Docs: Security release. Bug 3063

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 97468abe776ebdbdc6958bb0e1d707585d8aadab..c88454c1e2ea0be01f03b671d4acc57d4ab3bfae 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -2,67 +2,13 @@ This document describes *changes* to previous versions, that might
 affect Exim's operation, with an unchanged configuration file.  For new
 options, and new features, see the NewStuff file next to this ChangeLog.
 
 affect Exim's operation, with an unchanged configuration file.  For new
 options, and new features, see the NewStuff file next to this ChangeLog.
 

-Exim version 4.98
------------------
-
-JH/01 Support list of dkim results in the dkim_status ACL condition, making
-      it more usable in the data ACL.
-
-JH/02 Bug 3040: Handle error on close of the spool data file during reception. 
-      Previously This was only logged, on the assumption that errors would be
-      seen for a previous fflush().  However, a fuse filesystem has been
-      reported as showing this an error for the fclose().  The spool is now in
-      an uncertain state, and we have logged and responded acceptance.  Change
-      this to respond with a temp-reject, wipe spoolfiles, and log the error
-      detail.
-
-JH/03 Bug 3030: Fix handling of DNS servfail respons for DANE TLSA.  When hit
-      during a recipient verify callout, a QUIT command was attempted on the
-      now-closed callout channel, causing a paniclog entry.
-
-JH/04 Bug 3039: Fix handling of of an empty log_reject_target, with
-      a connection_reject log_selector, under tls_on_connect.  Previously
-      with this combination, when the connect ACL rejected, a spurious
-      paniclog entry was made.
-
-JH/05 Fix TLS resumption for TLS-on-connect.  This was broken by the advent
-      of loadbalancer-detection for resumption, in 4.96 - which tries to
-      use the EHLO response. SMTPS does not have one at the time it is starting
-      TLS.  Change the default for the smtp transport host_name_extract option
-      to be a static string, for TLS-on-connect cases; meaning that resumption
-      will always be attempted (unless deliberately overriden).
-
-JH/06 Bug 3054: Fix dnsdb lookup for a TXT record with multiple chunks, with a
-      chunk-separator specification.  This was broken by hardening introduced
-      for Bug 3031.
-
-JH/07 Bug 3050: Fix -bp for old message_id format spoolfiles.  Previously it
-      included the -H with the id; this also messed up exiqgrep.
-
-JH/08 Bug 3056: Tighten up parsing of DKIM DNS records.  Previously, whitespace
-      was not properly skipped and empty elements would cause mis-parsing.
-      Tighten parsing of DKIM header records.  Previously, all but lowercase
-      alpha chars would be ignored in potential tag names.
-
-JH/09 Bug 3057: Add heuristic for spotting mistyped IPv6 addresses in lists
-      being searched.  Previously we only had one for IPv4 addresses. Per the
-      documentation, the error results by default in a no-match result for the
-      list.  It is logged if the unknown_in_list log_selector is used.
-
-JH/10 Bug 3058: Ensure that a failing expansion in a router "set" option defers
-      the routing operation.  Previously it would silently stop routing the
-      message.
+Since Exim version 4.97
+-----------------------

 
 

-JH/11 Bug 3046: Fix queue-runs.  Previously, the arrivel of a notification or
-      info-request event close in time to a scheduled run timer could result in
-      the latter being missed, and no further queue scheduled runs being
-      initiated.  This ouwld be more likely on high-load systems.
-
-JH/12 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in
+JH/s1 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in

       LF-only mode (as detected from the first header line).  Previously we did
       accept that in (normal) CRLF mode; this has been raised as a possible
       LF-only mode (as detected from the first header line).  Previously we did
       accept that in (normal) CRLF mode; this has been raised as a possible

-      attack scenario (under the name "smtp smuggling").
-
+      attack scenario (under the name "smtp smuggling", CVE-2023-51766).

 
 
 Exim version 4.97
 
 
 Exim version 4.97

diff --git a/doc/doc-txt/cve-2023-51766 b/doc/doc-txt/cve-2023-51766
new file mode 100644 (file)
index 0000000..d066d87
--- /dev/null
+++ b/doc/doc-txt/cve-2023-51766
@@ -0,0 +1,69 @@
+CVE ID:     CVE-2023-51766
+Date:       2016-12-15
+Credits:    https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
+Version(s): all up to 4.97 inclusive
+Issue:      Given a buggy relay, Exim can be induced to accept a second message embedded
+            as part of the body of a first message
+
+Conditions
+==========
+
+If *all* the following conditions are met
+
+    Runtime options
+    ---------------
+
+    * Exim offers PIPELINING on incoming connections
+
+    * Exim offers CHUNKING on incoming connections
+
+    Operation
+    ---------
+
+    * DATA (as opposed to BDAT) is used for a message reception
+
+    * The relay host sends to the Exim MTA message data including
+      one of "LF . LF" or "CR LF . LF" or "LF . CR LF".
+
+    * Exim interprets the sequence as signalling the end of data for
+      the SMTP DATA command, and hence a first message.
+
+    * Exim interprets further input which the relay had as message body
+      data, as SMTP commands and data. This could include a MAIL, RCPT,
+      BDAT (etc) sequence, resulting in a further message acceptance.
+
+Impact
+======
+
+One or more messages can be accepted by Exim that have not been
+properly validated by the buggy relay.
+
+Fix
+===
+
+Install a fixed Exim version:
+
+    4.98 (once available)
+    4.97.1
+
+If you can't install one of the above versions, ask your package
+maintainer for a version containing the backported fix. On request and
+depending on our resources we will support you in backporting the fix.
+(Please note, that Exim project officially doesn't support versions
+prior the current stable version.)
+
+
+Workaround
+==========
+
+  Disable CHUNKING advertisement for incoming connections.
+
+  An attempt to "smuggle" a DATA command will trip a syncronisation
+  check.
+
+*or*
+
+  Disable PIPELINING advertisement for incoming connections.
+
+  The "smuggled" MAIL FROM command will then trip a syncronisation
+  check.