CVE-2023-51766: Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.

Indeed fixed in 4.97.1. Please stabilize.
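The description above turns on a dot line whose surrounding line endings are not both <CR><LF>. As an added example (not Exim's or Gentoo's code), this Python check scans a raw DATA-phase byte stream for such sequences; it goes beyond the <LF>.<CR><LF> case named above to cover every bare-<LF> or bare-<CR> variant, and the function name and sample bytes are constructed for illustration.

```python
import re

# A line consisting of a single "." plus the line endings on either side.
# The trailing ending is a lookahead so consecutive dot lines are all examined.
_DOT_LINE = re.compile(rb"(\r\n|\n|\r)\.(?=(\r\n|\n|\r))")

_NAMES = {b"\r\n": "<CR><LF>", b"\n": "<LF>", b"\r": "<CR>"}


def find_ambiguous_end_of_data(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, sequence) for each dot line that is not <CR><LF>.<CR><LF>.

    `data` is assumed to be the DATA-phase bytes exactly as received,
    before any line-ending normalisation (hypothetical helper, not an Exim API).
    """
    hits = []
    for m in _DOT_LINE.finditer(data):
        before, after = m.group(1), m.group(2)
        if before == b"\r\n" and after == b"\r\n":
            continue  # the only end-of-data sequence RFC 5321 defines
        hits.append((m.start(), f"{_NAMES[before]}.{_NAMES[after]}"))
    return hits


# Constructed sample: one <LF>.<CR><LF> inside the body, then the real terminator.
SAMPLE = b"Subject: test\r\n\r\nfirst part\n.\r\nsecond part\r\n.\r\n"
# Constructed sample: a dot-stuffed line and a standard terminator only.
CLEAN = b"Subject: test\r\n\r\nonly part\r\n..stuffed\r\n.\r\n"

if __name__ == "__main__":
    for offset, seq in find_ambiguous_end_of_data(SAMPLE):
        print(f"offset {offset}: non-standard end-of-data candidate {seq}")
```

A relay or filter that sees a hit can reject the message or rewrite the bare line ending before passing it on, so that the next hop cannot interpret the sequence differently.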
commit c11d2a7a9507bd2392e0c8c83e6719debbf18ab1
Author: Fabian Groffen <grobian@gentoo.org>
Date:   Fri Jan 12 12:56:22 2024 +0100

    mail-mta/exim: cleanup vulnerable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=885ac7b1a9d8098a326b2e38010dda5ab6534a71

commit 885ac7b1a9d8098a326b2e38010dda5ab6534a71
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-18 09:29:14 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-18 09:29:37 +0000

    [ GLSA 202402-18 ] Exim: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/914923
    Bug: https://bugs.gentoo.org/921520
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-18.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)