| Summary: | <mail-mta/exim-4.92.3: remotely triggerable buffer overflow in string_vformat() (CVE-2019-16928) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | psp <gentoo-bugzilla> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | grobian |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugs.exim.org/show_bug.cgi?id=2449 | | |
| Whiteboard: | B2 [glsa+ cve] | | |
| Package list: | mail-mta/exim-4.92.3 | | |
| Runtime testing required: | --- | | |
Description

psp 2019-11-26 23:02:38 UTC

CVE: CVE-2019-16928

amd64 stable
arm stable
sparc stable
x86 stable
ppc64 stable
ppc stable
ia64 stable

Comment #9 (Hans F. Nordhaug):

Why aren't version 4.92.2 and 4.92.3 removed from portage yet?

I see that "Gentoo Security" is assigned so I would also expect a GLSA. Maybe the security team is overloaded/understaffed?

(In reply to Hans F. Nordhaug from comment #9)
> Why aren't version 4.92.2 and 4.92.3 removed from portage yet?
>
> I see that "Gentoo Security" is assigned so I would also expect a GLSA.
> Maybe the security team is overloaded/understaffed?

Our process is:

1) Stabilise a patched version first;
2) Cleanup;
3) GLSA if applicable (may go to vote or immediate no GLSA if unstable)

Here, we are waiting on an arch team (HPPA). After an amount of time, we can poke arch teams though, but some are smaller/busier than others.

We are always happy to have new volunteers. I recently joined as a security padawan when only 1 person was active really, a few have now returned, but definitely need more help. This bug in particular as you can see had a poke and then ago was able to move on the bug.

Feel free to clean up, it's fine that exim is ~hppa only.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab06f843318c1b0b73d403e074b9ea75ac1f396c

commit ab06f843318c1b0b73d403e074b9ea75ac1f396c
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-03-20 08:50:12 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-03-20 08:50:12 +0000

    mail-mta/exim-4.92.2: drop vulnerable version (dropping hppa stable)

    hppa expressed to be ok with Exim dropped to ~hppa for them
    https://bugs.gentoo.org/701282#c11

    Bug: https://bugs.gentoo.org/701282
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-mta/exim/Manifest           |   2 -
 mail-mta/exim/exim-4.92.2.ebuild | 581 ---------------------------------------
 2 files changed, 583 deletions(-)

New GLSA request filed.

This issue was resolved and addressed in GLSA 202003-47 at https://security.gentoo.org/glsa/202003-47 by GLSA coordinator Thomas Deutschmann (whissi).