Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#63946 - [exim] <4.92.3 CVE-2019-16928 (RCE)
Attached to Project:
Community Packages
Opened by Pascal Ernster (hardfalcon) - Sunday, 29 September 2019, 05:36 GMT
Last edited by Ivy Foster (escondida) - Friday, 11 October 2019, 20:09 GMT
Opened by Pascal Ernster (hardfalcon) - Sunday, 29 September 2019, 05:36 GMT
Last edited by Ivy Foster (escondida) - Friday, 11 October 2019, 20:09 GMT
|
DetailsUpstream has released exim 4.92.3, which fixes CVE-2019-16928 (an RCE using a heap-based buffer overflow, exploited by using an extraordinarily long EHLO string):
https://bugs.exim.org/show_bug.cgi?id=2449 https://www.openwall.com/lists/oss-security/2019/09/28/1 https://www.openwall.com/lists/oss-security/2019/09/28/4 Since this is a critical security vulnerability, I've chosen to not just flag the package as "out of date", but to also file a security bug to alert the security team. |
This task depends upon
Closed by Ivy Foster (escondida)
Friday, 11 October 2019, 20:09 GMT
Reason for closing: Implemented
Additional comments about closing: antrhaxx uploaded 4.92.3.
Friday, 11 October 2019, 20:09 GMT
Reason for closing: Implemented
Additional comments about closing: antrhaxx uploaded 4.92.3.
Comment by Ivy Foster (escondida) -
Friday, 11 October 2019, 20:09 GMT
4.92.3 is in [community] now. Thanks, anthraxx!