainers@exim.org
    - Open limited access to our security Git repo. See below.

2019-09-04:
    - Heads-up notice to oss-security@lists.openwall.com,
      exim-users@exim.org, and exim-announce@exim.org
      about the upcoming security release

2019-09-06 10:00 UTC:
    - Coordinated release date
    - Publish the patches in our official and public Git repositories
      and the packages on our FTP/HTTP(S) server.

Downloads
=========

The downloads mentioned below are accessible only for a limited set of SSH
keys. At CRD they will be mirrored to the public repositories.
(Note: the repo names changed from the recently used ones.)

For release tarballs (exim-4.92.2):

    git clone --depth 1 ssh://git@git.exim.org/exim-packages-security

The package files are signed with my GPG key.

For the full Git repo:

    git clone ssh://git@exim.org/exim-security
    - tag    exim-4.92.2
    - branch exim-4.92.2+fixes

The tagged commit is the officially maintained version. The tag is signed
with my GPG key.  The +fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit
is signed with my GPG key.

If you need help backporting the patch, please contact us directly.
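
Added example (not part of the original notice and not Exim project code): one way to check that the exim-4.92.2 tag was signed by a pinned key rather than by any key in the local keyring. The notice does not give the key fingerprint, so the fingerprint, key ID and identity below are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. SAMPLE_FPR and the signer identity are constructed values;
# the real release key fingerprint must be obtained out of band.
SAMPLE_FPR=AAAABBBBCCCCDDDDEEEEFFFF0000111122223333

# check_gpg_status EXPECTED_FPR
# Reads GnuPG status lines on stdin. Succeeds only if there is a GOODSIG,
# no bad/expired/revoked marker, and a VALIDSIG whose signing-key or
# primary-key fingerprint equals EXPECTED_FPR. VALIDSIG alone is not
# enough: GnuPG also emits it alongside EXPKEYSIG and REVKEYSIG.
check_gpg_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == toupper(want) ||
                             toupper($NF) == toupper(want)) { pinned = 1 }
        END { if (good && pinned && !bad) exit 0; exit 1 }
    '
}

# verify_tag REPO_DIR TAG EXPECTED_FPR
# `git verify-tag --raw` writes the status lines to stderr. The decision is
# made from those lines only; a missing tag yields no lines and fails.
verify_tag() {
    git -C "$1" verify-tag --raw "$2" 2>&1 >/dev/null | check_gpg_status "$3"
}

# Constructed status output for a good signature by SAMPLE_FPR.
sample_status() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000111122223333 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2019-09-03 1567500000 0 4 0 1 8 00 $SAMPLE_FPR
EOF
}

# Offline demonstration on the constructed sample.
sample_status | check_gpg_status "$SAMPLE_FPR" && echo "constructed sample accepted"

# Against the cloned repository (fingerprint variable is a placeholder):
#   verify_tag ./exim-security exim-4.92.2 "$EXIM_RELEASE_KEY_FPR"
```

The same status-line check works for the signed package files when gpg is run with `--status-fd 1 --verify`.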