Incoming details.
CVE-2019-10149 Exim 4.87 to 4.91
================================

We received a report of a possible remote exploit. Currently there is no evidence of active use of this exploit. A patch exists already, is being tested, and backported to all versions we released since (and including) 4.87.

The severity depends on your configuration. It depends on how close to the standard configuration your Exim runtime configuration is. The closer the better.

Exim 4.92 is not vulnerable.

Next steps:

* t0: Distros will get access to our non-public security Git repo (access is granted based on the SSH keys that are known to us)
* t0+7d: Coordinated Release Date: Distros should push the patched version to their repos. The Exim maintainers will publish the fixed source to the official and public Git repo.

t0 is expected to be 2019-06-04, 10:00 UTC
t0+7d is expected to be 2019-06-04, 10:00 UTC

Timeline
--------

* 2019-05-27 Report from Qualys to exim-security list
* 2019-05-27 Patch provided by Jeremy Harris
* 2019-05-29 CVE-2019-10149 assigned from Qualys via RedHat
* 2019-06-03 This announcement
To clarify this: Details of the vulnerability are not public yet (will be in ~1 week), but it seems the latest version 4.92 is unaffected (which seems to be by coincidence, because this version is older than the discovery of the vuln). We already have 4.92 in the tree, so stabilizing that gives us an option to protect users without knowing the details of the vuln. @maintainers: Can we go on with stabilizing?
Yes, 4.92 has been running for a while on my servers; it's ready to go stable IMO.
As discussed with the maintainer, Gentoo will move to >=mail-mta/exim-4.92. @Arches, please test and mark stable: =mail-mta/exim-4.92
x86 stable
ppc64 stable
amd64 stable
ppc stable
From Qualys Security Advisory:

========================================================================
Summary
========================================================================

During a code review of the latest changes in the Exim mail server (https://en.wikipedia.org/wiki/Exim), we discovered an RCE vulnerability in versions 4.87 to 4.91 (inclusive). In this particular case, RCE means Remote *Command* Execution, not Remote Code Execution: an attacker can execute arbitrary commands with execv(), as root; no memory corruption or ROP (Return-Oriented Programming) is involved.

This vulnerability is exploitable instantly by a local attacker (and by a remote attacker in certain non-default configurations). To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim's code, we cannot guarantee that this exploitation method is unique; faster methods may exist.

Exim is vulnerable by default since version 4.87 (released on April 6, 2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled manually.

Surprisingly, this vulnerability was fixed in version 4.92 (released on February 10, 2019):

https://github.com/Exim/exim/commit/7ea1237c783e380d7bdb86c90b13d8203c7ecf26
https://bugs.exim.org/show_bug.cgi?id=2310

but was not identified as a security vulnerability, and most operating systems are therefore affected. For example, we exploit an up-to-date Debian distribution (9.9) in this advisory.
New GLSA request filed.
sparc stable
ia64 stable
This issue was resolved and addressed in GLSA 201906-01 at https://security.gentoo.org/glsa/201906-01 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining arches.
hppa stable
alpha stable
arm stable, all arches done.
@maintainer(s), please clean.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4104b9c4bd8cbaba4712e6a8d4e6c8d120ba5c0

commit e4104b9c4bd8cbaba4712e6a8d4e6c8d120ba5c0
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2019-08-02 06:42:47 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2019-08-02 06:42:47 +0000

    mail-mta/exim: cleanup vulnerable CVE-2019-10149

    Bug: https://bugs.gentoo.org/687336
    Package-Manager: Portage-2.3.66, Repoman-2.3.16
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-mta/exim/Manifest                          |   2 -
 mail-mta/exim/exim-4.91-r2.ebuild               | 561 ---------------------
 .../exim/files/exim-4.74-localscan_dlopen.patch | 262 ----------
 3 files changed, 825 deletions(-)