To: Guix Devel
From: Taylan Kammer
Subject: Exim CVEs (21Nails)
Message-ID: <167164ca-dd47-e1ea-4b5b-4ae973dca222@gmail.com>
Date: Mon, 17 May 2021 12:10:26 +0200

Hi Guix people,

Just wanted to make sure everyone's aware, since we package Exim:

https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server

"Last fall, the Qualys Research Team engaged in a thorough code audit of Exim and discovered 21 unique vulnerabilities. Ten of these vulnerabilities can be exploited remotely. Some of them leading to provide root privileges on the remote system. And eleven can be exploited locally with most of them can be exploited in either default configuration or in a very common configuration. Some of the vulnerabilities can be chained together to obtain a full remote unauthenticated code execution and gain root privileges on the Exim Server. Most of the vulnerabilities discovered by the Qualys Research Team for e.g. CVE-2020-28017 affects all versions of Exim going back all the way to 2004 (going back to the beginning of its Git history 17 years ago)."

-- 
Taylan