Hi Salvatore,

thanks a lot for your reply (more below):

On Tue, 31 Oct 2023, Salvatore Bonaccorso wrote:

Hi Tomas,

On Tue, Oct 31, 2023 at 11:07:06AM +0100, Tomas Pospisek wrote:
Hello Exim maintainers,

this ticket, asking for packages with fixes for CVE-2023-42117 and other
security-relevant issues, is closed.

However only a package for unstable has been released:

https://security-tracker.debian.org/tracker/CVE-2023-42117

all other Debian releases (stable, oldstable) still seem to be carrying the
vulnerable Exim4 version.

What is the status of releasing fixed Exims for Debian stable, oldstable? Is
anybody working on it? Is help needed?

Fixes for CVE-2023-42117 and CVE-2023-42119 are right now considered
no-dsa (see comment on the security-tracker about it), and are going
to be fixed in the next point releases.

The notes say:

***
[bookworm] - exim4 <no-dsa> (Only an issue if Exim4 run behind an
             untrusted proxy-protocol proxy)
[bullseye] - exim4 <no-dsa> (Only an issue if Exim4 run behind an
             untrusted proxy-protocol proxy)
[buster] - exim4 <no-dsa> (Only an issue if Exim4 run behind an untrusted
           proxy-protocol proxy)
https://www.zerodayinitiative.com/advisories/ZDI-23-1471/
https://bugs.exim.org/show_bug.cgi?id=3031
https://www.openwall.com/lists/oss-security/2023/09/29/5
https://www.openwall.com/lists/oss-security/2023/10/01/4
https://exim.org/static/doc/security/CVE-2023-zdi.txt
***

So I think I can parse from those that CVE-2023-42117 is only critical when exim is run behind an "untrusted proxy-protocol proxy".

Questions if you will:

* what does "no-dsa" mean? DSA seems to mean Debian Security Announce.
  Does it mean there is no DSA for that problem yet? What does it mean
  when a CVE is considered "no-dsa" then? That no DSA will be released for
  it?
* what is an "untrusted proxy-protocol proxy" in the context of a mail
  transport agent? So exim shouldn't be used behind an untrusted socks
  proxy? Well I have no real control who connects how to a public MTA...
  anybody can connect to it to try his luck sending me email. That
  includes untrusted socks proxies...

So to wrap it up, it /seems/ that I'm probably fine; however, the details are so terse that my assessment seems to be rather shaky...

Does this help?

A bit. Thanks a lot!!!!

Best greetings!
*t
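As an added illustration (not part of this thread, and not Exim's or Debian's own tooling): the tracker note ties exposure to Exim accepting PROXY-protocol connections, which in Exim is controlled by the `hosts_proxy` main option (an empty list, the default, means inbound PROXY protocol is not accepted at all). The helper below parses the output of `exim -bP hosts_proxy` and reports whether PROXY protocol is enabled and whether the host list is unrestricted, so an administrator can check which side of the "only an issue if" condition a given host falls on. It assumes the `hosts_proxy = <list>` output format of `exim -bP`, a colon-separated host list (IPv6 literals written with doubled colons are not handled by this simple splitter), and an `exim` binary on the PATH; the sample outputs are constructed.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Assumption: `exim -bP hosts_proxy` prints one line "hosts_proxy = <host list>".
# An empty host list (the Exim default) means PROXY protocol headers are never accepted.
HOSTS_PROXY_RE = re.compile(r"^\s*hosts_proxy\s*=\s*(.*)$", re.MULTILINE)

# Host-list entries that admit PROXY headers from any client, i.e. the
# "untrusted proxy" case the Debian security-tracker note warns about.
ANY_HOST_PATTERNS = {"*", "0.0.0.0/0", "::/0"}


@dataclass
class ProxyExposure:
    enabled: bool                      # Exim will parse PROXY headers from some hosts
    hosts: list = field(default_factory=list)
    unrestricted: bool = False         # any host at all may send a PROXY header

    def summary(self) -> str:
        if not self.enabled:
            return "PROXY protocol disabled (hosts_proxy empty): not exposed per tracker note"
        if self.unrestricted:
            return "PROXY protocol accepted from ANY host: treat as untrusted-proxy exposure"
        return "PROXY protocol accepted only from: " + ", ".join(self.hosts)


def parse_hosts_proxy(output: str) -> list:
    """Extract the host list from `exim -bP hosts_proxy` output."""
    match = HOSTS_PROXY_RE.search(output)
    if match is None:
        raise ValueError("no hosts_proxy line found in exim -bP output")
    value = match.group(1).strip()
    if not value:
        return []
    # Exim host lists are colon-separated by default (assumption: no IPv6 literals).
    return [h.strip() for h in value.split(":") if h.strip()]


def assess(output: str) -> ProxyExposure:
    """Classify exposure from the textual option value."""
    hosts = parse_hosts_proxy(output)
    unrestricted = any(h in ANY_HOST_PATTERNS for h in hosts)
    return ProxyExposure(enabled=bool(hosts), hosts=hosts, unrestricted=unrestricted)


def assess_running_exim(exim_binary: str = "exim") -> ProxyExposure:
    """Query the installed Exim (assumed binary name) and classify it."""
    proc = subprocess.run([exim_binary, "-bP", "hosts_proxy"],
                          capture_output=True, text=True, check=True)
    return assess(proc.stdout)


# Constructed sample outputs, not captured from a real system.
SAMPLE_DISABLED = "hosts_proxy = \n"
SAMPLE_LOCAL_PROXY = "hosts_proxy = 192.0.2.10 : 192.0.2.11\n"
SAMPLE_ANY_HOST = "hosts_proxy = *\n"

if __name__ == "__main__":
    for name, sample in [("disabled", SAMPLE_DISABLED),
                         ("local proxies", SAMPLE_LOCAL_PROXY),
                         ("any host", SAMPLE_ANY_HOST)]:
        print(f"{name:14s} -> {assess(sample).summary()}")
```

Run it as a script to see the three constructed cases, or call `assess_running_exim()` on a host where Exim is installed; a non-empty but specific host list is the intended deployment, where the question becomes whether that proxy itself is trusted.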
