Incoming details.
From $URL:

CVE ID: CVE-2019-15846
Version(s): up to and including 4.92.1
Issue: A local or remote attacker can execute programs with root privileges.
Details: Will be made public at CRD. Currently there is no known exploit, but a rudimentary POC exists.

Coordinated Release Date (CRD) for Exim 4.92.2: 2019-09-06 10:00 UTC

Proposed Timeline
=================

2019-09-03:
- initial notification to distros@...nwall.org and exim-maintainers@...m.org

2019-09-04: <-- NOW
- This Heads-up notice to oss-security@...ts.openwall.com, exim-users@...m.org, and exim-announce@...m.org

2019-09-06 10:00 UTC:
- Coordinated release date
- Notice to oss-security, exim-users, and exim-announce
- Publish the patches in our official and public Git repositories and the packages on our FTP server.

Downloads available starting at CRD (not yet)
=============================================

The downloads are not yet available. They will be made available at the above mentioned CRD.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c1968d993330fcd3d593e014de4d7eccfd05872

commit 5c1968d993330fcd3d593e014de4d7eccfd05872
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-09-06 13:16:23 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-09-06 13:17:49 +0000

    mail-mta/exim: bump to v4.92.2 (CVE-2019-15846)

    Ebuild changes:

    - EAPI bumped to EAPI=7

    Bug: https://bugs.gentoo.org/693494
    Package-Manager: Portage-2.3.75, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-mta/exim/Manifest | 2 +
 mail-mta/exim/exim-4.92.2.ebuild | 582 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 584 insertions(+)
Added to an existing GLSA.
x86 stable
This issue was resolved and addressed in GLSA 201909-06 at https://security.gentoo.org/glsa/201909-06 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
ppc/ppc64 stable
amd64 stable
sparc stable
arm stable
ia64 stable
hppa stable
I cannot find an issue for CVE-2019-16928. Is it hidden or does it not exist at all?
The CVE isn't this bug, but here's the email I copied its number from for 4.92.3: https://lists.exim.org/lurker/message/20190928.232024.589b2ef5.nl.html
alpha stable
all arches done
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=090c2b8964bdab171450acfbe10a585c23064118

commit 090c2b8964bdab171450acfbe10a585c23064118
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 18:15:52 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 18:15:52 +0000

    mail-mta/exim: security cleanup (#693494)

    Bug: https://bugs.gentoo.org/693494
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-mta/exim/Manifest | 4 -
 mail-mta/exim/exim-4.92-r3.ebuild | 563 -----------------------------------
 mail-mta/exim/exim-4.92-r4.ebuild | 578 ------------------------------------
 mail-mta/exim/exim-4.92.1-r1.ebuild | 578 ------------------------------------
 4 files changed, 1723 deletions(-)
All done, repository is clean!