jiachao2130/cvrf2cusa
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7d8412e76d
cvrf2cusa/cvrf/2024/cvrf-openEuler-SA-2024-1928.xml
Jia Chao 7d8412e76d update 0822 
Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-08-22 10:38:56 +08:00

112 lines
7.5 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<DocumentTitle xml:lang="en">An update for exim is now available for openEuler-24.03-LTS</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2024-1928</ID>
</Identification>
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2024-08-02</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2024-08-02</InitialReleaseDate>
<CurrentReleaseDate>2024-08-02</CurrentReleaseDate>
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2024-08-02</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">exim security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for exim is now available for openEuler-24.03-LTS.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail.
Security Fix(es):
Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports &lt;LF&gt;.&lt;CR&gt;&lt;LF&gt; but some other popular e-mail servers do not.(CVE-2023-51766)</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for exim is now available for openEuler-24.03-LTS.
openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Medium</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">exim</Note>
</DocumentNotes>
<DocumentReferences>
<Reference Type="Self">
<URL>https://www.openeuler.org/en/security/security-bulletins/detail?id=openEuler-SA-2024-1928</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-51766</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-51766</URL>
</Reference>
</DocumentReferences>
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-24.03-LTS" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">openEuler-24.03-LTS</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="aarch64">
<FullProductName ProductID="exim-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-4.97.1-2.oe2403.aarch64.rpm</FullProductName>
<FullProductName ProductID="exim-debugsource-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-debugsource-4.97.1-2.oe2403.aarch64.rpm</FullProductName>
<FullProductName ProductID="exim-greylist-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-greylist-4.97.1-2.oe2403.aarch64.rpm</FullProductName>
<FullProductName ProductID="exim-debuginfo-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-debuginfo-4.97.1-2.oe2403.aarch64.rpm</FullProductName>
<FullProductName ProductID="exim-mysql-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-mysql-4.97.1-2.oe2403.aarch64.rpm</FullProductName>
<FullProductName ProductID="exim-mon-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-mon-4.97.1-2.oe2403.aarch64.rpm</FullProductName>
<FullProductName ProductID="exim-pgsql-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-pgsql-4.97.1-2.oe2403.aarch64.rpm</FullProductName>
<FullProductName ProductID="exim-clamav-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-clamav-4.97.1-2.oe2403.aarch64.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="exim-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-4.97.1-2.oe2403.src.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="x86_64">
<FullProductName ProductID="exim-greylist-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-greylist-4.97.1-2.oe2403.x86_64.rpm</FullProductName>
<FullProductName ProductID="exim-clamav-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-clamav-4.97.1-2.oe2403.x86_64.rpm</FullProductName>
<FullProductName ProductID="exim-pgsql-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-pgsql-4.97.1-2.oe2403.x86_64.rpm</FullProductName>
<FullProductName ProductID="exim-debuginfo-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-debuginfo-4.97.1-2.oe2403.x86_64.rpm</FullProductName>
<FullProductName ProductID="exim-mysql-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-mysql-4.97.1-2.oe2403.x86_64.rpm</FullProductName>
<FullProductName ProductID="exim-mon-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-mon-4.97.1-2.oe2403.x86_64.rpm</FullProductName>
<FullProductName ProductID="exim-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-4.97.1-2.oe2403.x86_64.rpm</FullProductName>
<FullProductName ProductID="exim-debugsource-4.97.1-2" CPE="cpe:/a:openEuler:openEuler:24.03-LTS">exim-debugsource-4.97.1-2.oe2403.x86_64.rpm</FullProductName>
</Branch>
</ProductTree>
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports &lt;LF&gt;.&lt;CR&gt;&lt;LF&gt; but some other popular e-mail servers do not.</Note>
</Notes>
<ReleaseDate>2024-08-02</ReleaseDate>
<CVE>CVE-2023-51766</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-24.03-LTS</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Medium</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>5.3</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>exim security update</Description>
<DATE>2024-08-02</DATE>
<URL>https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1928</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>
Reference in New Issue View Git Blame Copy Permalink