git://git.exim.org / exim-website.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
clear statement on CVE-2023-42118
[exim-website.git] / templates / static / doc / security / CVE-2023-zdi.txt
diff --git a/templates/static/doc/security/CVE-2023-zdi.txt b/templates/static/doc/security/CVE-2023-zdi.txt
index 5edb2ec0bbf7c3c8fb864e85d03e502955589872..3b45efd74aef496f368e82dcd8bd5245a936fd3e 100644 (file)
--- a/templates/static/doc/security/CVE-2023-zdi.txt
+++ b/templates/static/doc/security/CVE-2023-zdi.txt
@@ -20,11 +20,30 @@ on or off.
   resolver (which does validation of the data it receives), you're not
   affected. We're working on a fix.
 
   resolver (which does validation of the data it receives), you're not
   affected. We're working on a fix.
 
-Schedule
+Timeline
 --------
 --------
-Currently we're in contact with the major distros and aim to release
-those fixes that are available as soon as possible. (Aiming Monday, Oct
-2nd.)
+- 2023-10-03 12:00 UTC 
+  - The available fixes are published.
+  - A security release exim-4.96.1 is published.
+  - The major distributions follow.
+
+More patches will follow (coordinated with the major distros) as soon as
+they're available.
+
+Distribution points:
+--------------------
+- git://git.exim.org
+  branches:
+  - spa-auth-fixes (based on the current master) [commit IDs: 7bb5bc2c6 0519dcfb5 e17b8b0f1 04107e98d]
+  - exim-4.96+security (based on exim-4.96) [gpg signed]
+  - exim-4.96.1+fixes (based on exim-4.96.1 with the fixes from exim-4.96+fixes) [gpg signed]
+  tags:
+  - exim-4.96.1 [gpg signed]
+
+- tarballs for exim-4.96.1: https://ftp.exim.org/pub/exim/exim4/ [gpg signed]
+
+GPG signatures are made by me (hs@schlittermann.de, or Jeremy Harris
+jgh@wizmail.org).
 
 
 More Details
 
 
 More Details
@@ -68,12 +87,10 @@ Subject:    libspf2 Integer Underflow
 CVSS Score: 7.5
 Mitigation: Do not use the `spf` condition in your ACL
 Subsystem:  spf
 CVSS Score: 7.5
 Mitigation: Do not use the `spf` condition in your ACL
 Subsystem:  spf
-Remark:     It is debatable if this should be filed against
-            libspf2. There are hints (simon, #Exim IRC) that this
-           is related to
-           https://github.com/shevek/libspf2/pull/44
+Remark:     This CVE should be filed against libspf2.
+            See: https://github.com/shevek/libspf2/issues/45
 
 
-ZDI-23-1473 | ZDI-CAN-17643 | CVE-2023-42219 | Exim Bug 3033
+ZDI-23-1473 | ZDI-CAN-17643 | CVE-2023-42119 | Exim Bug 3033
 ------------------------------------------------------------
 Subject:    dnsdb Out-Of-Bounds Read
 CVSS Score: 3.1
 ------------------------------------------------------------
 Subject:    dnsdb Out-Of-Bounds Read
 CVSS Score: 3.1
Exim website sources and generation scripts