multiple CVE's

Adi Kriegisch adi at cg.tuwien.ac.at
Fri Sep 29 13:10:57 BST 2023


Dear maintainers,

you probably already noticed that ZDI published several CVEs related to
Exim:
* CVE-2023-42114 [CVSS 3.7]
* CVE-2023-42115 [CVSS 9.8]
* CVE-2023-42116 [CVSS 8.1]
* CVE-2023-42117 [CVSS 8.1]
* CVE-2023-42118 [CVSS 7.5]
* CVE-2023-42119 [CVSS 3.1]

There also seem to be issues in Exim's bug tracker related to those:
https://bugs.exim.org/show_bug.cgi?id=2999
https://bugs.exim.org/show_bug.cgi?id=3000
https://bugs.exim.org/show_bug.cgi?id=3001
https://bugs.exim.org/show_bug.cgi?id=3002
https://bugs.exim.org/show_bug.cgi?id=3003
of which only one (#3001) seems to be publicly viewable. The five issues
above seem to have been created around mid May 2023 which is in line
with what ZDI states in their advisories:
...
  04/25/23 – The vendor asked us to re-send the reports.
  05/10/23 – ZDI sent the vulnerability to the vendor. 
...
According to ZDI the original reports were sent in June 2022.

My questions are: is ZDI wrong with their CVSS, especially on the remote
command execution part? Two times 8.1 and one time 9.8 with no reaction
on the Exim side and plenty of time to push out a fix just seems
strange. I'd rather expect some "...security release ahead"[1] mail
upfront.

Can you comment on any timeline for fixes? Are there any mitigations?

-- Adi

[1] https://lists.exim.org/lurker/message/20210421.123632.08bb711a.en.html