* Exim CVEs (21Nails)
@ 2021-05-17 10:10 Taylan Kammer
2021-05-17 14:44 ` Leo Famulari
0 siblings, 1 reply; 4+ messages in thread
From: Taylan Kammer @ 2021-05-17 10:10 UTC (permalink / raw)
To: Guix Devel
Hi Guix people,
Just wanted to make sure everyone's aware, since we package Exim:
https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server
"Last fall, the Qualys Research Team engaged in a thorough code audit of Exim
and discovered 21 unique vulnerabilities. Ten of these vulnerabilities can be
exploited remotely. Some of them leading to provide root privileges on the
remote system. And eleven can be exploited locally with most of them can be
exploited in either default configuration or in a very common configuration.
Some of the vulnerabilities can be chained together to obtain a full remote
unauthenticated code execution and gain root privileges on the Exim Server.
Most of the vulnerabilities discovered by the Qualys Research Team for e.g.
CVE-2020-28017 affects all versions of Exim going back all the way to 2004
(going back to the beginning of its Git history 17 years ago)."
--
Taylan
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Exim CVEs (21Nails)
2021-05-17 10:10 Exim CVEs (21Nails) Taylan Kammer
@ 2021-05-17 14:44 ` Leo Famulari
2021-05-17 15:26 ` Taylan Kammer
0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2021-05-17 14:44 UTC (permalink / raw)
To: Taylan Kammer; +Cc: Guix Devel
On Mon, May 17, 2021 at 12:10:26PM +0200, Taylan Kammer wrote:
> Hi Guix people,
>
> Just wanted to make sure everyone's aware, since we package Exim:
>
> https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server
>
> "Last fall, the Qualys Research Team engaged in a thorough code audit of Exim
> and discovered 21 unique vulnerabilities. Ten of these vulnerabilities can be
> exploited remotely. Some of them leading to provide root privileges on the
> remote system. And eleven can be exploited locally with most of them can be
> exploited in either default configuration or in a very common configuration.
> Some of the vulnerabilities can be chained together to obtain a full remote
> unauthenticated code execution and gain root privileges on the Exim Server.
> Most of the vulnerabilities discovered by the Qualys Research Team for e.g.
> CVE-2020-28017 affects all versions of Exim going back all the way to 2004
> (going back to the beginning of its Git history 17 years ago)."
Fixed in commit 4ca8a00263 (gnu: Exim: Update to 4.94.2 [security
fixes].)
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4ca8a002633f5d5c88c689fd41a686b5cdff33ec
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Exim CVEs (21Nails)
2021-05-17 14:44 ` Leo Famulari
@ 2021-05-17 15:26 ` Taylan Kammer
2021-05-17 16:20 ` Leo Famulari
0 siblings, 1 reply; 4+ messages in thread
From: Taylan Kammer @ 2021-05-17 15:26 UTC (permalink / raw)
To: Leo Famulari; +Cc: Guix Devel
On 17.05.2021 16:44, Leo Famulari wrote:
> On Mon, May 17, 2021 at 12:10:26PM +0200, Taylan Kammer wrote:
>> Hi Guix people,
>>
>> Just wanted to make sure everyone's aware, since we package Exim:
>>
>> https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server
>>
>> "Last fall, the Qualys Research Team engaged in a thorough code audit of Exim
>> and discovered 21 unique vulnerabilities. Ten of these vulnerabilities can be
>> exploited remotely. Some of them leading to provide root privileges on the
>> remote system. And eleven can be exploited locally with most of them can be
>> exploited in either default configuration or in a very common configuration.
>> Some of the vulnerabilities can be chained together to obtain a full remote
>> unauthenticated code execution and gain root privileges on the Exim Server.
>> Most of the vulnerabilities discovered by the Qualys Research Team for e.g.
>> CVE-2020-28017 affects all versions of Exim going back all the way to 2004
>> (going back to the beginning of its Git history 17 years ago)."
>
> Fixed in commit 4ca8a00263 (gnu: Exim: Update to 4.94.2 [security
> fixes].)
>
> https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4ca8a002633f5d5c88c689fd41a686b5cdff33ec
>
On the same day that article was published, neat! :-)
--
Taylan
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Exim CVEs (21Nails)
2021-05-17 15:26 ` Taylan Kammer
@ 2021-05-17 16:20 ` Leo Famulari
0 siblings, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2021-05-17 16:20 UTC (permalink / raw)
To: Taylan Kammer; +Cc: Guix Devel
On Mon, May 17, 2021 at 05:26:36PM +0200, Taylan Kammer wrote:
> On the same day that article was published, neat! :-)
There was advance warning, so we were ready :)
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-05-17 16:49 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-05-17 10:10 Exim CVEs (21Nails) Taylan Kammer
2021-05-17 14:44 ` Leo Famulari
2021-05-17 15:26 ` Taylan Kammer
2021-05-17 16:20 ` Leo Famulari
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.