602814 – (CVE-2016-9963) <mail-mta/exim-4.88: disclosure of private information (CVE-2016-9963)

Bug 602814 (CVE-2016-9963) - <mail-mta/exim-4.88: disclosure of private information (CVE-2016-9963)

Summary: <mail-mta/exim-4.88: disclosure of private information (CVE-2016-9963)

Status:	RESOLVED FIXED

Alias:	CVE-2016-9963

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://exim.org/static/doc/CVE-2016-...
Whiteboard:	A4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2016-12-16 11:55 UTC by Thomas Deutschmann (RETIRED)
Modified:	2017-01-30 09:17 UTC (History)
CC List:	3 users (show)

See Also:
Package list:	=mail-mta/exim-4.88
Runtime testing required:	---

Flags:	kensington: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Deutschmann (RETIRED) gentoo-dev

2016-12-16 11:55:13 UTC

From $URL:

Product:    Exim
Versions:   4.69 -> 4.87
Impact:     Possible leak of private information to a remote attacker
Reference:  https://bugs.exim.org/show_bug.cgi?id=1996 (placeholder currently)
Requester:  Heiko Schlittermann <hs@schlittermann.de> (Exim Developer)
Credits:    Bjoern Jacke <bjoern@j3e.de>

If several conditions are met, Exim leaks private information to
a remote attacker.

A patch exists and is under testing already.
Backports to older versions are under development.

As soon as the tests are passed we'll send an announcement
to the "Operating system distribution security contacts list" and
ask for packaging fixed versions.

Comment 1 Fabian Groffen gentoo-dev

2016-12-18 20:35:18 UTC

Upstream announced they released 4.88, but will make it public on the 25th, so no way for us to test/prepare.  I hope we can bump ASAP given this inconvenient time planning.

Comment 2 Fabian Groffen gentoo-dev

2016-12-25 11:57:37 UTC

exim-4.88 is now in the tree.

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2016-12-25 13:12:36 UTC

@ Arches,

please test and mark stable: =mail-mta/exim-4.88

Comment 4 Aaron Bauman (RETIRED) gentoo-dev

2016-12-27 22:55:14 UTC

amd64 stable

Comment 5 Sven E. 2016-12-28 04:30:07 UTC

There's also exim-4.87.1 which has no feature changes but only the CVE patched.

Comment 6 Agostino Sarubbo gentoo-dev

2016-12-29 10:59:17 UTC

x86 stable

Comment 7 Agostino Sarubbo gentoo-dev

2016-12-30 09:50:09 UTC

sparc stable

Comment 8 Agostino Sarubbo gentoo-dev

2016-12-30 11:21:45 UTC

ia64 stable

Comment 9 Agostino Sarubbo gentoo-dev

2017-01-01 13:10:27 UTC

ppc stable

Comment 10 Agostino Sarubbo gentoo-dev

2017-01-03 10:50:18 UTC

ppc64 stable

Comment 11 Tobias Klausmann (RETIRED) gentoo-dev

2017-01-05 12:36:40 UTC

Stable on alpha.

Comment 12 Jeroen Roovers (RETIRED) gentoo-dev

2017-01-29 10:43:23 UTC

Stable for HPPA.

Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-30 00:07:28 UTC

GLSA Vote: No

@ Maintainer(s): Please cleanup and drop <mail-mta/exim-4.88!

Comment 14 Fabian Groffen gentoo-dev

2017-01-30 07:46:39 UTC

done!