To: exim-users@exim.org, exim-announce@exim.org, exim-maintainers@exim.org
From: [ do not use a dmarc protected sender ]

CVE ID: CVE-2019-15846
Credits: Zerons, Qualys
Version(s): all versions up to and including 4.92.1
Issue: The SMTP Delivery process in all versions up to and including Exim 4.92.1 has a Buffer Overflow. In the default runtime configuration, this is exploitable with crafted Server Name Indication (SNI) data during a TLS negotiation. In other configurations, it is exploitable with a crafted client TLS certificate.
Details: doc/doc-txt/cve-2019-15846 in the downloaded source tree
Coordinated Release Date (CRD) for Exim 4.92.2: 2019-09-06 10:00 UTC
Contact: security@exim.org

We released Exim 4.92.2. This is a security update based on 4.92.1.

Downloads
=========

Starting at CRD the downloads will be available from the following sources:

Release tarballs (exim-4.92.2):
  https://ftp.exim.org/pub/exim/exim4/
  The package files are signed with my GPG key.

The full Git repo:
  https://git.exim.org/exim.git
  https://github.com/Exim/exim [mirror of the above]
  - tag exim-4.92.2
  - branch exim-4.92.2+fixes

The tagged commit is the officially released version. The tag is signed with my GPG key.

The +fixes branch isn't officially maintained, but contains useful patches *and* the security fix. The relevant commit is signed with my GPG key.

The old exim-4.92.1+fixes branch is being functionally replaced by the new exim-4.92.2+fixes branch.
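As an added triage aid (not part of this advisory or of the Exim project), the following script parses the version line printed by `exim -bV` and reports whether the reported release falls inside the affected range stated above (everything up to and including 4.92.1). The sample `-bV` output embedded below is constructed; the first-line format "Exim version X.Y.Z #N built ..." is what the real binary prints.

```python
import re
import subprocess

# Affected range from the advisory: every release up to and including 4.92.1.
LAST_VULNERABLE = (4, 92, 1)
FIXED_RELEASE = "4.92.2"

# Constructed sample outputs, standing in for a real `exim -bV` run.
SAMPLE_AFFECTED = (
    "Exim version 4.92.1 #3 built 25-Jul-2019 12:00:00\n"
    "Copyright (c) University of Cambridge, 1995 - 2018\n"
)
SAMPLE_FIXED = "Exim version 4.92.2 #1 built 06-Sep-2019 10:00:00\n"


def parse_version(bv_output: str) -> tuple:
    """Return the release number from `exim -bV` output as a tuple of ints.
    Short numbers are padded so '4.92' compares as (4, 92, 0)."""
    m = re.search(r"^Exim version (\d+(?:\.\d+)*)", bv_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Exim version' line found in output")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * max(0, 3 - len(parts)))


def is_affected(bv_output: str) -> bool:
    """True when the reported release is <= 4.92.1 (the advisory's bound).
    Caveat: a +fixes build or a distribution package may carry the fix under
    an older version string, so treat a 'True' here as a prompt to verify the
    installed package's changelog, not as proof of exposure."""
    return parse_version(bv_output) <= LAST_VULNERABLE


def check_local_exim() -> bool:
    """Run the installed exim binary if present; fall back to the sample."""
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_AFFECTED  # constructed fallback when no exim is installed
    return is_affected(out)


if __name__ == "__main__":
    verdict = "affected, upgrade to " + FIXED_RELEASE if check_local_exim() \
        else "not in the affected range"
    print("CVE-2019-15846:", verdict)
```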