Date: Sun, 26 Nov 2017 15:37:49 -0500
From: Leo Famulari <leo@...ulari.name>
To: oss-security@...ts.openwall.com
Subject: Re: RCE in Exim reported

On Sat, Nov 25, 2017 at 06:50:31PM -0500, Phil Pennock wrote:
> bugs.exim.org/2199 :
>   Use-after-free remote-code-execution
>   CVE-2017-16943
>
> bugs.exim.org/2201 :
>   stack-exhaustion remote DoS
>   CVE-2017-16944
>
> Fix for the former has been confirmed by the reporter and is in git.
>
> The `exim-4_89+fixes` branch used by various OS packagers for major
> bug-fixes on top of the 4.89 release has the UAF fix backported. Work
> on the DoS is under way.
>
> https://git.exim.org/exim.git/shortlog/refs/heads/exim-4_89+fixes

FYI, clicking on the commits from this page just gives the error
message:

400 - Invalid hash parameter

But the commit in question can be viewed here:

https://git.exim.org/exim.git/commit/4090d62a4b25782129cc1643596dc2f6e8f63bde