X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/2e860c7601c03eb8b1f02a5035deb1ca966f9cc0..c3aefacc72991f4960486052775ab47cd83c5fae:/doc/doc-txt/cve-2019-15846/posting-0.txt diff --git a/doc/doc-txt/cve-2019-15846/posting-0.txt b/doc/doc-txt/cve-2019-15846/posting-0.txt new file mode 100644 index 000000000..90d754d3f --- /dev/null +++ b/doc/doc-txt/cve-2019-15846/posting-0.txt @@ -0,0 +1,59 @@ +To: distros@vs.openwall.org, exim-maintainers@exim.org +From: [ do not use a dmarc protected sender ] + +** EMBARGO *** This information is not public yet. + +CVE ID: CVE-2019-15846 +Credits: Zerons , Qualys +Version(s): all versions up to and including 4.92.1 +Issue: The SMTP Delivery process in all versions up to and + including Exim 4.92.1 has a Buffer Overflow. In the default + runtime configuration, this is exploitable with crafted Server + Name Indication (SNI) data during a TLS negotiation. In other + configurations, it is exploitable with a crafted client TLS certificate. +Details: doc/doc-txt/cve-2019-15846 in the downloaded source tree + +Contact: security@exim.org + +Proposed Timeline +================= + +2019-09-03: + - This notice to distros@vs.openwall.org and exim-maintainers@exim.org + - Open limited access to our security Git repo. See below. + +2019-09-04: + - Heads-up notice to oss-security@lists.openwall.com, + exim-users@exim.org, and exim-announce@exim.org + about the upcoming security release + +2019-09-06 10:00 UTC: + - Coordinated relase date + - Publish the patches in our official and public Git repositories + and the packages on our FTP/HTTP(S) server. + +Downloads +========= + +The downloads mentioned below are accessible only for a limited set of SSH +keys. At CRD they will be mirrored to the public repositories. +(Note: the repo names changed from the recently used ones.) + +For release tarballs (exim-4.92.2): + + git clone --depth 1 ssh://git@git.exim.org/exim-packages-security + +The package files are signed with my GPG key. + +For the full Git repo: + + git clone ssh://git@exim.org/exim-security + - tag exim-4.92.2 + - branch exim-4.92.2+fixes + +The tagged commit is the officially maintained version. The tag is signed +with my GPG key. The +fixes branch isn't officially maintained, but +contains useful patches *and* the security fix. The relevant commit +is signed with my GPG key. + +If you need help backporting the patch, please contact us directly.