Debian Bug report logs - #992172
exim4: CVE-2021-38371


Package: src:exim4; Maintainer for src:exim4 is Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 14 Aug 2021 20:51:02 UTC

Severity: important

Tags: security, upstream

Found in version exim4/4.94.2-7

Fixed in versions exim4/4.95~RC0-1, 4.95~RC2-1

Done: Andreas Metzler <ametzler@bebt.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#992172; Package src:exim4. (Sat, 14 Aug 2021 20:51:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Sat, 14 Aug 2021 20:51:03 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: exim4: CVE-2021-38371
Date: Sat, 14 Aug 2021 22:47:00 +0200
Source: exim4
Version: 4.94.2-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for exim4, this is to start
tracking the issue downstream for us. Note that at time of writing [2]
still gives a 404.

CVE-2021-38371[0]:
| The STARTTLS feature in Exim through 4.94.2 allows response injection
| (buffering) during MTA SMTP sending.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-38371
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38371
[1] https://nostarttls.secvuln.info
[2] https://www.exim.org/static/doc/security/CVE-2021-38371.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
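The "response injection (buffering)" named in the CVE text above is the client-side NO STARTTLS pattern described at [1]: a man-in-the-middle answers the sending MTA's STARTTLS with a 220 reply and appends a plaintext SMTP reply in the same segment; a client that reads through a buffer it keeps using after the TLS upgrade then serves that plaintext as if it had arrived inside the TLS session. The following Python model is an added illustration only, not code from this bug report, from Exim, or from the upstream fix discussed later in the thread. The server transcripts are constructed, the host name `mail.example.test` and the function names are hypothetical, and the TLS handshake itself is left as a comment so the model runs offline over a socketpair.

```python
import select
import socket

# Constructed transcripts (not taken from the page or from Exim): what the
# server end sends in reply to the client's STARTTLS command.
CLEAN_REPLY = b"220 2.0.0 Ready to start TLS\r\n"
# A man-in-the-middle appends a plaintext SMTP reply after the 220 line.
INJECTED_REPLY = (
    b"220 2.0.0 Ready to start TLS\r\n"
    b"250-mail.example.test Hello\r\n"      # hypothetical host name
    b"250 AUTH PLAIN LOGIN\r\n"
)


def vulnerable_client(sock):
    """Buffered read: the same reader object is kept across the TLS upgrade,
    so bytes that followed the 220 line are later returned as if they had
    arrived inside the TLS session."""
    reader = sock.makefile("rb")           # BufferedReader over the socket
    reply = reader.readline()              # may pull far more than one line
    if not reply.startswith(b"220"):
        raise RuntimeError("STARTTLS refused: %r" % reply)
    # A real client would now run the TLS handshake on `sock`, send EHLO
    # again and read the reply through `reader`.  That reply is served from
    # the leftover plaintext, not from the peer inside TLS:
    return reader.readline()


def read_line_unbuffered(sock):
    """Read exactly one CRLF-terminated line, one byte at a time, so nothing
    beyond the line is taken out of the kernel receive queue."""
    line = bytearray()
    while not line.endswith(b"\r\n"):
        ch = sock.recv(1)
        if not ch:
            raise ConnectionError("peer closed before end of reply")
        line += ch
    return bytes(line)


def pending_plaintext(sock):
    """Return any bytes already queued after the STARTTLS reply, without
    consuming them.  Anything here was sent in clear before our ClientHello
    and is under an on-path attacker's control."""
    readable, _, _ = select.select([sock], [], [], 0)
    if not readable:
        return b""
    return sock.recv(65536, socket.MSG_PEEK)


def hardened_client(sock):
    """Read the 220 line without buffering and refuse to start TLS while
    plaintext is still pending."""
    reply = read_line_unbuffered(sock)
    if not reply.startswith(b"220"):
        raise RuntimeError("STARTTLS refused: %r" % reply)
    extra = pending_plaintext(sock)
    if extra:
        raise RuntimeError("plaintext after STARTTLS reply, aborting: %r" % extra)
    # Safe to hand `sock` to ssl.SSLContext.wrap_socket() here; every later
    # read must go through the TLS object, never through a pre-TLS buffer.
    return reply


def simulate(server_bytes, client):
    """Drive `client` against a socketpair on which the server end has
    already written `server_bytes` and then closed its write side."""
    client_end, server_end = socket.socketpair()
    try:
        server_end.sendall(server_bytes)
        server_end.shutdown(socket.SHUT_WR)
        return client(client_end)
    finally:
        client_end.close()
        server_end.close()


def hardened_rejects(server_bytes):
    """True if the hardened client aborts before the handshake on this input."""
    try:
        simulate(server_bytes, hardened_client)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, injected:", simulate(INJECTED_REPLY, vulnerable_client))
    print("hardened, clean:     ", simulate(CLEAN_REPLY, hardened_client))
    print("hardened, injected rejected:", hardened_rejects(INJECTED_REPLY))
```

The check in `hardened_client` is what matters for an MTA: the STARTTLS reply must be consumed exactly, and any byte still queued before the handshake is evidence of tampering rather than data to keep. Even without the explicit peek, reading the 220 line unbuffered leaves appended plaintext in the kernel queue, where the TLS library reads it as a malformed handshake and fails closed instead of treating it as a server reply.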



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#992172; Package src:exim4. (Sun, 15 Aug 2021 05:24:03 GMT)

Acknowledgement sent to Andreas Metzler <ametzler@bebt.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Sun, 15 Aug 2021 05:24:03 GMT)

Message #10 received at 992172@bugs.debian.org:

From: Andreas Metzler <ametzler@bebt.de>
To: Salvatore Bonaccorso <carnil@debian.org>, 992172@bugs.debian.org
Subject: Re: Bug#992172: exim4: CVE-2021-38371
Date: Sun, 15 Aug 2021 07:21:40 +0200
On 2021-08-14 Salvatore Bonaccorso <carnil@debian.org> wrote:
> Source: exim4
> Version: 4.94.2-7
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

> Hi,

> The following vulnerability was published for exim4, this is to start
> tracking the issue downstream for us. Note that at time of writing [2]
> gives still a 404.

> CVE-2021-38371[0]:
> | The STARTTLS feature in Exim through 4.94.2 allows response injection
> | (buffering) during MTA SMTP sending.
[...]

IIRC that is mitigated in experimental (4.95 rc) by ALPN and unknown
command related changes, I will not be able to check in detail for a
week or so, though.

cu Andreas



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#992172; Package src:exim4. (Sun, 15 Aug 2021 07:09:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Sun, 15 Aug 2021 07:09:03 GMT)

Message #15 received at 992172@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Andreas Metzler <ametzler@bebt.de>
Cc: 992172@bugs.debian.org
Subject: Re: Bug#992172: exim4: CVE-2021-38371
Date: Sun, 15 Aug 2021 09:04:46 +0200
Hi Andreas,

On Sun, Aug 15, 2021 at 07:21:40AM +0200, Andreas Metzler wrote:
> On 2021-08-14 Salvatore Bonaccorso <carnil@debian.org> wrote:
> > Source: exim4
> > Version: 4.94.2-7
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> > Hi,
> 
> > The following vulnerability was published for exim4, this is to start
> > tracking the issue downstream for us. Note that at time of writing [2]
> > gives still a 404.
> 
> > CVE-2021-38371[0]:
> > | The STARTTLS feature in Exim through 4.94.2 allows response injection
> > | (buffering) during MTA SMTP sending.
> [...]
> 
> IIRC that is mitigated in experimental (4.95 rc) by ALPN and unknown
> command related changes, I will not be able to check in detail for a
> week or so, though.

Ack thanks for the information. Let's wait to see what's written in the
advisory URL once it becomes public.

Thanks for your work on exim4 packages!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#992172; Package src:exim4. (Wed, 15 Mar 2023 16:21:28 GMT)

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Wed, 15 Mar 2023 16:21:28 GMT)

Message #20 received at 992172@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Andreas Metzler <ametzler@bebt.de>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 992172@bugs.debian.org
Subject: Re: Bug#992172: exim4: CVE-2021-38371
Date: Wed, 15 Mar 2023 17:18:15 +0100
Am Sun, Aug 15, 2021 at 07:21:40AM +0200 schrieb Andreas Metzler:
> On 2021-08-14 Salvatore Bonaccorso <carnil@debian.org> wrote:
> > Source: exim4
> > Version: 4.94.2-7
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> > Hi,
> 
> > The following vulnerability was published for exim4, this is to start
> > tracking the issue downstream for us. Note that at time of writing [2]
> > gives still a 404.
> 
> > CVE-2021-38371[0]:
> > | The STARTTLS feature in Exim through 4.94.2 allows response injection
> > | (buffering) during MTA SMTP sending.
> [...]
> 
> IIRC that is mitigated in experimental (4.95 rc) by ALPN and unknown
> command related changes, I will not be able to check in detail for a
> week or so, though.

Do you know if this is fixed in 4.96/bookworm?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#992172; Package src:exim4. (Wed, 15 Mar 2023 19:51:08 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Wed, 15 Mar 2023 19:51:08 GMT)

Message #25 received at 992172@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Andreas Metzler <ametzler@bebt.de>, 992172@bugs.debian.org, hs@schlittermann.de
Subject: Re: Bug#992172: exim4: CVE-2021-38371
Date: Wed, 15 Mar 2023 20:49:01 +0100
Hello Andreas and Moritz,

On Wed, Mar 15, 2023 at 05:18:15PM +0100, Moritz Mühlenhoff wrote:
> Am Sun, Aug 15, 2021 at 07:21:40AM +0200 schrieb Andreas Metzler:
> > On 2021-08-14 Salvatore Bonaccorso <carnil@debian.org> wrote:
> > > Source: exim4
> > > Version: 4.94.2-7
> > > Severity: important
> > > Tags: security upstream
> > > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> > 
> > > Hi,
> > 
> > > The following vulnerability was published for exim4, this is to start
> > > tracking the issue downstream for us. Note that at time of writing [2]
> > > gives still a 404.
> > 
> > > CVE-2021-38371[0]:
> > > | The STARTTLS feature in Exim through 4.94.2 allows response injection
> > > | (buffering) during MTA SMTP sending.
> > [...]
> > 
> > IIRC that is mitigated in experimental (4.95 rc) by ALPN and unknown
> > command related changes, I will not be able to check in detail for a
> > week or so, though.
> 
> Do you know if this is fixed in 4.96/bookworm?

Looks like the planned advisory at
https://www.exim.org/static/doc/security/CVE-2021-38371.txt is not
online.

Looping in Heiko Schlittermann as well. Heiko, can you share details
on the fixes?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#992172; Package src:exim4. (Wed, 15 Mar 2023 22:45:02 GMT)

Acknowledgement sent to Heiko Schlittermann <hs@schlittermann.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Wed, 15 Mar 2023 22:45:02 GMT)

Message #30 received at 992172@bugs.debian.org:

From: Heiko Schlittermann <hs@schlittermann.de>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, Andreas Metzler <ametzler@bebt.de>, 992172@bugs.debian.org
Subject: Re: Bug#992172: exim4: CVE-2021-38371
Date: Wed, 15 Mar 2023 23:32:58 +0100
[not encrypted, I'm not able to find the key of Moritz]
Hi,

Salvatore Bonaccorso <carnil@debian.org> (Mi 15 Mär 2023 20:49:01 CET):
> Looks the planned advisory at
> https://www.exim.org/static/doc/security/CVE-2021-38371.txt is not
> online.

I found the message from last year on the list, and today's messages
too. It seems that there was some discussion about the content of the
advisory.

I'll try to clarify it and then return.

-- 
Heiko

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 16 Mar 2023 21:51:14 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 16 Mar 2023 21:51:14 GMT)

Message #35 received at 992172-done@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Andreas Metzler <ametzler@bebt.de>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 992172-done@bugs.debian.org
Subject: Re: Bug#992172: exim4: CVE-2021-38371
Date: Thu, 16 Mar 2023 20:50:50 +0100
Source: exim4
Source-Version: 4.95~RC0-1

On Thu, Mar 16, 2023 at 06:21:47PM +0100, Andreas Metzler wrote:
> On 2023-03-15 Moritz Mühlenhoff <jmm@inutil.org> wrote:
> > Am Sun, Aug 15, 2021 at 07:21:40AM +0200 schrieb Andreas Metzler:
> > > On 2021-08-14 Salvatore Bonaccorso <carnil@debian.org> wrote:
> [...]
> > > > CVE-2021-38371[0]:
> > > > | The STARTTLS feature in Exim through 4.94.2 allows response injection
> > > > | (buffering) during MTA SMTP sending.
> > > [...]
> > > 
> > > IIRC that is mitigated in experimental (4.95 rc) by ALPN and unknown
> > > command related changes, I will not be able to check in detail for a
> > > week or so, though.
> 
> > Do you know if this is fixed in 4.96/bookworm?
> 
> Yes it is. 4.95 and later are fine.
> https://lists.exim.org/lurker/message/20230315.200011.3128be8e.en.html

Thanks, so the mentioned commit was in the exim-4.95-RC0 upstream tag, and
so fixed in Debian first with the experimental upload 4.95~RC0-1.

Committed locally for the security-tracker and closing the bug (but
various Debian services are down right now).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#992172; Package src:exim4. (Thu, 16 Mar 2023 22:15:04 GMT)

Acknowledgement sent to Andreas Metzler <ametzler@bebt.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Thu, 16 Mar 2023 22:15:04 GMT)

Message #40 received at 992172@bugs.debian.org:

From: Andreas Metzler <ametzler@bebt.de>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 992172@bugs.debian.org
Subject: Re: Bug#992172: exim4: CVE-2021-38371
Date: Thu, 16 Mar 2023 18:21:47 +0100
On 2023-03-15 Moritz Mühlenhoff <jmm@inutil.org> wrote:
> Am Sun, Aug 15, 2021 at 07:21:40AM +0200 schrieb Andreas Metzler:
> > On 2021-08-14 Salvatore Bonaccorso <carnil@debian.org> wrote:
[...]
> > > CVE-2021-38371[0]:
> > > | The STARTTLS feature in Exim through 4.94.2 allows response injection
> > > | (buffering) during MTA SMTP sending.
> > [...]
> > 
> > IIRC that is mitigated in experimental (4.95 rc) by ALPN and unknown
> > command related changes, I will not be able to check in detail for a
> > week or so, though.

> Do you know if this is fixed in 4.96/bookworm?

Yes it is. 4.95 and later are fine.
https://lists.exim.org/lurker/message/20230315.200011.3128be8e.en.html

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Reply sent to Andreas Metzler <ametzler@bebt.de>:
You have taken responsibility. (Thu, 16 Mar 2023 22:15:06 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 16 Mar 2023 22:15:06 GMT)

Message #45 received at 992172-done@bugs.debian.org:

From: Andreas Metzler <ametzler@bebt.de>
To: 992172-done@bugs.debian.org
Subject: Re: Bug#992172: exim4: CVE-2021-38371
Date: Thu, 16 Mar 2023 18:39:35 +0100
Version: 4.95~RC2-1

On 2021-08-15 Andreas Metzler <ametzler@bebt.de> wrote:
> On 2021-08-14 Salvatore Bonaccorso <carnil@debian.org> wrote:
> > Source: exim4
> > Version: 4.94.2-7
[...]
> > The following vulnerability was published for exim4, this is to start
> > tracking the issue downstream for us. Note that at time of writing [2]
> > gives still a 404.

> > CVE-2021-38371[0]:
> > | The STARTTLS feature in Exim through 4.94.2 allows response injection
> > | (buffering) during MTA SMTP sending.
> [...]

> IIRC that is mitigated in experimental (4.95 rc) by ALPN and unknown
> command related changes, I will not be able to check in detail for a
> week or so, though.

Fixed with commit 1b9ab35f323121aabf029f0496c7227818efad14.

https://lists.exim.org/lurker/message/20230315.200011.3128be8e.en.html

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 14 Apr 2023 07:26:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jul 10 20:54:36 2023; Machine Name: bembo
