Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 7 Feb 2018 11:39:43 +0100
From: Heiko Schlittermann <>
Subject: CVE-2018-6789 Exim 4.90 and earlier: buffer overflow

CVE-2018-6789 Exim 4.90 and earlier

There is a buffer overflow in an utility function, if some pre-conditions
are met.  Using a handcrafted message, remote code execution seems to be

A patch exists already and is being tested.

Currently we're unsure about the severity, we *believe*, an exploit
is difficult. A mitigation isn't known.

Next steps:

* t0:     Distros will get access to our "security" non-public git repo
          (based on the SSH keys known to us)
* t0 +7d: Patch will be published on the official public git repo

t0 will be around 2018-02-08.


* 2018-02-05 Report from Meh Chang <> via exim-security mailing list
* 2018-02-06 Request CVE on (heiko)
* 2018-02-07 Announcement to the public via exim-users, exim-maintainers
             mailing lists and on oss-security mailing list

Updates will follow. Here and on
(Link will start to exist around 11.00 UTC).

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.