Opened 5 weeks ago

Closed 4 weeks ago

#21133 closed enhancement (fixed)

exim-4.98.1

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 12.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (6)

comment:1 by Joe Locash, 5 weeks ago

Priority: normal → elevated

Elevating because this update fixes a security issue:

CVE-2025-26794: Exim: SQL injection (https://seclists.org/oss-sec/2025/q1/153)

today, 12:00 UTC we published an Exim security release: exim-4.98.1
For further details please see https://exim.org/static/doc/security/CVE-2025-26794.txt

CVE-2025-26794.txt:

# CVE 2025-26794

- Sat, 08 Feb 2025 21:14:37 +0100: reported
  - by: "Oscar Bataille" <batailleoscar@protonmail.com>
  - to: security@exim.org
- Sun, 9 Feb 2025 00:00:05 +0100: report confirmed
- Tue, 11 Feb 2025 00:23:34 +0100: issue confirmed
- Tue, 11 Feb 2025 12:54:10 +0000: CVE ID requested
- Fri, 14 Feb 2025 04:19:13 -0500: CVE ID 2025-26794 received
- Tue, 18 Feb 2025 20:56:25 +0100: sent notification to <distros@vs.openwall.org>
- Wed, 19 Feb 2025 23:07:02 +0100: sent notification to <oss-security@lists.openwall.com>, and <exim-users@lists.exim.org>
- Thu, 20 Feb 2025 18:36:34 +0100: sent notification to <exim-announce@lists.exim.org>
- Fri, 21 Feb 2025 13:00:00 +0100: published the changes on https://code.exim.org/exim/exim.git


## Details

A SQL injection is possible.

The following conditions have to be met for being vulnerable:

- Exim Version 4.98
- Build time option _USE_SQLITE_ is set (it enables the use of SQLite
  for the hints databases) -- check the output of `exim -bV`, whether it
  contains
  ```
  Hints DB:
    Using sqlite3
  ```
- Runtime config enables ETRN (`acl_smtp_etrn` returns _accept_
  (defaults to _deny_))
- Runtime config enforces ETRN serialization (`smtp_etrn_serialize` is
  set to _true_ (defaults to _true_))

## Acknowledgements

Thanks to Oscar Bataille for discovering and reporting this issue in a
responsible manner.
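
The four conditions listed in the advisory above can be checked per host. The following is an added example, not part of the ticket or of the Exim advisory: the function name `cve_2025_26794_status` is hypothetical, and the assumed `exim -bP` output format is noted in the comments.

```shell
#!/bin/sh
# Added example (not Exim or BLFS code). Classifies one host against the
# four conditions in CVE-2025-26794.txt. Arguments are captured output of:
#   $1  exim -bV
#   $2  exim -bP acl_smtp_etrn
#   $3  exim -bP smtp_etrn_serialize
# Assumption: -bP prints "acl_smtp_etrn =" when the ACL is unset and
# "no_smtp_etrn_serialize" when the boolean is false.
cve_2025_26794_status() {
    bv=$1 acl=$2 ser=$3

    # Condition 1: exactly 4.98 (4.98.1 carries the fix).
    ver=$(printf '%s\n' "$bv" |
          sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ "$ver" = "4.98" ] || { echo "not affected: version ${ver:-unknown}"; return 1; }

    # Condition 2: the line after "Hints DB:" says "Using sqlite3".
    printf '%s\n' "$bv" | awk '/^Hints DB:/ {getline; print}' |
        grep -q 'Using sqlite3' ||
        { echo "not affected: hints DB is not sqlite3"; return 1; }

    # Condition 3: an ETRN ACL is configured (unset means deny).
    # A configured ACL may still deny; it is treated as able to accept.
    acl_val=$(printf '%s\n' "$acl" | sed -n 's/^acl_smtp_etrn *= *//p')
    [ -n "$acl_val" ] || { echo "not affected: acl_smtp_etrn unset (deny)"; return 1; }

    # Condition 4: ETRN serialization is enabled (the default).
    case $ser in
        no_smtp_etrn_serialize*)
            echo "not affected: smtp_etrn_serialize is false"; return 1 ;;
    esac

    echo "affected: upgrade to 4.98.1 and review ACL '$acl_val'"
    return 0
}

# Constructed sample input (not captured from a real host).
SAMPLE_BV='Exim version 4.98 #1 built 01-Jan-2025 00:00:00
Hints DB:
    Using sqlite3'
cve_2025_26794_status "$SAMPLE_BV" 'acl_smtp_etrn = acl_check_etrn' \
    'smtp_etrn_serialize' || true
```

On a live host the three arguments would be `"$(exim -bV)"`, `"$(exim -bP acl_smtp_etrn)"` and `"$(exim -bP smtp_etrn_serialize)"`.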

comment:2 by Bruce Dubbs, 5 weeks ago

Milestone: 12.4 → 12.3

Not tagged yet. Will update this when we tag it.

comment:3 by Douglas R. Reno, 5 weeks ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:4 by Douglas R. Reno, 4 weeks ago

Resolution: fixed
Status: assigned → closed

comment:5 by Douglas R. Reno, 4 weeks ago

Resolution: fixed
Status: closed → reopened

Reopen for SA. I need some sleep soon.

comment:6 by Douglas R. Reno, 4 weeks ago

Resolution: fixed
Status: reopened → closed

SA-12.2-094 issued
