oss-sec mailing list archives

Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit


From: Heiko Schlittermann <hs () nodmarc schlittermann de>
Date: Wed, 5 Jun 2019 17:19:44 +0200

The fix for CVE-2019-10149 is public now.

    https://git.exim.org/exim.git
    Branch exim-4_91+fixes.

Thank you to
    - Qualys for reporting it.
    - Jeremy for fixing it.
    - you for using Exim.

Sorry for the confusion about the public release. We were forced to react,
as details leaked.

The patch should apply cleanly to all affected versions (4.87->4.91). We
do not do a security release, as the official Exim version is at 4.92
already and older releases are considered to be outdated and not
supported by the developers anymore.

Please do not hesitate to contact us if you need help backporting the
fix.

Details of the commit:

    |commit d740d2111f189760593a303124ff6b9b1f83453d
    |gpg: Signature made Di 04 Jun 2019 11:27:33 CEST
    |gpg:                using RSA key D0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142
    |gpg:                issuer "hs () schlittermann de"
    |gpg: Good signature from "Heiko Schlittermann (Dresden) <hs () schlittermann de>" [full]
    |gpg:                 aka "Heiko Schlittermann (HS12-RIPE) <hs () schlittermann de>" [full]
    |gpg:                 aka "[jpeg image of size 4759]" [full]
    |gpg:                 aka "Heiko Schlittermann (Exim MTA Maintainer) <heiko () exim org>" [full]
    |gpg:                 aka "Heiko Schlittermann (HS12-RIPE) <hs () nodmarc schlittermann de>" [undefined]
    |Author: Jeremy Harris <jgh146exb () wizmail org>
    |Date:   Mon May 27 21:57:31 2019 +0100
    |
    |   Fix CVE-2019-10149


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
