From: Heiko Schlittermann (HS12-RIPE) Date: Sat, 20 Jul 2019 09:43:49 +0000 (+0200) Subject: Add security postings for future reference X-Git-Tag: exim-4.92.2~2 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/57a4741ff7c55e97d2afff526c74d2cbeeb50a0e Add security postings for future reference --- diff --git a/doc/doc-txt/cve-2019-13917 b/doc/doc-txt/cve-2019-13917 deleted file mode 100644 index fd94da8a4..000000000 --- a/doc/doc-txt/cve-2019-13917 +++ /dev/null @@ -1,46 +0,0 @@ -CVE ID: CVE-2019-13917 -OVE ID: OVE-20190718-0006 -Date: 2019-07-18 -Credits: Jeremy Harris -Version(s): 4.85 up to and including 4.92 -Issue: A local or remote attacker can execute programs with root - privileges - if you've an unusual configuration. See below. - -Conditions to be vulnerable -=========================== - -If your configuration uses the ${sort } expansion for items that can be -controlled by an attacker (e.g. $local_part, $domain). The default -config, as shipped by the Exim developers, does not contain ${sort }. - -Details -======= - -The vulnerability is exploitable either remotely or locally and could -be used to execute other programs with root privilege. The ${sort } -expansion re-evaluates its items. - -Mitigation -========== - -Do not use ${sort } in your configuration. - -Fix -=== - -Download and build a fixed version: - - Tarballs: http://ftp.exim.org/pub/exim/exim4/ - Git: https://github.com/Exim/exim.git - - tag exim-4.92.1 - - branch exim-4.92+fixes - -The tagged commit is the officially released version. The +fixes branch -isn't officially maintained, but contains useful patches *and* the -security fix. - -If you can't install the above versions, ask your package maintainer for -a version containing the backported fix. On request and depending on our -resources we will support you in backporting the fix. (Please note, -that Exim project officially doesn't support versions prior the current -stable version.) 
diff --git a/doc/doc-txt/cve-2019-13917/initial-writeup b/doc/doc-txt/cve-2019-13917/initial-writeup new file mode 100644 index 000000000..fd94da8a4 --- /dev/null +++ b/doc/doc-txt/cve-2019-13917/initial-writeup @@ -0,0 +1,46 @@ +CVE ID: CVE-2019-13917 +OVE ID: OVE-20190718-0006 +Date: 2019-07-18 +Credits: Jeremy Harris +Version(s): 4.85 up to and including 4.92 +Issue: A local or remote attacker can execute programs with root + privileges - if you've an unusual configuration. See below. + +Conditions to be vulnerable +=========================== + +If your configuration uses the ${sort } expansion for items that can be +controlled by an attacker (e.g. $local_part, $domain). The default +config, as shipped by the Exim developers, does not contain ${sort }. + +Details +======= + +The vulnerability is exploitable either remotely or locally and could +be used to execute other programs with root privilege. The ${sort } +expansion re-evaluates its items. + +Mitigation +========== + +Do not use ${sort } in your configuration. + +Fix +=== + +Download and build a fixed version: + + Tarballs: http://ftp.exim.org/pub/exim/exim4/ + Git: https://github.com/Exim/exim.git + - tag exim-4.92.1 + - branch exim-4.92+fixes + +The tagged commit is the officially released version. The +fixes branch +isn't officially maintained, but contains useful patches *and* the +security fix. + +If you can't install the above versions, ask your package maintainer for +a version containing the backported fix. On request and depending on our +resources we will support you in backporting the fix. (Please note, +that Exim project officially doesn't support versions prior the current +stable version.) diff --git a/doc/doc-txt/cve-2019-13917/posting-2019-07-18.txt b/doc/doc-txt/cve-2019-13917/posting-2019-07-18.txt new file mode 100644 index 000000000..56ca10fa0 --- /dev/null +++ b/doc/doc-txt/cve-2019-13917/posting-2019-07-18.txt 
@@ -0,0 +1,72 @@ +To: distros@vs.openwall.org, exim-maintainers@exim.org +From: [ do not use a dmarc protected sender ] + +** EMBARGO *** This information is not public yet. + +CVE ID: CVE-2019-13917 +OVE ID: OVE-20190718-0006 +Date: 2019-07-18 +Credits: Jeremy Harris +Version(s): 4.85 up to and including 4.92 +Issue: A local or remote attacker can execute programs with root + privileges - if you've an unusual configuration. For details + see below. + +Contact: exim-security@exim.org + +Proposed Timeline +================= + +t0: NOW + - this notice to distros@vs.openwall.org and exim-maintainers@exim.org + - open limited access to our security Git repo. See below. + +t0+~4d: Mon Jul 22 10:00:00 UTC 2019 + - head-up notice to oss-security@lists.openwall.com, + exim-users@exim.org, and exim-announce@exim.org + +t0+~7d: Thu Jul 25 10:00:00 UTC 2019 + - Coordinated relase date + - publish the patches in our official and public Git repositories + and the packages on our FTP server. + +Downloads +========= + +For release tarballs (exim-4.92.1): + + git clone --depth 1 ssh://git@exim.org/exim-packages + +The package files are signed with my GPG key. + +For the full Git repo: + + git clone ssh://git@exim.org/exim + - tag exim-4.92.1 + - branch exim-4.92+fixes + +The tagged commit is the officially released version. The tag is signed +with my GPG key. The +fixes branch isn't officially maintained, but +contains useful patches *and* the security fix. The relevant commit +is signed with my GPG key. + +If you need help backporting the patch, please contact us directly. + +Conditions to be vulnerable +=========================== + +If your configuration uses the ${sort } expansion for items that can be +controlled by an attacker (e.g. $local_part, $domain). The default +config, as shipped by the Exim developers, does not contain ${sort }. 
+ +Details +======= + +The vulnerability is exploitable either remotely or locally and could +be used to execute other programs with root privilege. The ${sort } +expansion re-evaluates its items. + +Mitigation +========== + +Do not use ${sort } in your configuration. diff --git a/doc/doc-txt/cve-2019-13917/posting-2019-07-22.txt b/doc/doc-txt/cve-2019-13917/posting-2019-07-22.txt new file mode 100644 index 000000000..78da9905c --- /dev/null +++ b/doc/doc-txt/cve-2019-13917/posting-2019-07-22.txt 
@@ -0,0 +1,77 @@ +To: oss-security@lists.openwall.com, exim-users@exim.org, + exim-announce@exim.org +From: [ do not use a dmarc protected sender ] + +*** Note: EMBARGO is still in effect until July 25th, 10:00 UTC. *** +*** Distros must not publish any detail nor release updates yet. *** + +CVE ID: CVE-2019-13917 +OVE ID: OVE-20190718-0006 +Date: 2019-07-18 +Credits: Jeremy Harris +Version(s): 4.85 up to and including 4.92 +Issue: A local or remote attacker can execute programs with root + privileges - if you've an unusual configuration. For details + see below. + +Coordinated Release Date (CRD) for Exim 4.92.1: + Thu Jul 25 10:00:00 UTC 2019 + +Contact: exim-security@exim.org + +This is a *heads-up* notice about the upcoming release. +You may plan your availability and schedule an update of the Exim +packages supplied by your distribution or build the new release from the +source, once the release goes public on CRD. + +Details +======= + +We discovered a vulnerability. We consider the risk of an exploit as +low, you need to have a fairly unusual runtime configuration. Neither +our default runtime configuration nor the runtime configuration shipped +by the Debian distribution is vulnerable. + +The vulnerability is exploitable either remotely or locally and could +be used to execute other programs with root privilege. + +More details and fixes are not yet public, but will be made public on +CRD, July 25th. + +Timeline +======== + +t0: Thu Jul 18 2019 + - this notice to distros@vs.openwall.org and exim-maintainers@exim.org + - open limited access to our security Git repo. See below. + +t0+~4d: Mon Jul 22 10:00:00 UTC 2019 [NOW] + - heads-up notice to oss-security@lists.openwall.com, + exim-users@exim.org, and exim-announce@exim.org + +t0+~7d: Thu Jul 25 10:00:00 UTC 2019 + - Coordinated relase date + - publish the patches in our official and public Git repositories + and the packages on our FTP server. 
+ +Downloads available starting at CRD +==================================== + +For release tarballs (exim-4.92.1): + + http://ftp.exim.org/pub/exim/exim4/ + +The package files are signed with my GPG key. + +For the full Git repo: + + https://git.exim.org/exim.git + https://github.com/Exim/exim [mirror of the above] + - tag exim-4.92.1 + - branch exim-4.92.1+fixes + +The tagged commit is the officially released version. The tag is signed +with my GPG key. The +fixes branch isn't officially maintained, but +contains useful patches *and* the security fix. The relevant commit is +signed with my GPG key. The old exim-4.92+fixes branch is being functionally +replaced by the new exim-4.92.1+fixes branch. diff --git a/doc/doc-txt/cve-2019-13917/posting-2019-07-25.txt b/doc/doc-txt/cve-2019-13917/posting-2019-07-25.txt new file mode 100644 index 000000000..65a756bcc --- /dev/null +++ b/doc/doc-txt/cve-2019-13917/posting-2019-07-25.txt 
@@ -0,0 +1,86 @@ +To: exim-users@exim.org, exim-announce@exim.org, exim-maintainers@exim.org +From: [ do not use a dmarc protected sender ] + +CVE ID: CVE-2019-13917 +OVE ID: OVE-20190718-0006 +Date: 2019-07-18 +Credits: Jeremy Harris +Version(s): 4.85 up to and including 4.92 +Issue: A local or remote attacker can execute programs with root + privileges - if you've an unusual configuration. For details + see below. + +Coordinated Release Date (CRD) for Exim 4.92.1: + Thu Jul 25 10:00:00 UTC 2019 + +Contact: exim-security@exim.org + +We released Exim 4.92.1. This is a security update based on 4.92. + +Conditions to be vulnerable +=========================== + +If your configuration uses the ${sort } expansion for items that can be +controlled by an attacker (e.g. $local_part, $domain). The default +config, as shipped by the Exim developers, does not contain ${sort }. + +Details +======= + +The vulnerability is exploitable either remotely or locally and could +be used to execute other programs with root privilege. The ${sort } +expansion re-evaluates its items. + +Mitigation +========== + +Do not use ${sort } in your configuration. + +Fix +=== + +Install a fixed package supplied by your distribution. +or download and build a fixed version: + +For release tarballs (exim-4.92.1): + + http://ftp.exim.org/pub/exim/exim4/ + +The package files are signed with a key from the developers +key set: https://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc + +For the full Git repo: + + https://git.exim.org/exim.git + https://github.com/Exim/exim [mirror of the above] + - tag exim-4.92.1 + - branch exim-4.92.1+fixes + +The tagged commit is the officially released version. The tag is signed +with a key from the developers keyset. The +fixes branch isn't +officially maintained, but contains the security fix *and* useful +patches. The relevant commit is signed with a key from the developers +keyset. 
The old exim-4.92+fixes branch is being functionally replaced by +the new exim-4.92.1+fixes branch. + +If you can't install the above versions, ask your package maintainer for +a version containing the backported fix. On request and depending on our +resources we will support you in backporting the fix. (Please note, +that Exim project officially doesn't support versions prior the current +stable version.) + +Timeline +======== + +t0: Thu Jul 18 2019 + - this notice to distros@vs.openwall.org and exim-maintainers@exim.org + - open limited access to our security Git repo. See below. + +t0+~4d: Mon Jul 22 10:00:00 UTC 2019 [NOW] + - heads-up notice to oss-security@lists.openwall.com, + exim-users@exim.org, and exim-announce@exim.org + +t0+~7d: Thu Jul 25 10:00:00 UTC 2019 [NOW] + - Coordinated relase date + - publish the patches in our official and public Git repositories + and the packages on our FTP server.
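Review bot: the first two hunks (deletion of doc/doc-txt/cve-2019-13917 and addition of doc/doc-txt/cve-2019-13917/initial-writeup) carry the same blob, index fd94da8a4 on both sides, so this is a pure rename that the diff records as a 46-line delete plus a 46-line add; regenerating the patch with rename detection (`git show -M` or `git diff -M`) would record it as a rename and keep `git log --follow` history attached to the moved file. Note also that the path doc/doc-txt/cve-2019-13917 changes from a regular file to a directory, so any existing link to the old file path now lands on a directory listing rather than the advisory text.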
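Review bot: in the posting-2019-07-18.txt hunk, "Coordinated relase date" is a typo for "release" (it recurs in the 07-22 and 07-25 postings); since these files are archived copies of messages as sent, I would leave the text verbatim rather than silently correct the archive, but it is worth a line in the commit message. The same posting says "The package files are signed with my GPG key" and "The tag is signed with my GPG key" without naming the key or giving a fingerprint, so a recipient cannot verify the signature without out-of-band knowledge of whose key "my" refers to; the 07-25 posting fixes this by pointing at https://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc, and future embargo notices should carry that pointer from the first message onward.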
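Review bot: in the posting-2019-07-22.txt hunk, the Timeline entry for t0 still reads "- open limited access to our security Git repo. See below." but this posting's Downloads section lists only the public tarball and Git URLs that become available at CRD, so "See below" was carried over from the 07-18 distros notice and no longer points at anything in this message. Also, the tarball URL is plain http://ftp.exim.org/pub/exim/exim4/ while the later posting uses https for the keyring; the GPG signature on the packages covers integrity, but an https download URL would be consistent and would not depend on every recipient actually checking the signature.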
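Review bot: in the posting-2019-07-25.txt hunk, the Timeline marks both "t0+~4d: Mon Jul 22 10:00:00 UTC 2019 [NOW]" and "t0+~7d: Thu Jul 25 10:00:00 UTC 2019 [NOW]"; the first [NOW] is a leftover from the 07-22 posting and belongs on the CRD entry only. The same timeline repeats "open limited access to our security Git repo. See below." although the public release posting has no such section. Under Fix, "Install a fixed package supplied by your distribution." followed by "or download and build a fixed version:" has a stray full stop before "or". As with the other postings these are archive copies, so either keep them verbatim and say so in the commit message, or correct them consistently across all three files rather than in one.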