146 lines
9.3 KiB
XML
146 lines
9.3 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
|
|
<DocumentTitle xml:lang="en">An update for exim is now available for openEuler-22.03-LTS-SP4</DocumentTitle>
|
|
<DocumentType>Security Advisory</DocumentType>
|
|
<DocumentPublisher Type="Vendor">
|
|
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
|
|
<IssuingAuthority>openEuler security committee</IssuingAuthority>
|
|
</DocumentPublisher>
|
|
<DocumentTracking>
|
|
<Identification>
|
|
<ID>openEuler-SA-2024-1927</ID>
|
|
</Identification>
|
|
<Status>Final</Status>
|
|
<Version>1.0</Version>
|
|
<RevisionHistory>
|
|
<Revision>
|
|
<Number>1.0</Number>
|
|
<Date>2024-08-02</Date>
|
|
<Description>Initial</Description>
|
|
</Revision>
|
|
</RevisionHistory>
|
|
<InitialReleaseDate>2024-08-02</InitialReleaseDate>
|
|
<CurrentReleaseDate>2024-08-02</CurrentReleaseDate>
|
|
<Generator>
|
|
<Engine>openEuler SA Tool V1.0</Engine>
|
|
<Date>2024-08-02</Date>
|
|
</Generator>
|
|
</DocumentTracking>
|
|
<DocumentNotes>
|
|
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">exim security update</Note>
|
|
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for exim is now available for openEuler-22.03-LTS-SP4.</Note>
|
|
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail.
|
|
|
|
Security Fix(es):
|
|
|
|
A vulnerability was found in Exim and classified as problematic. This issue affects some unknown processing of the component Regex Handler. The manipulation leads to use after free. The name of the patch is 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2. It is recommended to apply a patch to fix this issue. The identifier VDB-211073 was assigned to this vulnerability.(CVE-2022-3559)
|
|
|
|
Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.(CVE-2023-51766)</Note>
|
|
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for exim is now available for openEuler-22.03-LTS-SP4.
|
|
|
|
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
|
|
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
|
|
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">exim</Note>
|
|
</DocumentNotes>
|
|
<DocumentReferences>
|
|
<Reference Type="Self">
|
|
<URL>https://www.openeuler.org/en/security/security-bulletins/detail?id=openEuler-SA-2024-1927</URL>
|
|
</Reference>
|
|
<Reference Type="openEuler CVE">
|
|
<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2022-3559</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-51766</URL>
|
|
</Reference>
|
|
<Reference Type="Other">
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-3559</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-51766</URL>
|
|
</Reference>
|
|
</DocumentReferences>
|
|
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
|
|
<Branch Type="Product Name" Name="openEuler">
|
|
<FullProductName ProductID="openEuler-22.03-LTS-SP4" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">openEuler-22.03-LTS-SP4</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="aarch64">
|
|
<FullProductName ProductID="exim-debugsource-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-debugsource-4.96-3.oe2203sp4.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="exim-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-4.96-3.oe2203sp4.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="exim-clamav-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-clamav-4.96-3.oe2203sp4.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="exim-pgsql-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-pgsql-4.96-3.oe2203sp4.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="exim-mon-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-mon-4.96-3.oe2203sp4.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="exim-debuginfo-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-debuginfo-4.96-3.oe2203sp4.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="exim-mysql-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-mysql-4.96-3.oe2203sp4.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="exim-greylist-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-greylist-4.96-3.oe2203sp4.aarch64.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="src">
|
|
<FullProductName ProductID="exim-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-4.96-3.oe2203sp4.src.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="x86_64">
|
|
<FullProductName ProductID="exim-debugsource-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-debugsource-4.96-3.oe2203sp4.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="exim-mysql-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-mysql-4.96-3.oe2203sp4.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="exim-clamav-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-clamav-4.96-3.oe2203sp4.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="exim-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-4.96-3.oe2203sp4.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="exim-pgsql-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-pgsql-4.96-3.oe2203sp4.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="exim-debuginfo-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-debuginfo-4.96-3.oe2203sp4.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="exim-mon-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-mon-4.96-3.oe2203sp4.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="exim-greylist-4.96-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP4">exim-greylist-4.96-3.oe2203sp4.x86_64.rpm</FullProductName>
|
|
</Branch>
|
|
</ProductTree>
|
|
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability was found in Exim and classified as problematic. This issue affects some unknown processing of the component Regex Handler. The manipulation leads to use after free. The name of the patch is 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2. It is recommended to apply a patch to fix this issue. The identifier VDB-211073 was assigned to this vulnerability.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2024-08-02</ReleaseDate>
|
|
<CVE>CVE-2022-3559</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-22.03-LTS-SP4</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>High</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>7.5</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>exim security update</Description>
|
|
<DATE>2024-08-02</DATE>
|
|
<URL>https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1927</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2024-08-02</ReleaseDate>
|
|
<CVE>CVE-2023-51766</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-22.03-LTS-SP4</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Medium</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>5.3</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>exim security update</Description>
|
|
<DATE>2024-08-02</DATE>
|
|
<URL>https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1927</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
</cvrfdoc> |