
====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN263

_____________________________________________________________________

DATE                : 04/09/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Exim versions prior to 4.92.2.

=====================================================================
https://lists.exim.org/lurker/message/20190904.092248.0ae7f727.en.html
_____________________________________________________________________

CVE ID:     CVE-2019-15846
Version(s): up to and including 4.92.1
Issue:      A local or remote attacker can execute programs with root
            privileges.
Details:    Will be made public at CRD. Currently there is no known
            exploit, but a rudimentary POC exists.

Coordinated Release Date (CRD) for Exim 4.92.2:
            2019-09-06 10:00 UTC

Contact:    security@exim.org

Proposed Timeline
=================

2019-09-03:
    - initial notification to distros@openwall.org and
      exim-maintainers@exim.org

2019-09-04: <-- NOW
    - This heads-up notice to oss-security@lists.openwall.com,
      exim-users@exim.org, and exim-announce@exim.org

2019-09-06 10:00 UTC:
    - Coordinated release date
    - Notice to oss-security, exim-users, and exim-announce
    - Publish the patches in our official and public Git repositories
      and the packages on our FTP server.

Downloads available starting at CRD (not yet)
=============================================

The downloads are not yet available. They will be made available
at the above mentioned CRD.

Release tarballs (exim-4.92.2):

    https://ftp.exim.org/pub/exim/exim4/

The package files are signed with my GPG key.

The full Git repo:

    https://git.exim.org/exim.git
    https://github.com/Exim/exim    [mirror of the above]
    - tag    exim-4.92.2
    - branch exim-4.92.2+fixes

The tagged commit is the officially released version. The tag is signed
with my GPG key.  The +fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit is
signed with my GPG key. The old exim-4.92.1+fixes branch is being
functionally replaced by the new exim-4.92.2+fixes branch.

    Best regards from Dresden/Germany
    Heiko Schlittermann

 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key IDs 7CBF764A and 972EAC9F have been revoked since 2015-01 ----- -
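The notice gives two things an operator can act on before the details are public: the affected version range (up to and including 4.92.1) and the fact that the release tarball and the git tag will be GPG-signed. The following shell script is an added example, not part of the Exim heads-up or of the CERT-Renater note: it extracts the installed version from `exim -bV`, decides whether the host falls in the affected range, and, once the CRD has passed, verifies the signed tarball and tag. The `exim -bV` sample line, the tarball file name and the `.asc` suffix of the detached signature are assumptions made for this example, not facts taken from the notice.

```shell
#!/bin/sh
# Added example (not from the Exim project or CERT-Renater): check whether
# a local Exim is affected by CVE-2019-15846 (versions before 4.92.2) and
# verify the signed 4.92.2 release once it has been published.

# Normalise an Exim version string ("4.92", "4.92.1", "4.92.2") into a
# zero-padded integer so that it can be compared numerically. A missing
# patch level counts as 0, so "4.92" sorts below "4.92.1".
exim_version_key() {
    echo "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2 + 0, $3 + 0 }'
}

# Return 0 (true) when the given version is strictly older than 4.92.2,
# i.e. inside the range the notice lists as affected.
exim_is_affected() {
    [ "$(exim_version_key "$1")" -lt "$(exim_version_key 4.92.2)" ]
}

# Pull the version out of `exim -bV` output read from stdin. The first
# line is assumed to look like "Exim version 4.92.1 #3 built ..." (the
# exact format of that line is an assumption for this example).
exim_version_from_bv() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# After the CRD: check the detached signature on the release tarball and
# the signature on the git tag against the maintainer's key, which must
# already be in the local keyring. The tarball name and ".asc" suffix are
# assumptions about the FTP layout; adjust to what is actually published.
verify_release() {
    gpg --verify "exim-4.92.2.tar.xz.asc" "exim-4.92.2.tar.xz" || return 1
    git -C exim verify-tag exim-4.92.2
}

# Stand-alone use: report the status of the locally installed Exim, if any.
if command -v exim >/dev/null 2>&1; then
    installed=$(exim -bV 2>/dev/null | exim_version_from_bv)
    if [ -n "$installed" ] && exim_is_affected "$installed"; then
        echo "Exim $installed is affected by CVE-2019-15846; upgrade to 4.92.2"
    elif [ -n "$installed" ]; then
        echo "Exim $installed is not in the affected range"
    fi
fi
```

The version comparison is deliberately numeric rather than a string match on "4.92.1", because distributions ship plain "4.92" as well, and that release is also inside the affected range.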

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================