The "spam" ACL condition code contained a sscanf() call with a %s

[exim.git] / doc / doc-txt / ChangeLog

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index b21876ec80d01d590d7c15b6d8d9bc7e93185405..4272704997bcbf174be14ab17cd38656de1cb265 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.506 2007/05/08 13:08:22 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.508 2007/05/14 18:56:25 magnus Exp $
 
 Change log file for Exim from version 4.21
 -------------------------------------------
@@ -25,6 +25,16 @@ PH/02 When an IPv6 address is converted to a string for single-key lookup
       ordinary lsearch keys. However, making the change in all cases is
       incompatible and would probably break a number of configurations.
 
+TK/01 Change PRVS address formatting scheme to reflect latests BATV draft
+      version.
+
+MH/01 The "spam" ACL condition code contained a sscanf() call with a %s
+      conversion specification without a maximum field width, thereby enabling
+      a rogue spamd server to cause a buffer overflow. While nobody in their
+      right mind would setup Exim to query an untrusted spamd server, an
+      attacker that gains access to a server running spamd could potentially
+      exploit this vulnerability to run arbitrary code as the Exim user.
+
 
 Exim version 4.67
 -----------------