[exim 0005317]: EXIM CVE-2018-6789
Mantis Bug Tracker
noreply at opencsw.org
Mon Dec 17 13:42:43 CET 2018
A NOTE has been added to this issue.
======================================================================
https://www.opencsw.org/mantis/view.php?id=5317
======================================================================
Reported By: barlavento
Assigned To:
======================================================================
Project: exim
Issue ID: 5317
Category: upgrade
Reproducibility: unable to reproduce
Severity: major
Priority: normal
Status: new
======================================================================
Date Submitted: 2018-03-09 16:32 CET
Last Modified: 2018-12-17 13:42 CET
======================================================================
Summary: EXIM CVE-2018-6789
Description:
CVE-2018-6789
=============
There is a buffer overflow in base64d(), if some pre-conditions are met.
Using a handcrafted message, remote code execution seems to be possible.
A patch exists already and is being tested.
Currently we're unsure about the severity, we *believe*, an exploit
is difficult. A mitigation isn't known.
Timeline (UTC)
--------------
* 2018-02-05 Report from Meh Chang <meh at devco.re> via exim-security mailing
list
* 2018-02-06 Request CVE on https://cveform.mitre.org/ (heiko)
CVE-2018-6789
* 2018-02-07 Announcement to the public via exim-users, exim-maintainers
mailing lists and on oss-security mailing list
* 2018-02-08 16:50 Grant restricted access to the security repo for
distro maintainers
* 2018-02-09 One distro breaks the embargo
* 2018-02-10 18:00 Grant public access to the our official git repo.
======================================================================
----------------------------------------------------------------------
(0011288) barlavento (reporter) - 2018-12-17 13:42
https://www.opencsw.org/mantis/view.php?id=5317#c11288
----------------------------------------------------------------------
It is unfortunate I cannot create a new (Solaris 10 or newer) package. I do
not have any experience with the build environment.
More information about the bug-notifications
mailing list