GNU bug report logs - #66304
exim vulnerable to CVE-2023-42115 et al


Package: guix;

Reported by: Wilko Meyer <w <at> wmeyer.eu>

Date: Mon, 2 Oct 2023 10:48:01 UTC

Severity: normal

Tags: security

Done: John Kehayias <john.kehayias <at> protonmail.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Wilko Meyer <w <at> wmeyer.eu>
Subject: bug#66304: closed (Re: bug#66304: exim vulnerable to CVE-2023-42115 et al)
Date: Fri, 06 Oct 2023 21:15:02 +0000
Your bug report

#66304: exim vulnerable to CVE-2023-42115 et al

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 66304 <at> debbugs.gnu.org.

-- 
66304: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=66304
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: John Kehayias <john.kehayias <at> protonmail.com>
To: Wilko Meyer <w <at> wmeyer.eu>
Cc: 66304-done <at> debbugs.gnu.org
Subject: Re: bug#66304: exim vulnerable to CVE-2023-42115 et al
Date: Fri, 06 Oct 2023 21:14:05 +0000
Hello,

On Thu, Oct 05, 2023 at 05:25 PM, Wilko Meyer wrote:

>     * gnu/packages/mail.scm (exim): Update to 4.96.1.
> ---
>  gnu/packages/mail.scm | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
> index 72d971eb77..e6923627f4 100644
> --- a/gnu/packages/mail.scm
> +++ b/gnu/packages/mail.scm
> @@ -52,6 +52,7 @@
>  ;;; Copyright © 2022 jgart <jgart <at> dismail.de>
>  ;;; Copyright © 2022 ( <paren <at> disroot.org>
>  ;;; Copyright © 2023 Timo Wilken <guix <at> twilken.net>
> +;;; Copyright © 2023 Wilko Meyer <w <at> wmeyer.eu>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -1895,7 +1896,7 @@ (define-public msmtp
>  (define-public exim
>    (package
>      (name "exim")
> -    (version "4.96")
> +    (version "4.96.1")
>      (source
>       (origin
>         (method url-fetch)
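Review bot: the commit message ("gnu/packages/mail.scm (exim): Update to 4.96.1.") does not say why the version is bumped; since 4.96 -> 4.96.1 is being done to pick up the fixes for CVE-2023-42115 et al, name the CVEs or link the advisory (https://www.exim.org/static/doc/security/CVE-2023-zdi.txt) in the message so anyone auditing which Guix revision first shipped the fix can find it without reading this thread.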
> @@ -1909,7 +1910,7 @@ (define-public exim
>                      (string-append "https://ftp.exim.org/pub/exim/exim4/old/"
>                                     file-name))))
>         (sha256
> -        (base32 "18ziihkpa23lybm7m2l9wp2farxw0bd5ng7xm9ylgcrfgf95d6i9"))))
> +        (base32 "0g83cxkq3znh5b3r2a3990qxysw7d2l71jwcxaxzvq8pqdahgb4k"))))
>      (build-system gnu-build-system)
>      (arguments
>       (list #:phases
>
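Review bot: the new base32 hash should be verified independently rather than taken from the patch: run `guix download` on the 4.96.1 tarball URL and compare the result with "0g83cxkq3znh5b3r2a3990qxysw7d2l71jwcxaxzvq8pqdahgb4k", and since this origin falls back to the "old/" directory on ftp.exim.org (context above), confirm the tarball still resolves at the primary location now that 4.96.1 supersedes 4.96. Building exim plus its dependents (`guix refresh -l exim` lists them) before pushing would also catch any breakage from the point release.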
> base-commit: ad5e4fe54a66c725dc03dedebf8e5c65723ccb74
> prerequisite-patch-id: 5bde835de1e0f7e9cd752986da0585463713d745
> prerequisite-patch-id: cda50d13de497f5c74c87b2def4ae6a7d5807305
> prerequisite-patch-id: 7024afc52961b5947429f925c55265f29607c801
> prerequisite-patch-id: 10a4f92340880065a5210c983cc878c98c075855
> prerequisite-patch-id: e6610085f98fb881bada0bb27b59def23c3d7cc3

Thanks for the patch and quickly noticing the security issues!

Pushed as add2a22ad7bcca2521432e3f486460138401d5a5 with some added
detail to the commit message. I tested that exim and a dependent build.

John


From: Wilko Meyer <w <at> wmeyer.eu>
To: bug-guix <at> gnu.org 
Subject: exim vulnerable to CVE-2023-42115 et al
Date: Mon, 02 Oct 2023 12:35:20 +0200
Hi Guix,

Exim currently has unpatched vulnerabilities regarding its EXTERNAL
Auth driver as well as its SPA/NTLM authenticator.

According to the project[0], prospective fixes seem to be around the
corner. We should probably bump the Exim version we ship to a
non-vulnerable version as soon as one is available.

[0]: https://www.exim.org/static/doc/security/CVE-2023-zdi.txt

-- 
Kind regards,

Wilko Meyer
w <at> wmeyer.eu



This bug report was last modified 1 year and 232 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.