Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 8 Feb 2018 17:57:00 +0100
From: Heiko Schlittermann <>
Subject: Re: CVE-2018-6789 Exim 4.90 and earlier: buffer overflow

Heiko Schlittermann <> (Mi 07 Feb 2018 11:39:43 CET):
> CVE-2018-6789 Exim 4.90 and earlier
> ===================================
> There is a buffer overflow in an utility function, if some pre-conditions
> are met.  Using a handcrafted message, remote code execution seems to be
> possible.
> Next steps:
> * t0:     Distros will get access to our "security" non-public git repo
>           (based on the SSH keys known to us)
> * t0 +7d: Patch will be published on the official public git repo
> t0 will be around 2018-02-08.

t0 is now. Distro maintainers please use the following repo URLs:

The full git repo:

    tag: exim-4_90_1

The tarballs git repo:

    tag: exim-4_90_1

The tags are signed with my key¹, as are the tarballs and my own

¹) If you get a warning about my key being expired, please refresh it
from the keyservers or from

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.