Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 4 Sep 2019 11:22:48 +0200
From: Heiko Schlittermann <hs@...marc.schlittermann.de>
To: oss-security <oss-security@...ts.openwall.com>,
	Exim Users <exim-users@...m.org>,
	Exim Announce <exim-announce@...m.org>
Subject: CVE-2019-15846: Exim - local or remote attacker can execute programs
 with root privileges.

*** Note: EMBARGO is still in effect!       ***
*** Distros must not publish any detail yet ***

Head up! Security release ahead!

CVE ID:     CVE-2019-15846
Version(s): up to and including 4.92.1
Issue:      A local or remote attacker can execute programs with root
            privileges.
Details:    Will be made public at CRD. Currently there is no known
            exploit, but a rudimentary POC exists.

Coordinated Release Date (CRD) for Exim 4.92.2:
            2019-09-06 10:00 UTC

Contact:    security@...m.org

Proposed Timeline
=================

2019-09-03:
    - initial notification to distros@...nwall.org and
      exim-maintainers@...m.org

2019-09-04: <-- NOW
    - This Heads-up notice to oss-security@...ts.openwall.com,
      exim-users@...m.org, and exim-announce@...m.org

2019-09-06 10:00 UTC:
    - Coordinated relase date
    - Notice to oss-security, exim-users, and exim-announce
    - Publish the patches in our official and public Git repositories
      and the packages on our FTP server.

Downloads available starting at CRD (not yet)
=============================================

The downloads are not yet available. They will be made available
at the above mentioned CRD.

Release tarballs (exim-4.92.2):

    https://ftp.exim.org/pub/exim/exim4/

The package files are signed with my GPG key.

The full Git repo:

    https://git.exim.org/exim.git
    https://github.com/Exim/exim    [mirror of the above]
    - tag    exim-4.92.2
    - branch exim-4.92.2+fixes

The tagged commit is the officially released version. The tag is signed
with my GPG key.  The +fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit is
signed with my GPG key. The old exim-4.92.1+fixes branch is being functionally
replaced by the new exim-4.92.2+fixes branch.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.