Date: Thu, 5 Oct 2023 18:02:43 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: zdi@...ndmicro.com
Subject: Re: Exim4 MTA CVEs assigned from ZDI

On Thu, Oct 05, 2023 at 10:17:41AM +0200, Heiko Schlittermann wrote:
> Hi ZDI,

If we want to talk to ZDI, we need to CC them explicitly - added.

ZDI - please let us all know if you have any comments on the below.

Also to ZDI, I think at this point it'd work best if you make all of
the available detail on these bugs public.  Will you, please?  The
advisories you published so far are non-specific to the point of being
almost useless beyond an initial heads-up.  Sorry for being so direct.

> zdi@...ndmicro.com <zdi@...ndmicro.com> (Mi 04 Okt 2023 23:01:37 CEST):
> > We have received a notification from the developers that these issues have been patched. We will be happy to update our advisories once they do so.
> 
> https://exim.org/static/doc/security/CVE-2023-zdi.txt
> 
> As publicly advertised, we patched only *a subset* of the issues.  And
> those patches are available to the public.  Unfortunately there is no
> confirmation from your side, whether those fixes really fix the issues.
> 
> One of the open issues is related to libspf2, which Exim is a user of,
> but not responsible for.
> 
>  ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
> 
> And about exactly *this libspf2* issue Salvatore asked you for information.
> 
> (As I did on Oct 1st already, along with the request for additional information on one of
> the other unfixed issues (DNSDB)). I didn't receive any response yet.
> 
>     Best regards from Dresden/Germany
>     Viele Grüße aus Dresden
>     Heiko Schlittermann
> --
>  SCHLITTERMANN.de ---------------------------- internet & unix support -
>  Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
>  gnupg encrypted messages are welcome --------------- key ID: F69376CE -

Alexander
