From unknown Tue Jun 24 05:13:16 2025
Subject: bug#66304: exim vulnerable to CVE-2023-42115 et al
Resent-From: Wilko Meyer
Resent-Date: Mon, 02 Oct 2023 10:48:01 +0000
To: 66304@debbugs.gnu.org
From: Wilko Meyer
Date: Mon, 02 Oct 2023 12:35:20 +0200
Message-ID: <87leclmhdp.fsf@wmeyer.eu>

Hi Guix,

Exim currently has unpatched vulnerabilities regarding its EXTERNAL Auth driver as well as its SPA/NTLM authenticator. According to the project[0] prospective fixes seem to be around the corner.

We should probably bump the Exim version we ship to a non-vulnerable version as soon as one is available.

[0]: https://www.exim.org/static/doc/security/CVE-2023-zdi.txt

--
Kind regards,

Wilko Meyer
w@wmeyer.eu

From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 04 12:06:44 2023
Date: Wed, 04 Oct 2023 18:06:08 +0200
Message-Id: <87lecibcen.fsf@gnu.org>
To: control@debbugs.gnu.org
From: Ludovic Courtès
Subject: control message for bug #66304

tags 66304 + security
quit

Subject: bug#66304: [PATCH] gnu: exim: Update to 4.96.1
References: <87leclmhdp.fsf@wmeyer.eu>
In-Reply-To: <87leclmhdp.fsf@wmeyer.eu>
Resent-From: Wilko Meyer
Resent-Date: Thu, 05 Oct 2023 15:27:02 +0000
To: 66304@debbugs.gnu.org
Cc: Wilko Meyer
From: Wilko Meyer
Date: Thu, 5 Oct 2023 17:25:18 +0200
Message-Id: <7c2c42679e0ec8205ce3718d988e17868e06169e.1696519379.git.w@wmeyer.eu>

* gnu/packages/mail.scm (exim): Update to 4.96.1.
--- gnu/packages/mail.scm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm index 72d971eb77..e6923627f4 100644 --- a/gnu/packages/mail.scm +++ b/gnu/packages/mail.scm @@ -52,6 +52,7 @@ ;;; Copyright © 2022 jgart ;;; Copyright © 2022 ( ;;; Copyright © 2023 Timo Wilken +;;; Copyright © 2023 Wilko Meyer ;;; ;;; This file is part of GNU Guix. ;;; @@ -1895,7 +1896,7 @@ (define-public msmtp (define-public exim (package (name "exim") - (version "4.96") + (version "4.96.1") (source (origin (method url-fetch) 
@@ -1909,7 +1910,7 @@ (define-public exim (string-append "https://ftp.exim.org/pub/exim/exim4/old/" file-name)))) (sha256 - (base32 "18ziihkpa23lybm7m2l9wp2farxw0bd5ng7xm9ylgcrfgf95d6i9")))) + (base32 "0g83cxkq3znh5b3r2a3990qxysw7d2l71jwcxaxzvq8pqdahgb4k")))) (build-system gnu-build-system) (arguments (list #:phases

base-commit: ad5e4fe54a66c725dc03dedebf8e5c65723ccb74
prerequisite-patch-id: 5bde835de1e0f7e9cd752986da0585463713d745
prerequisite-patch-id: cda50d13de497f5c74c87b2def4ae6a7d5807305
prerequisite-patch-id: 7024afc52961b5947429f925c55265f29607c801
prerequisite-patch-id: 10a4f92340880065a5210c983cc878c98c075855
prerequisite-patch-id: e6610085f98fb881bada0bb27b59def23c3d7cc3
--
2.41.0

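Review bot: the log entry that goes with the (version "4.96.1") change in the @@ -1895,7 +1896,7 @@ hunk says only "Update to 4.96.1." and gives no hint that this is a security update. The bump answers bug#66304 (CVE-2023-42115 et al), so the commit message should cite the bug number and the CVEs that 4.96.1 fixes, which lets anyone auditing the history find the fix.
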
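Review bot: the replacement base32 string on the (sha256 ...) line of the @@ -1909,7 +1910,7 @@ hunk is the only integrity check for the url-fetch source, and nothing in the patch says how the 4.96.1 tarball was authenticated before hashing. Note in the submission that the download was checked against upstream's release signature, or have the committer recompute the hash from an independently verified copy before pushing.
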
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Wilko Meyer
Subject: bug#66304: closed (Re: bug#66304: exim vulnerable to CVE-2023-42115 et al)
References: <87wmvz8ne9.fsf_-_@protonmail.com> <87leclmhdp.fsf@wmeyer.eu>
Reply-To: 66304@debbugs.gnu.org
Date: Fri, 06 Oct 2023 21:15:02 +0000
Content-Type: multipart/mixed; boundary="----------=_1696626902-2841-1"

This is a multi-part message in MIME format...

------------=_1696626902-2841-1
Content-Type: text/plain; charset="utf-8"

Your bug report

#66304: exim vulnerable to CVE-2023-42115 et al

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 66304@debbugs.gnu.org.

--
66304: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=66304
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

------------=_1696626902-2841-1
Content-Type: message/rfc822
Date: Fri, 06 Oct 2023 21:14:05 +0000
To: Wilko Meyer
From: John Kehayias
Subject: Re: bug#66304: exim vulnerable to CVE-2023-42115 et al
Message-ID: <87wmvz8ne9.fsf_-_@protonmail.com>
Cc: 66304-done@debbugs.gnu.org

Hello,

On Thu, Oct 05, 2023 at 05:25 PM, Wilko Meyer wrote:

> * gnu/packages/mail.scm (exim): Update to 4.96.1.
> --- > gnu/packages/mail.scm | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm > index 72d971eb77..e6923627f4 100644 > --- a/gnu/packages/mail.scm > +++ b/gnu/packages/mail.scm > @@ -52,6 +52,7 @@ > ;;; Copyright =C2=A9 2022 jgart > ;;; Copyright =C2=A9 2022 ( > ;;; Copyright =C2=A9 2023 Timo Wilken > +;;; Copyright =C2=A9 2023 Wilko Meyer > ;;; > ;;; This file is part of GNU Guix. > ;;; > @@ -1895,7 +1896,7 @@ (define-public msmtp > (define-public exim > (package > (name "exim") > - (version "4.96") > + (version "4.96.1") > (source > (origin > (method url-fetch) 
> @@ -1909,7 +1910,7 @@ (define-public exim > (string-append "https://ftp.exim.org/pub/exim/exim4/= old/" > file-name)))) > (sha256 > - (base32 "18ziihkpa23lybm7m2l9wp2farxw0bd5ng7xm9ylgcrfgf95d6i9"))= )) > + (base32 "0g83cxkq3znh5b3r2a3990qxysw7d2l71jwcxaxzvq8pqdahgb4k"))= )) > (build-system gnu-build-system) > (arguments > (list #:phases
>
> base-commit: ad5e4fe54a66c725dc03dedebf8e5c65723ccb74
> prerequisite-patch-id: 5bde835de1e0f7e9cd752986da0585463713d745
> prerequisite-patch-id: cda50d13de497f5c74c87b2def4ae6a7d5807305
> prerequisite-patch-id: 7024afc52961b5947429f925c55265f29607c801
> prerequisite-patch-id: 10a4f92340880065a5210c983cc878c98c075855
> prerequisite-patch-id: e6610085f98fb881bada0bb27b59def23c3d7cc3

Thanks for the patch and quickly noticing the security issues!

Pushed as add2a22ad7bcca2521432e3f486460138401d5a5 with some added detail to the commit message. I tested that exim and a dependent build.

John

------------=_1696626902-2841-1
Content-Type: message/rfc822
From: Wilko Meyer
To: bug-guix@gnu.org
Subject: exim vulnerable to CVE-2023-42115 et al
Date: Mon, 02 Oct 2023 12:35:20 +0200
Message-ID: <87leclmhdp.fsf@wmeyer.eu>

Hi Guix,

Exim currently has unpatched vulnerabilities regarding its EXTERNAL Auth driver as well as its SPA/NTLM authenticator. According to the project[0] prospective fixes seem to be around the corner.

We should probably bump the Exim version we ship to a non-vulnerable version as soon as one is available.

[0]: https://www.exim.org/static/doc/security/CVE-2023-zdi.txt

--
Kind regards,

Wilko Meyer
w@wmeyer.eu

------------=_1696626902-2841-1--