Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 25 Nov 2017 18:50:31 -0500
From: Phil Pennock <>
Subject: Re: RCE in Exim reported

On 2017-11-24 at 22:59 -0500, Phil Pennock wrote:
> In Post-Thanksgiving mail-catchup, I see that the Exim Project was
> gifted with a couple of surprises in our public bugtracker on Thursday
> morning.  Complete with proof-of-concept small Python script.
> I've requested CVEs, don't have them yet. :
  Use-after-free remote-code-execution
  CVE-2017-16943 :
  stack-exhaustion remote DoS

Fix for the former has been confirmed by the reporter and is in git.

The `exim-4_89+fixes` branch used by various OS packagers for major
bug-fixes on top of the 4.89 release has the UAF fix backported.  Work
on the DoS is under way.

Jeremy has created a `` branch with work for 4.91, which includes
re-working the API for the allocator which allowed the use-after-free to
creep in.


Download attachment "signature.asc" of type "application/pgp-signature" (997 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