Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2019-16928
Vulnerability from cvelistv5
Published
2019-09-27 20:07
Modified
2025-02-04 20:04
Severity ?
EPSS score ?
Summary
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
References
CISA Known exploited vulnerability
Data from the Known Exploited Vulnerabilities Catalog
Date added: 2022-03-03
Due date: 2022-03-17
Required action: Apply updates per vendor instructions.
Used in ransomware: Unknown
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-16928
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T01:24:48.568Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugs.exim.org/show_bug.cgi?id=2449", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f", }, { name: "[oss-security] 20190928 Exim CVE-2019-16928 RCE using a heap-based buffer overflow", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/1", }, { name: "[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/2", }, { name: "[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/3", }, { name: "DSA-4536", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2019/dsa-4536", }, { name: "USN-4141-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/4141-1/", }, { name: "[oss-security] 20190929 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/4", }, { name: "20190929 [SECURITY] [DSA 4536-1] exim4 security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "https://seclists.org/bugtraq/2019/Sep/60", }, { name: "FEDORA-2019-006dfc94cd", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC/", }, { name: "FEDORA-2019-e080507ba5", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB/", }, { name: "FEDORA-2019-d778bd4137", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC/", }, { name: "GLSA-202003-47", tags: [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred", ], url: "https://security.gentoo.org/glsa/202003-47", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2019-16928", options: [ { Exploitation: "active", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-04T20:03:35.553352Z", version: "2.0.3", }, type: "ssvc", }, }, { other: { content: { dateAdded: "2022-03-03", reference: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2019-16928", }, type: "kev", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-787", description: "CWE-787 Out-of-bounds Write", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-04T20:04:50.543Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-03-20T20:06:16.000Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html", }, { tags: [ "x_refsource_MISC", ], url: "https://bugs.exim.org/show_bug.cgi?id=2449", }, { tags: [ "x_refsource_MISC", ], url: "https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f", }, { name: "[oss-security] 20190928 Exim CVE-2019-16928 RCE using a heap-based buffer overflow", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/1", }, { name: "[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/2", }, { name: "[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/3", }, { name: "DSA-4536", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2019/dsa-4536", }, { name: "USN-4141-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/4141-1/", }, { name: "[oss-security] 20190929 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/4", }, { name: "20190929 [SECURITY] [DSA 4536-1] exim4 security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "https://seclists.org/bugtraq/2019/Sep/60", }, { name: "FEDORA-2019-006dfc94cd", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC/", }, { name: "FEDORA-2019-e080507ba5", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB/", }, { name: "FEDORA-2019-d778bd4137", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC/", }, { name: "GLSA-202003-47", tags: [ "vendor-advisory", "x_refsource_GENTOO", ], url: "https://security.gentoo.org/glsa/202003-47", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2019-16928", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html", refsource: "MISC", url: "https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html", }, { name: "https://bugs.exim.org/show_bug.cgi?id=2449", refsource: "MISC", url: "https://bugs.exim.org/show_bug.cgi?id=2449", }, { name: "https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f", refsource: "MISC", url: "https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f", }, { name: "[oss-security] 20190928 Exim CVE-2019-16928 RCE using a heap-based buffer overflow", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2019/09/28/1", }, { name: "[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2019/09/28/2", }, { name: "[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2019/09/28/3", }, { name: "DSA-4536", refsource: "DEBIAN", url: "https://www.debian.org/security/2019/dsa-4536", }, { name: "USN-4141-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/4141-1/", }, { name: "[oss-security] 20190929 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2019/09/28/4", }, { name: "20190929 [SECURITY] [DSA 4536-1] exim4 security update", refsource: "BUGTRAQ", url: "https://seclists.org/bugtraq/2019/Sep/60", }, { name: "FEDORA-2019-006dfc94cd", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC/", }, { name: "FEDORA-2019-e080507ba5", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB/", }, { name: "FEDORA-2019-d778bd4137", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC/", }, { name: "GLSA-202003-47", refsource: "GENTOO", url: "https://security.gentoo.org/glsa/202003-47", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2019-16928", datePublished: "2019-09-27T20:07:12.000Z", dateReserved: "2019-09-27T00:00:00.000Z", dateUpdated: "2025-02-04T20:04:50.543Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { cisa_known_exploited: { cveID: "CVE-2019-16928", cwes: "[\"CWE-787\"]", dateAdded: "2022-03-03", dueDate: "2022-03-17", knownRansomwareCampaignUse: "Unknown", notes: "https://nvd.nist.gov/vuln/detail/CVE-2019-16928", product: "Exim Internet Mailer", requiredAction: "Apply updates per vendor instructions.", shortDescription: "Exim contains an out-of-bounds write vulnerability which can allow for remote code execution.", vendorProject: "Exim", vulnerabilityName: "Exim Out-of-bounds Write Vulnerability", }, nvd: "{\"cve\":{\"id\":\"CVE-2019-16928\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-09-27T21:15:10.017\",\"lastModified\":\"2025-03-07T14:24:42.067\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.\"},{\"lang\":\"es\",\"value\":\"Exim versiones 4.92 hasta 4.92.2, permite una ejecución de código remota, una vulnerabilidad diferente de CVE-2019-15846. Se presenta un desbordamiento del buffer basado en memoria dinámica (heap) en la función string_vformat en el archivo string.c que implica un comando EHLO largo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2022-03-03\",\"cisaActionDue\":\"2022-03-17\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Exim Out-of-bounds Write Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.92\",\"versionEndIncluding\":\"4.92.2\",\"matchCriteriaId\":\"A6833B54-69D3-428C-8D54-50FFDE6154D2\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CD783B0C-9246-47D9-A937-6144FE8BFF0F\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D100F7CE-FC64-4CC6-852A-6136D72DA419\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"97A4B8DF-58DA-4AB6-A1F9-331B36409BA3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2019/09/28/1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Mailing List\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2019/09/28/2\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2019/09/28/3\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2019/09/28/4\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://bugs.exim.org/show_bug.cgi?id=2449\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://seclists.org/bugtraq/2019/Sep/60\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202003-47\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4141-1/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2019/dsa-4536\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2019/09/28/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2019/09/28/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2019/09/28/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2019/09/28/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://bugs.exim.org/show_bug.cgi?id=2449\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://seclists.org/bugtraq/2019/Sep/60\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202003-47\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4141-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2019/dsa-4536\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}", vulnrichment: { containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://bugs.exim.org/show_bug.cgi?id=2449\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2019/09/28/1\", \"name\": \"[oss-security] 20190928 Exim CVE-2019-16928 RCE using a heap-based buffer overflow\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2019/09/28/2\", \"name\": \"[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2019/09/28/3\", \"name\": \"[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\", \"x_transferred\"]}, {\"url\": \"https://www.debian.org/security/2019/dsa-4536\", \"name\": \"DSA-4536\", \"tags\": [\"vendor-advisory\", \"x_refsource_DEBIAN\", \"x_transferred\"]}, {\"url\": \"https://usn.ubuntu.com/4141-1/\", \"name\": \"USN-4141-1\", \"tags\": [\"vendor-advisory\", \"x_refsource_UBUNTU\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2019/09/28/4\", \"name\": \"[oss-security] 20190929 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\", \"x_transferred\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/Sep/60\", \"name\": \"20190929 [SECURITY] [DSA 4536-1] exim4 security update\", \"tags\": [\"mailing-list\", \"x_refsource_BUGTRAQ\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC/\", \"name\": \"FEDORA-2019-006dfc94cd\", \"tags\": [\"vendor-advisory\", \"x_refsource_FEDORA\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB/\", \"name\": \"FEDORA-2019-e080507ba5\", \"tags\": [\"vendor-advisory\", \"x_refsource_FEDORA\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC/\", \"name\": \"FEDORA-2019-d778bd4137\", \"tags\": [\"vendor-advisory\", \"x_refsource_FEDORA\", \"x_transferred\"]}, {\"url\": \"https://security.gentoo.org/glsa/202003-47\", \"name\": \"GLSA-202003-47\", \"tags\": [\"vendor-advisory\", \"x_refsource_GENTOO\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-05T01:24:48.568Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2019-16928\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-04T20:03:35.553352Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-03-03\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2019-16928\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787 Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-04T20:03:18.338Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://bugs.exim.org/show_bug.cgi?id=2449\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2019/09/28/1\", \"name\": \"[oss-security] 20190928 Exim CVE-2019-16928 RCE using a heap-based buffer overflow\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2019/09/28/2\", \"name\": \"[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2019/09/28/3\", \"name\": \"[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\"]}, {\"url\": \"https://www.debian.org/security/2019/dsa-4536\", \"name\": \"DSA-4536\", \"tags\": [\"vendor-advisory\", \"x_refsource_DEBIAN\"]}, {\"url\": \"https://usn.ubuntu.com/4141-1/\", \"name\": \"USN-4141-1\", \"tags\": [\"vendor-advisory\", \"x_refsource_UBUNTU\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2019/09/28/4\", \"name\": \"[oss-security] 20190929 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/Sep/60\", \"name\": \"20190929 [SECURITY] [DSA 4536-1] exim4 security update\", \"tags\": [\"mailing-list\", \"x_refsource_BUGTRAQ\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC/\", \"name\": \"FEDORA-2019-006dfc94cd\", \"tags\": [\"vendor-advisory\", \"x_refsource_FEDORA\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB/\", \"name\": \"FEDORA-2019-e080507ba5\", \"tags\": [\"vendor-advisory\", \"x_refsource_FEDORA\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC/\", \"name\": \"FEDORA-2019-d778bd4137\", \"tags\": [\"vendor-advisory\", \"x_refsource_FEDORA\"]}, {\"url\": \"https://security.gentoo.org/glsa/202003-47\", \"name\": \"GLSA-202003-47\", \"tags\": [\"vendor-advisory\", \"x_refsource_GENTOO\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2020-03-20T20:06:16.000Z\"}, \"x_legacyV4Record\": {\"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"n/a\"}]}, \"product_name\": \"n/a\"}]}, \"vendor_name\": \"n/a\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html\", \"name\": \"https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html\", \"refsource\": \"MISC\"}, {\"url\": \"https://bugs.exim.org/show_bug.cgi?id=2449\", \"name\": \"https://bugs.exim.org/show_bug.cgi?id=2449\", \"refsource\": \"MISC\"}, {\"url\": \"https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f\", \"name\": \"https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f\", \"refsource\": \"MISC\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2019/09/28/1\", \"name\": \"[oss-security] 20190928 Exim CVE-2019-16928 RCE using a heap-based buffer overflow\", \"refsource\": \"MLIST\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2019/09/28/2\", \"name\": \"[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow\", \"refsource\": \"MLIST\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2019/09/28/3\", \"name\": \"[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow\", \"refsource\": \"MLIST\"}, {\"url\": \"https://www.debian.org/security/2019/dsa-4536\", \"name\": \"DSA-4536\", \"refsource\": \"DEBIAN\"}, {\"url\": \"https://usn.ubuntu.com/4141-1/\", \"name\": \"USN-4141-1\", \"refsource\": \"UBUNTU\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2019/09/28/4\", \"name\": \"[oss-security] 20190929 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow\", \"refsource\": \"MLIST\"}, {\"url\": \"https://seclists.org/bugtraq/2019/Sep/60\", \"name\": \"20190929 [SECURITY] [DSA 4536-1] exim4 security update\", \"refsource\": \"BUGTRAQ\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC/\", \"name\": \"FEDORA-2019-006dfc94cd\", \"refsource\": \"FEDORA\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB/\", \"name\": \"FEDORA-2019-e080507ba5\", \"refsource\": \"FEDORA\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC/\", \"name\": \"FEDORA-2019-d778bd4137\", \"refsource\": \"FEDORA\"}, {\"url\": \"https://security.gentoo.org/glsa/202003-47\", \"name\": \"GLSA-202003-47\", \"refsource\": \"GENTOO\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"n/a\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2019-16928\", \"STATE\": \"PUBLIC\", \"ASSIGNER\": \"cve@mitre.org\"}}}}", cveMetadata: "{\"cveId\": \"CVE-2019-16928\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-04T20:04:50.543Z\", \"dateReserved\": \"2019-09-27T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2019-09-27T20:07:12.000Z\", \"assignerShortName\": \"mitre\"}", dataType: "CVE_RECORD", dataVersion: "5.1", }, }, }
gsd-2019-16928
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
Aliases
Aliases
