From: Brian Inglis
Reply-To: Brian.Inglis@SystematicSw.ab.ca
To: cygwin-apps@cygwin.com
Subject: Re: Exim upgrade to 4.92.3 needed for multiple CVEs
Date: Fri, 04 Oct 2019 08:16:00 -0000
In-Reply-To: <6711ad86-054a-1ab5-b43c-d59e94985bc3@SystematicSw.ab.ca>

On 2019-09-20 11:10, Brian Inglis wrote:
> Exim official upgrade to 4.92.2 urgently needed to include patch for published CVE:
> https://securityboulevard.com/2019/09/sysadmins-scramble-to-secure-5m-exim-email-servers/
> https://exim.org/static/doc/security/CVE-2019-15846.txt
https://access.redhat.com/security/security-updates/#/cve?q=exim&p=1&sort=cve_publicDate%20desc&rows=100&documentKind=Cve

Since the "current" 4.86 release in 2015-10, another CVE, another upgrade required:

https://access.redhat.com/security/cve/cve-2019-16928
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
http://exim.org/static/doc/security/CVE-2019-16928.txt

Also earlier this year:

https://access.redhat.com/security/cve/cve-2019-15846
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.
https://exim.org/static/doc/security/CVE-2019-15846.txt

https://access.redhat.com/security/cve/cve-2019-13917
Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort} expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).
https://exim.org/static/doc/security/CVE-2019-13917.txt

https://access.redhat.com/security/cve/cve-2019-10149
A flaw was found in the way exim validated recipient addresses. A remote attacker could use this flaw to execute arbitrary commands on the exim server with the permissions of the user running the application.
https://exim.org/static/doc/security/CVE-2019-10149.txt

and last:

https://access.redhat.com/security/cve/cve-2018-6789
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.
https://exim.org/static/doc/security/CVE-2018-6789.txt

and:

https://access.redhat.com/security/cve/cve-2017-16944
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.

https://access.redhat.com/security/cve/cve-2017-16943
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.

Mitigation: if you are running Exim 4.88 or newer, then in the main section of your Exim configuration, set:

    chunking_advertise_hosts =

This disables advertising the ESMTP CHUNKING extension, making the BDAT verb unavailable and avoids letting an attacker apply the logic.

https://access.redhat.com/security/cve/cve-2017-1000369
Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch, but it is not known if a new point release is available that addresses this issue at this time.

Statement: Exim itself is not vulnerable to privilege escalation, but this particular flaw in exim can be used by the stackguard vulnerability (https://access.redhat.com/security/vulnerabilities/stackguard) to achieve privilege escalation.

https://access.redhat.com/security/cve/cve-2016-9963
It was found that Exim leaked DKIM signing private keys to the "mainlog" log file. As a result, an attacker with access to system log files could potentially access these leaked DKIM private keys.
http://exim.org/static/doc/security/CVE-2016-9963.txt

https://access.redhat.com/security/cve/cve-2016-1531
Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.
http://exim.org/static/doc/security/CVE-2016-1531.txt

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains too much technical detail.
Reader discretion is advised.
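As an added example, not from Brian's post or the Exim project: a small Python check that takes an Exim version string and reports which of the CVEs quoted above cover it, using the affected ranges exactly as the post states them (so a packager can see at a glance what the 4.86 release is exposed to). Assumptions: ranges phrased as "4.88 and 4.89" or "4.89 and earlier" with no stated fix release are taken to end at 4.90, and CVE-2019-10149 and CVE-2016-9963 are left out because the post gives no version range for them.

```python
"""Which of the Exim CVEs listed in the post apply to a given Exim version?

Affected ranges are transcribed from the post.  CVE-2019-10149 and
CVE-2016-9963 are omitted because the post states no version range for them.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '4.92' or '4.92.2' into a 3-tuple so that '4.92' == '4.92.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected Exim version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


# (cve, first affected release or None for "all earlier", first fixed release, note)
# "X through Y" and "X and Y" are read as: affected from X.0 up to, but excluding, the fix.
# Where the post names no fix (the 2017 BDAT and "-p" issues), 4.90 is ASSUMED here.
ADVISORIES: List[Tuple[str, Optional[str], str, str]] = [
    ("CVE-2019-16928", "4.92", "4.92.3", "heap overflow in string_vformat via long EHLO"),
    ("CVE-2019-15846", None, "4.92.2", "root RCE via trailing backslash"),
    ("CVE-2019-13917", "4.85", "4.92.1", "root RCE via ${sort} on attacker-controlled items"),
    ("CVE-2018-6789", None, "4.90.1", "buffer overflow in base64d"),
    ("CVE-2017-16944", "4.88", "4.90", "DoS via BDAT; mitigate: chunking_advertise_hosts ="),
    ("CVE-2017-16943", "4.88", "4.90", "use-after-free via BDAT; same mitigation"),
    ("CVE-2017-1000369", None, "4.90", "leaked -p allocations, usable with stackguard"),
    ("CVE-2016-1531", None, "4.86.2", "local privesc via perl_startup when setuid root"),
]


def applicable_cves(version: str) -> List[str]:
    """Return the CVE ids from the post whose affected range contains `version`."""
    v = parse_version(version)
    hits = []
    for cve, first, fixed, _note in ADVISORIES:
        in_lower_bound = first is None or v >= parse_version(first)
        if in_lower_bound and v < parse_version(fixed):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # 4.86 is the Cygwin package the post calls "current"; 4.92.3 is the requested upgrade.
    for candidate in ("4.86", "4.89", "4.92.2", "4.92.3"):
        print(candidate, "->", ", ".join(applicable_cves(candidate)) or "none of the listed CVEs")
```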