multiple CVE's
u34 at net9.cf
Fri Sep 29 22:15:50 BST 2023
Adi Kriegisch <adi at cg.tuwien.ac.at> wrote:
> Dear maintainers,
>
> you probably already noticed that ZDI published several CVEs related to
> Exim:
> * CVE-2023-42114 [CVSS 3.7]
> * CVE-2023-42115 [CVSS 9.8]
> * CVE-2023-42116 [CVSS 8.1]
> * CVE-2023-42117 [CVSS 8.1]
> * CVE-2023-42118 [CVSS 7.5]
> * CVE-2023-42119 [CVSS 3.1]
>
> There also seem to be issues in Exim's bug tracker related to those:
> https://bugs.exim.org/show_bug.cgi?id=2999
> https://bugs.exim.org/show_bug.cgi?id=3000
> https://bugs.exim.org/show_bug.cgi?id=3001
> https://bugs.exim.org/show_bug.cgi?id=3002
> https://bugs.exim.org/show_bug.cgi?id=3003
> of which only one (#3001) seems to be publicly viewable. The five issues
> above seem to have been created around mid May 2023 which is in line
> with what ZDI states in their advisories:
> ...
> 04/25/23 – The vendor asked us to re-send the reports.
> 05/10/23 – ZDI sent the vulnerability to the vendor.
> ...
> According to ZDI the original reports were sent in June 2022.
>
> My questions are: is ZDI wrong with their CVSS, especially on the remote
> command execution part? Two times 8.1 and one time 9.8 with no reaction
> on the Exim side and plenty of time to push out a fix just seems
> strange. I'd rather expect some "...security release ahead"[1] mail
> upfront.
>
> Can you comment on any timeline for fixes? Are there any mitigations?
Hello,
I am not affiliated with the maintainers. Nor with Debian. Nor with Exim.
Nor with anyone other than myself.
Your questions seem to me to be discussed at
https://www.openwall.com/lists/oss-security/2023/09/29/5 . Which is
mentioned at https://security-tracker.debian.org/tracker/CVE-2023-42114 .
--
u34
>
> -- Adi
>
> [1] https://lists.exim.org/lurker/message/20210421.123632.08bb711a.en.html
More information about the Pkg-exim4-users mailing list