New on LowEndTalk? Please Register and read our Community Rules.
Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability
Oh dear, this is not good: https://www.zerodayinitiative.com/advisories/ZDI-23-1469/
Comments
The timeline for this is probably even more outrageous
06/14/22 – ZDI reported the vulnerability to the vendor.
04/25/23 – The vendor asked us to re-send the reports.
Almost a fucking year.
They asked for a re-send, and after getting it once again they still didn't fix it for half a year 💀
Is exim just not safe anymore?
Exim: 74 vulnerabilities
Postfix: 33 vulnerabilities
Hey, it's just a 9.8 so don't wake up the Exim from their deep and long sleep.
Usually you don’t have to sit around as long with your thumb up your ass waiting for something to be published by the time it’s made its public rounds. But usually exim doesn’t let it get to this level of disclosure threat while having nothing to show for it.
One of the two, the reporters or the exim devs, has made some mistakes here. Given the choices, I'm cheering for the reporters to be the ones dropping the ball. Either way someone reputable fucked up; I'd rather it be in our favor.
Some more context about this zero-day and other vulnerabilities: https://seclists.org/oss-sec/2023/q3/254
A thread on the exim-users mailing list https://lists.exim.org/lurker/thread/20230930.205045.d91489b2.en.html mentions release candidates for exim 4.97, which hopefully means that patches should be available soon.
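Since the thread is waiting on 4.97 as the release that carries the fix, a quick way to triage a fleet is to parse the first line of `exim -bV` and flag anything older. The script below is an added example, not code from the thread or from the Exim project; it assumes 4.97 as the fixed version (set `EXIM_FIXED_VERSION` to whatever the final advisory names) and uses constructed sample output rather than a real host. A version below 4.97 is a prompt to check your distribution's changelog, since distributions often backport fixes without bumping the upstream version.

```shell
#!/bin/sh
# Added example (not from the thread or the Exim project): flag Exim
# installs older than the version the thread expects to carry the fix.
# Parses the first line of `exim -bV`, which looks like
#   Exim version 4.96 #2 built 01-Oct-2022 10:00:00

# Assumed fixed version, taken from the thread's mention of 4.97 RCs.
EXIM_FIXED_VERSION="4.97"

# Read `exim -bV` text on stdin and print just the version number.
exim_version_from_bv() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) when version $1 sorts strictly below $2.  sort -V gives
# numeric ordering per component, so 4.96 < 4.97 < 4.100 as expected.
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Check one host's `exim -bV` output passed as $1.
# Returns 0 if the install is older than the fixed version (needs attention),
# 1 if it is at or above it, 2 if no version line was found.
check_exim_bv() {
    v=$(printf '%s\n' "$1" | exim_version_from_bv)
    if [ -z "$v" ]; then
        echo "could not find an 'Exim version' line in the output"
        return 2
    fi
    if version_lt "$v" "$EXIM_FIXED_VERSION"; then
        echo "Exim $v is older than $EXIM_FIXED_VERSION: check your distro changelog for a backported fix"
        return 0
    fi
    echo "Exim $v is at or above $EXIM_FIXED_VERSION"
    return 1
}

# Constructed sample output (not captured from a real host).
SAMPLE_OLD='Exim version 4.96 #2 built 01-Oct-2022 10:00:00
Copyright (c) University of Cambridge, 1995 - 2018'
SAMPLE_NEW='Exim version 4.97 #2 built 02-Nov-2023 10:00:00'

check_exim_bv "$SAMPLE_OLD"
check_exim_bv "$SAMPLE_NEW" || true
# Against a live host: check_exim_bv "$(exim -bV 2>/dev/null)"
```

The comparison is deliberately one-sided: it only tells you which hosts are worth looking at, not that a host is safe, because a vendor package can carry the fix under an older upstream version number.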
Details are flowing in: https://www.openwall.com/lists/oss-security/2023/10/01/4
This was over-reported. These issues probably impact a tiny fraction of exim servers.