{ GSD: { alias: "CVE-2019-16928", description: "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.", id: "GSD-2019-16928", references: [ "https://www.suse.com/security/cve/CVE-2019-16928.html", "https://www.debian.org/security/2019/dsa-4536", "https://security.archlinux.org/CVE-2019-16928", "https://alas.aws.amazon.com/cve/html/CVE-2019-16928.html", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2019-16928", ], details: "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.", id: "GSD-2019-16928", modified: "2023-12-13T01:23:40.714536Z", schema_version: "1.4.0", }, }, namespaces: { "cisa.gov": { cveID: "CVE-2019-16928", dateAdded: "2022-03-03", dueDate: "2022-03-17", product: "Exim Internet Mailer", requiredAction: "Apply updates per vendor instructions.", shortDescription: "Exim contains an out-of-bounds write vulnerability which can allow for remote code execution.", vendorProject: "Exim", vulnerabilityName: "Exim Out-of-bounds Write Vulnerability", }, "cve.org": { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2019-16928", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html", refsource: "MISC", url: "https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html", }, { name: "https://bugs.exim.org/show_bug.cgi?id=2449", refsource: "MISC", url: "https://bugs.exim.org/show_bug.cgi?id=2449", }, { name: "https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f", refsource: "MISC", url: "https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f", }, { name: "[oss-security] 20190928 Exim CVE-2019-16928 RCE using a heap-based buffer overflow", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2019/09/28/1", }, { name: "[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2019/09/28/2", }, { name: "[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2019/09/28/3", }, { name: "DSA-4536", refsource: "DEBIAN", url: "https://www.debian.org/security/2019/dsa-4536", }, { name: "USN-4141-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/4141-1/", }, { name: "[oss-security] 20190929 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2019/09/28/4", }, { name: "20190929 [SECURITY] [DSA 4536-1] exim4 security update", refsource: "BUGTRAQ", url: "https://seclists.org/bugtraq/2019/Sep/60", }, { name: "FEDORA-2019-006dfc94cd", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC/", }, { name: "FEDORA-2019-e080507ba5", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB/", }, { name: "FEDORA-2019-d778bd4137", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC/", }, { name: "GLSA-202003-47", refsource: "GENTOO", url: "https://security.gentoo.org/glsa/202003-47", }, ], }, }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*", cpe_name: [], versionEndIncluding: "4.92.2", versionStartIncluding: "4.92", vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2019-16928", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-787", }, ], }, ], }, references: { reference_data: [ { name: "https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f", refsource: "MISC", tags: [ "Patch", "Third Party Advisory", ], url: "https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f", }, { name: "https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html", refsource: "MISC", tags: [ "Vendor Advisory", ], url: "https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html", }, { name: "https://bugs.exim.org/show_bug.cgi?id=2449", refsource: "MISC", tags: [ "Issue Tracking", "Patch", "Vendor Advisory", ], url: "https://bugs.exim.org/show_bug.cgi?id=2449", }, { name: "[oss-security] 20190928 Exim CVE-2019-16928 RCE using a heap-based buffer overflow", refsource: "MLIST", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/1", }, { name: "[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow", refsource: "MLIST", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/2", }, { name: "[oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow", refsource: "MLIST", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/3", }, { name: "DSA-4536", refsource: "DEBIAN", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2019/dsa-4536", }, { name: "USN-4141-1", refsource: "UBUNTU", tags: [ "Third Party Advisory", ], url: "https://usn.ubuntu.com/4141-1/", }, { name: "[oss-security] 20190929 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow", refsource: "MLIST", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/4", }, { name: "20190929 [SECURITY] [DSA 4536-1] exim4 security update", refsource: "BUGTRAQ", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://seclists.org/bugtraq/2019/Sep/60", }, { name: "FEDORA-2019-006dfc94cd", refsource: "FEDORA", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC/", }, { name: "FEDORA-2019-e080507ba5", refsource: "FEDORA", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB/", }, { name: "FEDORA-2019-d778bd4137", refsource: "FEDORA", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC/", }, { name: "GLSA-202003-47", refsource: "GENTOO", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202003-47", }, ], }, }, impact: { baseMetricV2: { acInsufInfo: false, cvssV2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "HIGH", userInteractionRequired: false, }, baseMetricV3: { cvssV3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, }, }, lastModifiedDate: "2022-03-31T17:50Z", publishedDate: "2019-09-27T21:15Z", }, }, }
ghsa-xg2f-gj2p-r7xq
Vulnerability from github
Published
2022-05-24 16:57
Modified
2024-07-24 15:31
Severity ?
