exim uses its own SSL_CIPHER_get_id() which replaces libssl's version
with one that will break once we make SSL_CIPHER opaque.
seems fine to Renaud Allard (maintainer)
Fixes many issues reported (with fixes) last year by Qualys, details will be
available later at https://www.qualys.com/2021/05/04/21nails/21nails.txt
Local vulnerabilities
- CVE-2020-28007: Link attack in Exim's log directory
- CVE-2020-28008: Assorted attacks in Exim's spool directory
- CVE-2020-28014: Arbitrary PID file creation
- CVE-2020-28011: Heap buffer overflow in queue_run()
- CVE-2020-28010: Heap out-of-bounds write in main()
- CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
- CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
- CVE-2020-28015: New-line injection into spool header file (local)
- CVE-2020-28012: Missing close-on-exec flag for privileged pipe
- CVE-2020-28009: Integer overflow in get_stdinput()
Remote vulnerabilities
- CVE-2020-28017: Integer overflow in receive_add_recipient()
- CVE-2020-28020: Integer overflow in receive_msg()
- CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
- CVE-2020-28021: New-line injection into spool header file (remote)
- CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
- CVE-2020-28026: Line truncation and injection in spool_read_header()
- CVE-2020-28019: Failure to reset function pointer after BDAT error
- CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
- CVE-2020-28018: Use-after-free in tls-openssl.c
- CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
CVE-2019-20790 - OpenDMARC through 1.3.2 and 1.4.x, when used with
pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC
authentication in situations where the HELO field is inconsistent
with the MAIL FROM field.
CVE-2020-12272 - OpenDMARC through 1.3.2 and 1.4.x allows attacks
that inject authentication results to provide false information
about the domain that originated an e-mail message. This is caused
by incorrect parsing and interpretation of SPF/DKIM authentication
results, as demonstrated by the "example.net(.example.com" substring.
CVE-2020-12460 - OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1
has improper null termination in the function opendmarc_xml_parse that
can result in a one-byte heap overflow in opendmarc_xml when parsing a
specially crafted DMARC aggregate report. This can cause remote memory
corruption when a '\0' byte overwrites the heap metadata of the next
chunk and its PREV_INUSE flag.
various null pointer-related fixes, also present in postfix/snapshot but
that will require some diffing and backporting as upstream has removed
support for libressl and older openssl.
This doesn't make much difference for current filters, but allows filters
to clean up after themselves; which helps with memory leak detection.
OK jasper@
