GNU bug report logs -
#66304
exim vulnearable to CVE-2023-42115 et al
Previous Next
Reported by: Wilko Meyer <w <at> wmeyer.eu>
Date: Mon, 2 Oct 2023 10:48:01 UTC
Severity: normal
Tags: security
Done: John Kehayias <john.kehayias <at> protonmail.com>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 66304 in the body.
You can then email your comments to 66304 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#66304; Package
guix.
(Mon, 02 Oct 2023 10:48:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Wilko Meyer <w <at> wmeyer.eu>:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Mon, 02 Oct 2023 10:48:01 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi Guix,
Exim currently has unpatched vulnearabilities regarding its EXTERNAL
Auth driver as well as its SPA/NTLM authenticator.
According to the project[0] prospective fixes seem to be around the
corner. We should probably bump the Exim version we ship to a
non-vulnearable version as soon as one is available.
[0]: https://www.exim.org/static/doc/security/CVE-2023-zdi.txt
--
Kind regards,
Wilko Meyer
w <at> wmeyer.eu
Added tag(s) security.
Request was from
Ludovic Courtès <ludo <at> gnu.org>
to
control <at> debbugs.gnu.org.
(Wed, 04 Oct 2023 16:07:03 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org:
bug#66304; Package
guix.
(Thu, 05 Oct 2023 15:27:02 GMT)
Full text and
rfc822 format available.
Message #10 received at 66304 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/mail.scm (exim): Update to 4.96.1.
---
gnu/packages/mail.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 72d971eb77..e6923627f4 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -52,6 +52,7 @@
;;; Copyright © 2022 jgart <jgart <at> dismail.de>
;;; Copyright © 2022 ( <paren <at> disroot.org>
;;; Copyright © 2023 Timo Wilken <guix <at> twilken.net>
+;;; Copyright © 2023 Wilko Meyer <w <at> wmeyer.eu>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -1895,7 +1896,7 @@ (define-public msmtp
(define-public exim
(package
(name "exim")
- (version "4.96")
+ (version "4.96.1")
(source
(origin
(method url-fetch)
@@ -1909,7 +1910,7 @@ (define-public exim
(string-append "https://ftp.exim.org/pub/exim/exim4/old/"
file-name))))
(sha256
- (base32 "18ziihkpa23lybm7m2l9wp2farxw0bd5ng7xm9ylgcrfgf95d6i9"))))
+ (base32 "0g83cxkq3znh5b3r2a3990qxysw7d2l71jwcxaxzvq8pqdahgb4k"))))
(build-system gnu-build-system)
(arguments
(list #:phases
base-commit: ad5e4fe54a66c725dc03dedebf8e5c65723ccb74
prerequisite-patch-id: 5bde835de1e0f7e9cd752986da0585463713d745
prerequisite-patch-id: cda50d13de497f5c74c87b2def4ae6a7d5807305
prerequisite-patch-id: 7024afc52961b5947429f925c55265f29607c801
prerequisite-patch-id: 10a4f92340880065a5210c983cc878c98c075855
prerequisite-patch-id: e6610085f98fb881bada0bb27b59def23c3d7cc3
--
2.41.0
Reply sent
to
John Kehayias <john.kehayias <at> protonmail.com>:
You have taken responsibility.
(Fri, 06 Oct 2023 21:15:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
Wilko Meyer <w <at> wmeyer.eu>:
bug acknowledged by developer.
(Fri, 06 Oct 2023 21:15:02 GMT)
Full text and
rfc822 format available.
Message #15 received at 66304-done <at> debbugs.gnu.org (full text, mbox):
Hello,
On Thu, Oct 05, 2023 at 05:25 PM, Wilko Meyer wrote:
> * gnu/packages/mail.scm (exim): Update to 4.96.1.
> ---
> gnu/packages/mail.scm | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
> index 72d971eb77..e6923627f4 100644
> --- a/gnu/packages/mail.scm
> +++ b/gnu/packages/mail.scm
> @@ -52,6 +52,7 @@
> ;;; Copyright © 2022 jgart <jgart <at> dismail.de>
> ;;; Copyright © 2022 ( <paren <at> disroot.org>
> ;;; Copyright © 2023 Timo Wilken <guix <at> twilken.net>
> +;;; Copyright © 2023 Wilko Meyer <w <at> wmeyer.eu>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -1895,7 +1896,7 @@ (define-public msmtp
> (define-public exim
> (package
> (name "exim")
> - (version "4.96")
> + (version "4.96.1")
> (source
> (origin
> (method url-fetch)
> @@ -1909,7 +1910,7 @@ (define-public exim
> (string-append "https://ftp.exim.org/pub/exim/exim4/old/"
> file-name))))
> (sha256
> - (base32 "18ziihkpa23lybm7m2l9wp2farxw0bd5ng7xm9ylgcrfgf95d6i9"))))
> + (base32 "0g83cxkq3znh5b3r2a3990qxysw7d2l71jwcxaxzvq8pqdahgb4k"))))
> (build-system gnu-build-system)
> (arguments
> (list #:phases
>
> base-commit: ad5e4fe54a66c725dc03dedebf8e5c65723ccb74
> prerequisite-patch-id: 5bde835de1e0f7e9cd752986da0585463713d745
> prerequisite-patch-id: cda50d13de497f5c74c87b2def4ae6a7d5807305
> prerequisite-patch-id: 7024afc52961b5947429f925c55265f29607c801
> prerequisite-patch-id: 10a4f92340880065a5210c983cc878c98c075855
> prerequisite-patch-id: e6610085f98fb881bada0bb27b59def23c3d7cc3
Thanks for the patch and quickly noticing the security issues!
Pushed as add2a22ad7bcca2521432e3f486460138401d5a5 with some added
detail to the commit message. I tested that exim and a dependent builds.
John
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Sat, 04 Nov 2023 11:24:04 GMT)
Full text and
rfc822 format available.
This bug report was last modified 1 year and 232 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.