Details
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
{ affected: [], aliases: [ "CVE-2019-16928", ], database_specific: { cwe_ids: [ "CWE-120", "CWE-787", ], github_reviewed: false, github_reviewed_at: null, nvd_published_at: "2019-09-27T21:15:00Z", severity: "HIGH", }, details: "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.", id: "GHSA-xg2f-gj2p-r7xq", modified: "2024-07-24T15:31:25Z", published: "2022-05-24T16:57:08Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-16928", }, { type: "WEB", url: "https://bugs.exim.org/show_bug.cgi?id=2449", }, { type: "WEB", url: "https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f", }, { type: "WEB", url: "https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html", }, { type: "WEB", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC", }, { type: "WEB", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC", }, { type: "WEB", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB", }, { type: "WEB", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC", }, { type: "WEB", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC", }, { type: "WEB", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB", }, { type: "WEB", url: "https://seclists.org/bugtraq/2019/Sep/60", }, { type: "WEB", url: "https://security.gentoo.org/glsa/202003-47", }, { type: "WEB", url: "https://usn.ubuntu.com/4141-1", }, { type: "WEB", url: "https://www.debian.org/security/2019/dsa-4536", }, { type: "WEB", url: "http://www.openwall.com/lists/oss-security/2019/09/28/1", }, { type: "WEB", url: "http://www.openwall.com/lists/oss-security/2019/09/28/2", }, { type: "WEB", url: "http://www.openwall.com/lists/oss-security/2019/09/28/3", }, { type: "WEB", url: "http://www.openwall.com/lists/oss-security/2019/09/28/4", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", type: "CVSS_V3", }, ], }
opensuse-su-2024:10746-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
exim-4.94.2-4.2 on GA media
Notes
Title of the patch
exim-4.94.2-4.2 on GA media
Description of the patch
These are all security issues fixed in the exim-4.94.2-4.2 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-10746
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "exim-4.94.2-4.2 on GA media", title: "Title of the patch", }, { category: "description", text: "These are all security issues fixed in the exim-4.94.2-4.2 package on the GA media of openSUSE Tumbleweed.", title: "Description of the patch", }, { category: "details", text: "openSUSE-Tumbleweed-2024-10746", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10746-1.json", }, { category: "self", summary: "SUSE CVE CVE-2016-9963 page", url: "https://www.suse.com/security/cve/CVE-2016-9963/", }, { category: "self", summary: "SUSE CVE CVE-2017-1000369 page", url: "https://www.suse.com/security/cve/CVE-2017-1000369/", }, { category: "self", summary: "SUSE CVE CVE-2017-16943 page", url: "https://www.suse.com/security/cve/CVE-2017-16943/", }, { category: "self", summary: "SUSE CVE CVE-2017-16944 page", url: "https://www.suse.com/security/cve/CVE-2017-16944/", }, { category: "self", summary: "SUSE CVE CVE-2018-6789 page", url: "https://www.suse.com/security/cve/CVE-2018-6789/", }, { category: "self", summary: "SUSE CVE CVE-2019-10149 page", url: "https://www.suse.com/security/cve/CVE-2019-10149/", }, { category: "self", summary: "SUSE CVE CVE-2019-13917 page", url: "https://www.suse.com/security/cve/CVE-2019-13917/", }, { category: "self", summary: "SUSE CVE CVE-2019-15846 page", url: "https://www.suse.com/security/cve/CVE-2019-15846/", }, { category: "self", summary: "SUSE CVE CVE-2019-16928 page", url: "https://www.suse.com/security/cve/CVE-2019-16928/", }, { category: "self", summary: "SUSE CVE CVE-2020-12783 page", url: "https://www.suse.com/security/cve/CVE-2020-12783/", }, { category: "self", summary: "SUSE CVE CVE-2020-28007 page", url: "https://www.suse.com/security/cve/CVE-2020-28007/", }, { category: "self", summary: "SUSE CVE CVE-2020-28008 page", url: "https://www.suse.com/security/cve/CVE-2020-28008/", }, { category: "self", summary: "SUSE CVE CVE-2020-28009 page", url: "https://www.suse.com/security/cve/CVE-2020-28009/", }, { category: "self", summary: "SUSE CVE CVE-2020-28010 page", url: "https://www.suse.com/security/cve/CVE-2020-28010/", }, { category: "self", summary: "SUSE CVE CVE-2020-28011 page", url: "https://www.suse.com/security/cve/CVE-2020-28011/", }, { category: "self", summary: "SUSE CVE CVE-2020-28012 page", url: "https://www.suse.com/security/cve/CVE-2020-28012/", }, { category: "self", summary: "SUSE CVE CVE-2020-28013 page", url: "https://www.suse.com/security/cve/CVE-2020-28013/", }, { category: "self", summary: "SUSE CVE CVE-2020-28014 page", url: "https://www.suse.com/security/cve/CVE-2020-28014/", }, { category: "self", summary: "SUSE CVE CVE-2020-28015 page", url: "https://www.suse.com/security/cve/CVE-2020-28015/", }, { category: "self", summary: "SUSE CVE CVE-2020-28016 page", url: "https://www.suse.com/security/cve/CVE-2020-28016/", }, { category: "self", summary: "SUSE CVE CVE-2020-28017 page", url: "https://www.suse.com/security/cve/CVE-2020-28017/", }, { category: "self", summary: "SUSE CVE CVE-2020-28018 page", url: "https://www.suse.com/security/cve/CVE-2020-28018/", }, { category: "self", summary: "SUSE CVE CVE-2020-28019 page", url: "https://www.suse.com/security/cve/CVE-2020-28019/", }, { category: "self", summary: "SUSE CVE CVE-2020-28020 page", url: "https://www.suse.com/security/cve/CVE-2020-28020/", }, { category: "self", summary: "SUSE CVE CVE-2020-28021 page", url: "https://www.suse.com/security/cve/CVE-2020-28021/", }, { category: "self", summary: "SUSE CVE CVE-2020-28022 page", url: "https://www.suse.com/security/cve/CVE-2020-28022/", }, { category: "self", summary: "SUSE CVE CVE-2020-28023 page", url: "https://www.suse.com/security/cve/CVE-2020-28023/", }, { category: "self", summary: "SUSE CVE CVE-2020-28024 page", url: "https://www.suse.com/security/cve/CVE-2020-28024/", }, { category: "self", summary: "SUSE CVE CVE-2020-28025 page", url: "https://www.suse.com/security/cve/CVE-2020-28025/", }, { category: "self", summary: "SUSE CVE CVE-2020-28026 page", url: "https://www.suse.com/security/cve/CVE-2020-28026/", }, { category: "self", summary: "SUSE CVE CVE-2020-8015 page", url: "https://www.suse.com/security/cve/CVE-2020-8015/", }, ], title: "exim-4.94.2-4.2 on GA media", tracking: { current_release_date: "2024-06-15T00:00:00Z", generator: { date: "2024-06-15T00:00:00Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2024:10746-1", initial_release_date: "2024-06-15T00:00:00Z", revision_history: [ { date: "2024-06-15T00:00:00Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "exim-4.94.2-4.2.aarch64", product: { name: "exim-4.94.2-4.2.aarch64", product_id: "exim-4.94.2-4.2.aarch64", }, }, { category: "product_version", name: "eximon-4.94.2-4.2.aarch64", product: { name: "eximon-4.94.2-4.2.aarch64", product_id: "eximon-4.94.2-4.2.aarch64", }, }, { category: "product_version", name: "eximstats-html-4.94.2-4.2.aarch64", product: { name: "eximstats-html-4.94.2-4.2.aarch64", product_id: "eximstats-html-4.94.2-4.2.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "exim-4.94.2-4.2.ppc64le", product: { name: "exim-4.94.2-4.2.ppc64le", product_id: "exim-4.94.2-4.2.ppc64le", }, }, { category: "product_version", name: "eximon-4.94.2-4.2.ppc64le", product: { name: "eximon-4.94.2-4.2.ppc64le", product_id: "eximon-4.94.2-4.2.ppc64le", }, }, { category: "product_version", name: "eximstats-html-4.94.2-4.2.ppc64le", product: { name: "eximstats-html-4.94.2-4.2.ppc64le", product_id: "eximstats-html-4.94.2-4.2.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "exim-4.94.2-4.2.s390x", product: { name: "exim-4.94.2-4.2.s390x", product_id: "exim-4.94.2-4.2.s390x", }, }, { category: "product_version", name: "eximon-4.94.2-4.2.s390x", product: { name: "eximon-4.94.2-4.2.s390x", product_id: "eximon-4.94.2-4.2.s390x", }, }, { category: "product_version", name: "eximstats-html-4.94.2-4.2.s390x", product: { name: "eximstats-html-4.94.2-4.2.s390x", product_id: "eximstats-html-4.94.2-4.2.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "exim-4.94.2-4.2.x86_64", product: { name: "exim-4.94.2-4.2.x86_64", product_id: "exim-4.94.2-4.2.x86_64", }, }, { category: "product_version", name: "eximon-4.94.2-4.2.x86_64", product: { name: "eximon-4.94.2-4.2.x86_64", product_id: "eximon-4.94.2-4.2.x86_64", }, }, { category: "product_version", name: "eximstats-html-4.94.2-4.2.x86_64", product: { name: "eximstats-html-4.94.2-4.2.x86_64", product_id: "eximstats-html-4.94.2-4.2.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Tumbleweed", product: { name: "openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed", product_identification_helper: { cpe: "cpe:/o:opensuse:tumbleweed", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "exim-4.94.2-4.2.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", }, product_reference: "exim-4.94.2-4.2.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "exim-4.94.2-4.2.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", }, product_reference: "exim-4.94.2-4.2.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "exim-4.94.2-4.2.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", }, product_reference: "exim-4.94.2-4.2.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "exim-4.94.2-4.2.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", }, product_reference: "exim-4.94.2-4.2.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "eximon-4.94.2-4.2.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", }, product_reference: "eximon-4.94.2-4.2.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "eximon-4.94.2-4.2.