To: exim-users@exim.org, exim-announce@exim.org, exim-maintainers@exim.org
From: [ do not use a dmarc protected sender ]

CVE ID:     CVE-2019-13917
OVE ID:     OVE-20190718-0006
Date:       2019-07-18
Credits:    Jeremy Harris
Version(s): 4.85 up to and including 4.92
Issue:      A local or remote attacker can execute programs with root
            privileges - if you've an unusual configuration. For details
            see below.
Coordinated Release Date (CRD) for Exim 4.92.1: Thu Jul 25 10:00:00 UTC 2019
Contact:    exim-security@exim.org

We released Exim 4.92.1. This is a security update based on 4.92.

Conditions to be vulnerable
===========================

If your configuration uses the ${sort } expansion for items that can be
controlled by an attacker (e.g. $local_part, $domain). The default
config, as shipped by the Exim developers, does not contain ${sort }.

Details
=======

The vulnerability is exploitable either remotely or locally and could be
used to execute other programs with root privilege. The ${sort }
expansion re-evaluates its items.

Mitigation
==========

Do not use ${sort } in your configuration.

Fix
===

Install a fixed package supplied by your distribution, or download and
build a fixed version:

For release tarballs (exim-4.92.1):
    http://ftp.exim.org/pub/exim/exim4/

The package files are signed with a key from the developers key set:
    https://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc

For the full Git repo:
    https://git.exim.org/exim.git
    https://github.com/Exim/exim   [mirror of the above]
    - tag    exim-4.92.1
    - branch exim-4.92.1+fixes

The tagged commit is the officially released version. The tag is signed
with a key from the developers keyset. The +fixes branch isn't officially
maintained, but contains the security fix *and* useful patches. The
relevant commit is signed with a key from the developers keyset.

The old exim-4.92+fixes branch is being functionally replaced by the new
exim-4.92.1+fixes branch.

If you can't install the above versions, ask your package maintainer for
a version containing the backported fix. On request and depending on our
resources we will support you in backporting the fix. (Please note that
the Exim project officially doesn't support versions prior to the current
stable version.)

Timeline
========

t0:     Thu Jul 18 2019
        - this notice to distros@vs.openwall.org and exim-maintainers@exim.org
        - open limited access to our security Git repo. See below.

t0+~4d: Mon Jul 22 10:00:00 UTC 2019 [NOW]
        - heads-up notice to oss-security@lists.openwall.com,
          exim-users@exim.org, and exim-announce@exim.org

t0+~7d: Thu Jul 25 10:00:00 UTC 2019 [NOW]
        - Coordinated release date
        - publish the patches in our official and public Git repositories
          and the packages on our FTP server.
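The "Conditions to be vulnerable" and "Mitigation" sections above boil down to one question: does the running configuration use ${sort } on attacker-controlled items? The following POSIX shell script is an added example (not part of the advisory or of the Exim project) that audits a configuration file for exactly that; the sample configuration it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the advisory or the Exim project: a line-oriented
# audit of an Exim configuration for the ${sort } expansion it describes.

# Print every line containing a ${sort expansion, with its line number.
# Exim allows whitespace between "sort" and the first brace, so the pattern
# accepts either a blank or "{" after the operator name.
list_sort_expansions() {
    grep -n '[$][{]sort[[:space:]{]' "$1"
}

# Count ${sort lines that also mention $local_part or $domain, the
# attacker-controlled variables the advisory names. Prints 0 when none match.
# A line-based check cannot see expansions spread over continuation lines or
# fed from other untrusted data (lookups, headers); review those by hand.
count_risky_sort_lines() {
    awk '/[$][{]sort[[:space:]{]/ && /[$](local_part|domain)/ { n++ } END { print n + 0 }' "$1"
}

# Verdict: 0 = no ${sort } used, 1 = used without an obvious untrusted
# variable on the same line, 2 = combined with $local_part/$domain.
check_exim_config() {
    total=$(list_sort_expansions "$1" | wc -l)
    risky=$(count_risky_sort_lines "$1")
    if [ "$total" -eq 0 ]; then
        echo "$1: no \${sort } expansion found"
        return 0
    fi
    list_sort_expansions "$1"
    echo "$1: $total line(s) use \${sort }, $risky with \$local_part/\$domain"
    [ "$risky" -gt 0 ] && return 2
    return 1
}

# Constructed sample configuration for the demo (not a real deployment);
# writes it to a temporary file and prints the path.
write_sample_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# fixed item list: not attacker-controlled
domainlist sorted_domains = ${sort {c.example:b.example:a.example}{lti}{$item}}
# items derived from the recipient address: the advisory's condition
  data = ${sort {$local_part:$domain}{lti}{$item}}
EOF
    printf '%s\n' "$f"
}
```

Run `check_exim_config /path/to/exim.conf` against each configuration file (including any included files); an exit status of 2 means the advisory's condition is met on at least one line, and 1 means ${sort } is present and needs manual review.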