Date: Mon, 9 Sep 2019 14:50:52 -0400
From: Phil Pennock <pdp@...m.org>
To: exim-users@...m.org, oss-security@...ts.openwall.com
Subject: Re: Sv: [exim] CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges

On 2019-09-07 at 08:23 +0200, Heiko Schlittermann wrote:
> Phil Pennock <pdp@...m.org> (Sa 07 Sep 2019 02:52:56 CEST):
> > The connect ACL won't protect you against STARTTLS usage, which is far
> > more common for email than TLS-on-connect.
> >
> > I myself use the HELO ACL.
>
> This doesn't seem to be sufficient, you can start "submitting" a message to
> a remote Exim with the following sequence

Yeah sorry folks, that was a little embarrassing: my setup, and various
common configurations (including apparently RedHat's) enforce
EHLO-after-STARTTLS.  But that's Exim configuration, not hard-enforced in
the code.  "Be lenient in what you accept" ... bah humbug.

Exim's default configuration has included this check, at RCPT time (which
still works for our purposes) since commit 731c6a9043 in 2016, included in
releases 4.87 onwards.

So I use the HELO ACL and it's safe in "many" configurations, but we have
to be more cautious in recommending mitigating workarounds.

-Phil
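As an added illustration (not part of Phil's message, and not text from the Exim project): a minimal sketch, in Exim configuration syntax, of the two ACL hook points the message contrasts. Rules placed in the HELO ACL only run when the client actually says HELO/EHLO, so after STARTTLS they depend on the client re-issuing EHLO, which RFC 3207 requires but Exim does not enforce in code. The `require ... condition = ${if def:sender_helo_name}` rule is the RCPT-time check from Exim's default configuration that the message refers to: Exim clears `$sender_helo_name` when STARTTLS succeeds, so a client that skips the post-STARTTLS EHLO reaches RCPT with it undefined and is refused, which pushes it back through EHLO and therefore through the HELO ACL. The ACL names `acl_check_helo` and `acl_check_rcpt` are the conventional ones; the site-specific mitigation rule itself is not reproduced here, since the thread does not spell it out.

```exim
# Main section: hook ACLs into the SMTP phases.
acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_helo:
  # Any check placed here is evaluated only when the client sends
  # HELO/EHLO. After STARTTLS that happens only if the client sends
  # EHLO again (RFC 3207 says it must; Exim does not enforce it).
  #
  # deny  <site-specific mitigation rule goes here>  (illustrative placeholder)
  accept

acl_check_rcpt:
  # Exim resets $sender_helo_name when a TLS session starts, so a client
  # that went straight from STARTTLS to MAIL/RCPT arrives here with it
  # undefined. This rule (present in Exim's default configuration) makes
  # such a client go back and say EHLO, which re-runs acl_check_helo.
  require message   = nice hosts say HELO first
          condition = ${if def:sender_helo_name}

  # ... the usual recipient verification and policy checks follow ...
  accept
```

The practical consequence for anyone placing a workaround: a rule that must see every TLS session should sit at a phase the client cannot skip (RCPT, or MAIL) rather than relying on the HELO ACL alone, unless the configuration also carries the `def:sender_helo_name` requirement that forces the re-EHLO.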