CVE-2018-6789
=============

There is a buffer overflow in a utility function, if some pre-conditions are met. Using a handcrafted message, remote code execution seems to be possible.

A patch exists already and is being tested.

Currently we're unsure about the severity; we *believe* an exploit is difficult.

A mitigation isn't known.

Next steps:

* t0: Distros will get access to our non-public security git repo (based on the SSH keys known to us)

      ssh://git@exim.org/exim.git           tag: exim-4_90_1
      ssh://git@exim.org/exim-packages.git  tag: exim-4_90_1

* t0 +7d: Patch will be published on the official public git repo

  UPDATE: Patch will be published 2018-02-10 18:00 UTC

Timeline (UTC)
--------------

* 2018-02-05 Report from Meh Chang via exim-security mailing list
* 2018-02-06 Request CVE on https://cveform.mitre.org/ (heiko): CVE-2018-6789
* 2018-02-07 Announcement to the public via exim-users, exim-maintainers mailing lists and on oss-security mailing list
* 2018-02-08 16:50 Grant restricted access to the security repo for distro maintainers
* 2018-02-09 One distro breaks the embargo

Scheduled:

* 2018-02-10 18:00 Grant public access to our official git repo.