Add CVE-2018-6789 to security/
author Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Wed, 7 Feb 2018 10:20:15 +0000 (11:20 +0100)
committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Wed, 7 Feb 2018 10:24:52 +0000 (11:24 +0100)
templates/static/doc/security/CVE-2018-6789.txt [new file with mode: 0644]

diff --git a/templates/static/doc/security/CVE-2018-6789.txt b/templates/static/doc/security/CVE-2018-6789.txt
new file mode 100644 (file)
index 0000000..d883939
--- /dev/null
@@ -0,0 +1,28 @@
+CVE-2018-6789
+=============
+
+There is a buffer overflow in an utility function, if some pre-conditions
+are met.  Using a handcrafted message, remote code execution seems to be
+possible.
+
+A patch exists already and is being tested.
+
+Currently we're unsure about the severity, we *believe*, an exploit
+is difficult. A mitigation isn't known.
+
+Next steps:
+
+* t0:     Distros will get access to our "security" non-public git repo
+          (based on the SSH keys known to us)
+* t0 +7d: Patch will be published on the official public git repo
+
+t0 will be around 2018-02-08.
+
+Timeline
+--------
+
+* 2018-02-05 Report from Meh Chang <meh@devco.re> via exim-security mailing list
+* 2018-02-06 Request CVE on https://cveform.mitre.org/ (heiko)
+             CVE-2018-6789
+* 2018-02-07 Announcement to the public via exim-users, exim-maintainers
+             mailing lists and on oss-security mailing list
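
Review bot: The opening paragraph ("buffer overflow in an utility function, if some pre-conditions are met") gives no affected-version range and does not say where a fixed version will be noted, so a reader cannot tell from this file whether their installation is exposed. Suggest adding an "Affected versions" line, even if it only says the range is still being determined. In "Next steps", t0 is defined only as "around 2018-02-08", which leaves the public patch date (t0 +7d) ambiguous; stating the planned calendar dates would let operators schedule the update, which matters more given the file also says "A mitigation isn't known". Minor wording: "an utility function" should read "a utility function", and "Currently we're unsure about the severity, we *believe*, an exploit is difficult" is a comma splice that would read better as two sentences.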