Bug 1996 - CVE-2016-9963 - DKIM info leak
Status: RESOLVED FIXED
Product: Exim
Classification: Unclassified
Component: Unfiled
Version: 4.87
Hardware: All All
Importance: high bug
Target Milestone: Exim 4.88
Assigned To: Jeremy Harris
Reported: 2016-12-15 23:13 UTC by Jeremy Harris
Modified: 2017-01-08 21:37 UTC (History)
Description Jeremy Harris 2016-12-15 23:13:28 UTC

    
Comment 1 Heiko Schlittermann 2016-12-19 11:24:13 UTC
Bugfixes are available for packagers, maintainers and contributors.

If you need access to these repos, please contact hs@schlittermann.de via GPG signed mail, send your public SSH key, and explain why you need access right now.

The fixed releases (4.87.1, 4.88) will be made public on Dec 25th.
Comment 2 Phil Pennock 2016-12-21 20:04:55 UTC
Wait what?  A security release on Christmas Day?

Even if there's nothing to be done for a particular install, folks will still have to analyze and determine that.  For many folks, they'll have to act quickly to build packages.  Even if they don't, they still have to figure that out.

So a Sunday security release is unfortunate enough; one of the biggest global holidays is a really unfortunate choice and should be avoided unless there's compelling rationale for why it must be that date.

Can we defer until Tuesday 27th?
Comment 3 Jeremy Harris 2016-12-25 11:08:58 UTC
https://exim.org/static/doc/CVE-2016-9963.txt

Fix by: 87cb4a166c47
Comment 4 Jeremy Harris 2017-01-08 21:37:51 UTC
Nobody commented