From: Wilko Meyer
To: 66304@debbugs.gnu.org
Subject: bug#66304: exim vulnerable to CVE-2023-42115 et al
Date: Mon, 02 Oct 2023 12:35:20 +0200
Message-ID: <87leclmhdp.fsf@wmeyer.eu>
X-Debbugs-Original-To: bug-guix@gnu.org
List-Id: Bug reports for GNU Guix

Hi Guix,

Exim currently has unpatched vulnerabilities regarding its EXTERNAL
Auth driver as well as its SPA/NTLM authenticator. According to the
project[0], prospective fixes seem to be around the corner. We should
probably bump the Exim version we ship to a non-vulnerable version as
soon as one is available.

[0]: https://www.exim.org/static/doc/security/CVE-2023-zdi.txt

-- 
Kind regards,

Wilko Meyer
w@wmeyer.eu