Current File : //proc/thread-self/root/kunden/usr/share/doc/exim/doc/cve-2019-15846/posting-2.txt

To: exim-users@exim.org, exim-announce@exim.org, exim-maintainers@exim.org
From: [ do not use a dmarc protected sender ]

CVE ID:     CVE-2019-15846
Credits:    Zerons <sironhide0null@gmail.com>, Qualys
Version(s): all versions up to and including 4.92.1
Issue:      The SMTP Delivery process in all versions up to and
            including Exim 4.92.1 has a Buffer Overflow.  In the default
            runtime configuration, this is exploitable with crafted Server
            Name Indication (SNI) data during a TLS negotiation. In other
            configurations, it is exploitable with a crafted client TLS certificate.
Details:    doc/doc-txt/cve-2019-15846 in the downloaded source tree

Coordinated Release Date (CRD) for Exim 4.92.2:
            2019-09-06 10:00 UTC

Contact:    security@exim.org

We released Exim 4.92.2. This is a security update based on 4.92.1.

Downloads
=========

Starting at CRD the downloads will be available from the following
sources:

Release tarballs (exim-4.92.2):

    https://ftp.exim.org/pub/exim/exim4/

The package files are signed with my GPG key.

The full Git repo:

    https://git.exim.org/exim.git
    https://github.com/Exim/exim    [mirror of the above]
    - tag    exim-4.92.2
    - branch exim-4.92.2+fixes

The tagged commit is the officially released version. The tag is signed
with my GPG key.  The +fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit is
signed with my GPG key. The old exim-4.92.1+fixes branch is being functionally
replaced by the new exim-4.92.2+fixes branch.