From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 17 May 2021 10:44:31 -0400
From: Leo Famulari
To: Taylan Kammer
Cc: Guix Devel
Subject: Re: Exim CVEs (21Nails)
In-Reply-To: <167164ca-dd47-e1ea-4b5b-4ae973dca222@gmail.com>
References: <167164ca-dd47-e1ea-4b5b-4ae973dca222@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

On Mon, May 17, 2021 at 12:10:26PM +0200, Taylan Kammer wrote:
> Hi Guix people,
>
> Just wanted to make sure everyone's aware, since we package Exim:
>
> https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server
>
> "Last fall, the Qualys Research Team engaged in a thorough code audit of Exim
> and discovered 21 unique vulnerabilities. Ten of these vulnerabilities can be
> exploited remotely. Some of them leading to provide root privileges on the
> remote system. And eleven can be exploited locally with most of them can be
> exploited in either default configuration or in a very common configuration.
> Some of the vulnerabilities can be chained together to obtain a full remote
> unauthenticated code execution and gain root privileges on the Exim Server.
> Most of the vulnerabilities discovered by the Qualys Research Team for e.g.
> CVE-2020-28017 affects all versions of Exim going back all the way to 2004
> (going back to the beginning of its Git history 17 years ago)."

Fixed in commit 4ca8a00263 (gnu: Exim: Update to 4.94.2 [security fixes].)

https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4ca8a002633f5d5c88c689fd41a686b5cdff33ec