--- /dev/null
+CVE ID: CVE-2023-51766
+Date: 2016-12-15
+Credits: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
+Version(s): all up to 4.97 inclusive
+Issue: Given a buggy relay, Exim can be induced to accept a second message embedded
+ as part of the body of a first message
+
+Conditions
+==========
+
+If *all* the following conditions are met
+
+ Runtime options
+ ---------------
+
+ * Exim offers PIPELINING on incoming connections
+
+ * Exim offers CHUNKING on incoming connections
+
+ Operation
+ ---------
+
+ * DATA (as opposed to BDAT) is used for a message reception
+
+ * The relay host sends to the Exim MTA message data including
+ one of "LF . LF" or "CR LF . LF" or "LF . CR LF".
+
+ * Exim interprets the sequence as signalling the end of data for
+ the SMTP DATA command, and hence a first message.
+
+ * Exim interprets further input which the relay had as message body
+ data, as SMTP commands and data. This could include a MAIL, RCPT,
+ BDAT (etc) sequence, resulting in a further message acceptance.
+
+Impact
+======
+
+One or more messages can be accepted by Exim that have not been
+properly validated by the buggy relay.
+
+Fix
+===
+
+Install a fixed Exim version:
+
+ 4.98 (once available)
+ 4.97.1
+
+If you can't install one of the above versions, ask your package
+maintainer for a version containing the backported fix. On request and
+depending on our resources we will support you in backporting the fix.
+(Please note, that Exim project officially doesn't support versions
+prior the current stable version.)
+
+
+Workaround
+==========
+
+ Disable CHUNKING advertisement for incoming connections.
+
+ An attempt to "smuggle" a DATA command will trip a syncronisation
+ check.
+
+*or*
+
+ Disable PIPELINING advertisement for incoming connections.
+
+ The "smuggled" MAIL FROM command will then trip a syncronisation
+ check.
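Review bot: The Date field ("Date: 2016-12-15") does not fit the CVE-2023-51766 identifier on the line above it and looks carried over from an earlier advisory; it should carry the date of this advisory. In the Conditions section, "If *all* the following conditions are met" never reaches a conclusion, so state what follows when they are met (for example, that the installation is affected). The last two bullets under Operation describe what Exim then does rather than conditions an administrator can check, and would sit better under Issue or Impact. The Workaround section should name the configuration options that control CHUNKING and PIPELINING advertisement, with the value to set, so it can be applied without consulting the spec. "syncronisation" is misspelled in both workaround paragraphs, and "prior the current stable version" is missing "to".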