exim vulnearable to CVE-2023-42115 et al

Done

Details

3 participants

John Kehayias
Ludovic Courtès
Wilko Meyer

Owner: unassigned

Submitted by: Wilko Meyer

Severity: normal

Wilko Meyer wrote on 2 Oct 2023 12:35

Recipients:(address . bug-guix@gnu.org)

Message-ID:87leclmhdp.fsf@wmeyer.eu

Hi Guix,

Exim currently has unpatched vulnearabilities regarding its EXTERNAL

Auth driver as well as its SPA/NTLM authenticator.

According to the project[0] prospective fixes seem to be around the

corner. We should probably bump the Exim version we ship to a

non-vulnearable version as soon as one is available.

[0]: https://www.exim.org/static/doc/security/CVE-2023-zdi.txt

Kind regards,

Wilko Meyer

w@wmeyer.eu

Ludovic Courtès wrote on 4 Oct 2023 18:06

control message for bug #66304

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87lecibcen.fsf@gnu.org

tags 66304 + security

quit

Wilko Meyer wrote on 5 Oct 2023 17:25

[PATCH] gnu: exim: Update to 4.96.1

Recipients:(address . 66304@debbugs.gnu.org)(name . Wilko Meyer)(address . w@wmeyer.eu)

Message-ID:7c2c42679e0ec8205ce3718d988e17868e06169e.1696519379.git.w@wmeyer.eu

* gnu/packages/mail.scm (exim): Update to 4.96.1.

---

gnu/packages/mail.scm | 5 +++--

1 file changed, 3 insertions(+), 2 deletions(-)

Toggle diff (39 lines)diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 72d971eb77..e6923627f4 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -52,6 +52,7 @@
 ;;; Copyright © 2022 jgart <jgart@dismail.de>
 ;;; Copyright © 2022 ( <paren@disroot.org>
 ;;; Copyright © 2023 Timo Wilken <guix@twilken.net>
+;;; Copyright © 2023 Wilko Meyer <w@wmeyer.eu>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -1895,7 +1896,7 @@ (define-public msmtp
 (define-public exim
   (package
     (name "exim")
-    (version "4.96")
+    (version "4.96.1")
     (source
      (origin
        (method url-fetch)
@@ -1909,7 +1910,7 @@ (define-public exim
                     (string-append "https://ftp.exim.org/pub/exim/exim4/old/"
                                    file-name))))
        (sha256
-        (base32 "18ziihkpa23lybm7m2l9wp2farxw0bd5ng7xm9ylgcrfgf95d6i9"))))
+        (base32 "0g83cxkq3znh5b3r2a3990qxysw7d2l71jwcxaxzvq8pqdahgb4k"))))
     (build-system gnu-build-system)
     (arguments
      (list #:phases

base-commit: ad5e4fe54a66c725dc03dedebf8e5c65723ccb74
prerequisite-patch-id: 5bde835de1e0f7e9cd752986da0585463713d745
prerequisite-patch-id: cda50d13de497f5c74c87b2def4ae6a7d5807305
prerequisite-patch-id: 7024afc52961b5947429f925c55265f29607c801
prerequisite-patch-id: 10a4f92340880065a5210c983cc878c98c075855
prerequisite-patch-id: e6610085f98fb881bada0bb27b59def23c3d7cc3
-- 
2.41.0

John Kehayias wrote on 6 Oct 2023 23:14

Re: bug#66304: exim vulnearable to CVE-2023-42115 et al

Recipients:(name . Wilko Meyer)(address . w@wmeyer.eu)(address . 66304-done@debbugs.gnu.org)

Message-ID:87wmvz8ne9.fsf_-_@protonmail.com

Hello,

On Thu, Oct 05, 2023 at 05:25 PM, Wilko Meyer wrote:

Toggle quote (43 lines)>     * gnu/packages/mail.scm (exim): Update to 4.96.1.
> ---
>  gnu/packages/mail.scm | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
> index 72d971eb77..e6923627f4 100644
> --- a/gnu/packages/mail.scm
> +++ b/gnu/packages/mail.scm
> @@ -52,6 +52,7 @@
>  ;;; Copyright © 2022 jgart <jgart@dismail.de>
>  ;;; Copyright © 2022 ( <paren@disroot.org>
>  ;;; Copyright © 2023 Timo Wilken <guix@twilken.net>
> +;;; Copyright © 2023 Wilko Meyer <w@wmeyer.eu>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -1895,7 +1896,7 @@ (define-public msmtp
>  (define-public exim
>    (package
>      (name "exim")
> -    (version "4.96")
> +    (version "4.96.1")
>      (source
>       (origin
>         (method url-fetch)
> @@ -1909,7 +1910,7 @@ (define-public exim
>                      (string-append "https://ftp.exim.org/pub/exim/exim4/old/"
>                                     file-name))))
>         (sha256
> -        (base32 "18ziihkpa23lybm7m2l9wp2farxw0bd5ng7xm9ylgcrfgf95d6i9"))))
> +        (base32 "0g83cxkq3znh5b3r2a3990qxysw7d2l71jwcxaxzvq8pqdahgb4k"))))
>      (build-system gnu-build-system)
>      (arguments
>       (list #:phases
>
> base-commit: ad5e4fe54a66c725dc03dedebf8e5c65723ccb74
> prerequisite-patch-id: 5bde835de1e0f7e9cd752986da0585463713d745
> prerequisite-patch-id: cda50d13de497f5c74c87b2def4ae6a7d5807305
> prerequisite-patch-id: 7024afc52961b5947429f925c55265f29607c801
> prerequisite-patch-id: 10a4f92340880065a5210c983cc878c98c075855
> prerequisite-patch-id: e6610085f98fb881bada0bb27b59def23c3d7cc3

Thanks for the patch and quickly noticing the security issues!

Pushed as add2a22ad7bcca2521432e3f486460138401d5a5 with some added

detail to the commit message. I tested that exim and a dependent builds.

John

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 66304@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 66304

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date