resolver (which does validation of the data it receives), you're not
affected. We're working on a fix.
-Schedule
+Timeline
--------
-Currently we're in contact with the major distros and aim to release
-those fixes that are available as soon as possible. (Aiming Monday, Oct
-2nd.)
+- 2023-10-03 12:00 UTC
+ - The available fixes are published.
+ - A security release exim-4.96.1 is published.
+ - The major distributions follow.
+
+More patches will follow (coordinated with the major distros) as soon as
+they're available.
+
+Distribution points:
+--------------------
+- git://git.exim.org
+ branches:
+ - spa-auth-fixes (based on the current master) [commit IDs: 7bb5bc2c6 0519dcfb5 e17b8b0f1 04107e98d]
+ - exim-4.96+security (based on exim-4.96) [gpg signed]
+ - exim-4.96.1+fixes (based on exim-4.96.1 with the fixes from exim-4.96+fixes) [gpg signed]
+ tags:
+ - exim-4.96.1 [gpg signed]
+
+- tarballs for exim-4.96.1: https://ftp.exim.org/pub/exim/exim4/ [gpg signed]
+
+GPG signatures are made by me (hs@schlittermann.de, or Jeremy Harris
+jgh@wizmail.org).
More Details
CVSS Score: 7.5
Mitigation: Do not use the `spf` condition in your ACL
Subsystem: spf
-Remark: It is debatable if this should be filed against
- libspf2. There are hints (simon, #Exim IRC) that this
- is related to
- https://github.com/shevek/libspf2/pull/44
+Remark: This CVE should be filed against libspf2.
+ See: https://github.com/shevek/libspf2/issues/45
-ZDI-23-1473 | ZDI-CAN-17643 | CVE-2023-42219 | Exim Bug 3033
+ZDI-23-1473 | ZDI-CAN-17643 | CVE-2023-42119 | Exim Bug 3033
------------------------------------------------------------
Subject: dnsdb Out-Of-Bounds Read
CVSS Score: 3.1