Bug#1053310: Fixes for stable/oldstable?
On Tue, 31 Oct 2023, Andreas Metzler wrote:

> On 2023-10-31 Tomas Pospisek wrote:
> [...]
>> PS: I'd prefer this bug report to be open as long as the stable and
>> oldstable packages are still vulnerable...
>
> Hello Thomas,
>
> The Debian BTS does not use a simple open/close logic, it tracks which
> specific versions a bug applies to. If you look at
> https://bugs.debian.org/cgi-bin/1053310 there is both textual info
> ("Found in version exim4/4.94.2-7 Fixed in version exim4/4.97~RC2-2")
> and a nice graph in red and green to display this and the overview
> pages can also show bugs applying to specific distributions. (Menu
> items at the bottom of the page.) e.g.
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=stable;package=exim4-base
> does not show this bug under "Resolved bugs".

Alright, thank you.

Every time I see those "found in"/"fixed in" bug report pages I'm at a loss to be 100% clear on what precise state those bug reports are in. Oh well.

Many, many thanks for the explanations!
*t
Bug#1053310: Fixes for stable/oldstable?
On 2023-10-31 Tomas Pospisek wrote:
[...]
> PS: I'd prefer this bugreport to be open as long as the stable and
> oldstable packages are still vulnerable...

Hello Thomas,

The Debian BTS does not use a simple open/close logic, it tracks which specific versions a bug applies to. If you look at https://bugs.debian.org/cgi-bin/1053310 there is both textual info ("Found in version exim4/4.94.2-7 Fixed in version exim4/4.97~RC2-2") and a nice graph in red and green to display this and the overview pages can also show bugs applying to specific distributions. (Menu items at the bottom of the page.) e.g. https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=stable;package=exim4-base does not show this bug under "Resolved bugs".

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
Bug#1053310: Fixes for stable/oldstable?
On 2023-10-31 Tomas Pospisek wrote:
> On Tue, 31 Oct 2023, Salvatore Bonaccorso wrote:
[...]
>> Fixes for CVE-2023-42117 and CVE-2023-42119 are right now considered
>> no-dsa (see comment on the security-tracker about it), and are going
>> to be fixed in the next point releases.

> The notes say:
> ***
> [bookworm] - exim4 (Only an issue if Exim4 run behind an
> untrusted proxy-protocol proxy)
[...]
> So I think I can parse from those that CVE-2023-42117 is only critical when
> exim is run behind an "untrusted proxy-protocol proxy".

> Questions if you will:

> * what does "no-dsa" mean? DSA seems to mean Debian Security Announce.
> Does it mean there is no DSA for that problem yet? What does it mean
> when a CVE is considered "no-dsa" then? That no DSA will be released for
> it?

Hello Thomas,

Exactly. The severity was judged to be very low, not "worth" the effort of a DSA.

> * what is an "untrusted proxy-protocol proxy" in the context of a mail
> transport agent? So exim shouldn't be used behind an untrusted socks
> proxy? Well I have no real control who connects how to a public MTA...
> anybody can connect to it to try his luck sending me email. That
> includes untrusted socks proxies...

This: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html or more precisely the part "1. Inbound proxies". You need to explicitly configure exim to tell it that specific hosts are acting as load-balancing proxy sitting in front of exim. I cannot think of a scenario where these load-balancing proxies would not be trusted machines. The issue is about weakening the chain a little bit - take over the proxy first and then do something to the exim machines behind.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
Bug#1053310: Fixes for stable/oldstable?
Hi Salvatore, thanks a lot for your reply (more below):

On Tue, 31 Oct 2023, Salvatore Bonaccorso wrote:

> Hi Tomas,
>
> On Tue, Oct 31, 2023 at 11:07:06AM +0100, Tomas Pospisek wrote:
>> Hello Exim maintainers,
>>
>> this ticket, asking for packages with fixes for CVE-2023-42117 and other
>> security relevant issues is closed.
>>
>> However only a package for unstable has been released:
>>
>> https://security-tracker.debian.org/tracker/CVE-2023-42117
>>
>> all other Debian releases (stable, oldstable) still seem to be carrying the
>> vulnerable Exim4 version.
>>
>> What is the status of releasing fixed Exims for Debian stable, oldstable? Is
>> anybody working on it? Is help needed?
>
> Fixes for CVE-2023-42117 and CVE-2023-42119 are right now considered
> no-dsa (see comment on the security-tracker about it), and are going
> to be fixed in the next point releases.

The notes say:

***
[bookworm] - exim4 (Only an issue if Exim4 run behind an untrusted proxy-protocol proxy)
[bullseye] - exim4 (Only an issue if Exim4 run behind an untrusted proxy-protocol proxy)
[buster] - exim4 (Only an issue if Exim4 run behind an untrusted proxy-protocol proxy)
https://www.zerodayinitiative.com/advisories/ZDI-23-1471/
https://bugs.exim.org/show_bug.cgi?id=3031
https://www.openwall.com/lists/oss-security/2023/09/29/5
https://www.openwall.com/lists/oss-security/2023/10/01/4
https://exim.org/static/doc/security/CVE-2023-zdi.txt
***

So I think I can parse from those that CVE-2023-42117 is only critical when exim is run behind an "untrusted proxy-protocol proxy".

Questions if you will:

* what does "no-dsa" mean? DSA seems to mean Debian Security Announce. Does it mean there is no DSA for that problem yet? What does it mean when a CVE is considered "no-dsa" then? That no DSA will be released for it?

* what is an "untrusted proxy-protocol proxy" in the context of a mail transport agent? So exim shouldn't be used behind an untrusted socks proxy? Well I have no real control who connects how to a public MTA... anybody can connect to it to try his luck sending me email. That includes untrusted socks proxies...

So to wrap it up, it /seems/ that I'm probably fine, however the details are so terse that my assessment seems to be rather shaky...

> Does this help?

A bit. Thanks a lot

Best greetings!
*t
Bug#1053310: Fixes for stable/oldstable?
Hi Tomas,

On Tue, Oct 31, 2023 at 11:07:06AM +0100, Tomas Pospisek wrote:
> Hello Exim maintainers,
>
> this ticket, asking for packages with fixes for CVE-2023-42117 and other
> security relevant issues is closed.
>
> However only a package for unstable has been released:
>
> https://security-tracker.debian.org/tracker/CVE-2023-42117
>
> all other Debian releases (stable, oldstable) still seem to be carrying the
> vulnerable Exim4 version.
>
> What is the status of releasing fixed Exims for Debian stable, oldstable? Is
> anybody working on it? Is help needed?

Fixes for CVE-2023-42117 and CVE-2023-42119 are right now considered no-dsa (see comment on the security-tracker about it), and are going to be fixed in the next point releases.

Does this help?

Regards,
Salvatore
Bug#1053310: Fixes for stable/oldstable?
Hello Exim maintainers,

this ticket, asking for packages with fixes for CVE-2023-42117 and other security relevant issues, is closed.

However only a package for unstable has been released:

https://security-tracker.debian.org/tracker/CVE-2023-42117

all other Debian releases (stable, oldstable) still seem to be carrying the vulnerable Exim4 version.

What is the status of releasing fixed Exims for Debian stable, oldstable? Is anybody working on it? Is help needed?
*t

PS: I'd prefer this bug report to be open as long as the stable and oldstable packages are still vulnerable...