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", }, product_reference: "eximon-4.94.2-4.2.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "eximon-4.94.2-4.2.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", }, product_reference: "eximon-4.94.2-4.2.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "eximon-4.94.2-4.2.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", }, product_reference: "eximon-4.94.2-4.2.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "eximstats-html-4.94.2-4.2.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", }, product_reference: "eximstats-html-4.94.2-4.2.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "eximstats-html-4.94.2-4.2.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", }, product_reference: "eximstats-html-4.94.2-4.2.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "eximstats-html-4.94.2-4.2.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", }, product_reference: "eximstats-html-4.94.2-4.2.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "eximstats-html-4.94.2-4.2.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", }, product_reference: "eximstats-html-4.94.2-4.2.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, ], }, vulnerabilities: [ { cve: "CVE-2016-9963", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-9963", }, ], notes: [ { category: "general", text: "Exim before 4.87.1 might allow remote attackers to obtain the private DKIM signing key via vectors related to log files and bounce messages.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2016-9963", url: "https://www.suse.com/security/cve/CVE-2016-9963", }, { category: "external", summary: "SUSE Bug 1015930 for CVE-2016-9963", url: "https://bugzilla.suse.com/1015930", }, { category: "external", summary: "SUSE Bug 1053919 for CVE-2016-9963", url: "https://bugzilla.suse.com/1053919", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2016-9963", }, { cve: "CVE-2017-1000369", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-1000369", }, ], notes: [ { category: "general", text: "Exim supports the use of multiple \"-p\" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-1000369", url: "https://www.suse.com/security/cve/CVE-2017-1000369", }, { category: "external", summary: "SUSE Bug 1037551 for CVE-2017-1000369", url: "https://bugzilla.suse.com/1037551", }, { category: "external", summary: "SUSE Bug 1044692 for CVE-2017-1000369", url: "https://bugzilla.suse.com/1044692", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "low", }, ], title: "CVE-2017-1000369", }, { cve: "CVE-2017-16943", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-16943", }, ], notes: [ { category: "general", text: "The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-16943", url: "https://www.suse.com/security/cve/CVE-2017-16943", }, { category: "external", summary: "SUSE Bug 1069857 for CVE-2017-16943", url: "https://bugzilla.suse.com/1069857", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2017-16943", }, { cve: "CVE-2017-16944", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-16944", }, ], notes: [ { category: "general", text: "The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-16944", url: "https://www.suse.com/security/cve/CVE-2017-16944", }, { category: "external", summary: "SUSE Bug 1069859 for CVE-2017-16944", url: "https://bugzilla.suse.com/1069859", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2017-16944", }, { cve: "CVE-2018-6789", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-6789", }, ], notes: [ { category: "general", text: "An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-6789", url: "https://www.suse.com/security/cve/CVE-2018-6789", }, { category: "external", summary: "SUSE Bug 1079832 for CVE-2018-6789", url: "https://bugzilla.suse.com/1079832", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2018-6789", }, { cve: "CVE-2019-10149", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-10149", }, ], notes: [ { category: "general", text: "A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-10149", url: "https://www.suse.com/security/cve/CVE-2019-10149", }, { category: "external", summary: "SUSE Bug 1136587 for CVE-2019-10149", url: "https://bugzilla.suse.com/1136587", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2019-10149", }, { cve: "CVE-2019-13917", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-13917", }, ], notes: [ { category: "general", text: "Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-13917", url: "https://www.suse.com/security/cve/CVE-2019-13917", }, { category: "external", summary: "SUSE Bug 1142207 for CVE-2019-13917", url: "https://bugzilla.suse.com/1142207", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2019-13917", }, { cve: "CVE-2019-15846", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-15846", }, ], notes: [ { category: "general", text: "Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-15846", url: "https://www.suse.com/security/cve/CVE-2019-15846", }, { category: "external", summary: "SUSE Bug 1149182 for CVE-2019-15846", url: "https://bugzilla.suse.com/1149182", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2019-15846", }, { cve: "CVE-2019-16928", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-16928", }, ], notes: [ { category: "general", text: "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-16928", url: "https://www.suse.com/security/cve/CVE-2019-16928", }, { category: "external", summary: "SUSE Bug 1152507 for CVE-2019-16928", url: "https://bugzilla.suse.com/1152507", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2019-16928", }, { cve: "CVE-2020-12783", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-12783", }, ], notes: [ { category: "general", text: "Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-12783", url: "https://www.suse.com/security/cve/CVE-2020-12783", }, { category: "external", summary: "SUSE Bug 1171490 for CVE-2020-12783", url: "https://bugzilla.suse.com/1171490", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-12783", }, { cve: "CVE-2020-28007", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28007", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28007", url: "https://www.suse.com/security/cve/CVE-2020-28007", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28007", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28007", }, { cve: "CVE-2020-28008", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28008", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to command execution.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28008", url: "https://www.suse.com/security/cve/CVE-2020-28008", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28008", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28008", }, { cve: "CVE-2020-28009", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28009", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be impractical because of the execution time needed to overflow (multiple days).", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28009", url: "https://www.suse.com/security/cve/CVE-2020-28009", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28009", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28009", }, { cve: "CVE-2020-28010", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28010", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer that is too small (on some common platforms).", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28010", url: "https://www.suse.com/security/cve/CVE-2020-28010", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28010", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28010", }, { cve: "CVE-2020-28011", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28011", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S. This may cause privilege escalation from exim to root.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28011", url: "https://www.suse.com/security/cve/CVE-2020-28011", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28011", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28011", }, { cve: "CVE-2020-28012", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28012", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28012", url: "https://www.suse.com/security/cve/CVE-2020-28012", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28012", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28012", }, { cve: "CVE-2020-28013", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28013", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles \"-F '.('\" on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the interpretation of negative sizes in strncpy.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28013", url: "https://www.suse.com/security/cve/CVE-2020-28013", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28013", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28013", }, { cve: "CVE-2020-28014", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28014", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28014", url: "https://www.suse.com/security/cve/CVE-2020-28014", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28014", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28014", }, { cve: "CVE-2020-28015", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28015", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users can alter the behavior of root processes because a recipient address can have a newline character.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28015", url: "https://www.suse.com/security/cve/CVE-2020-28015", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28015", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28015", }, { cve: "CVE-2020-28016", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28016", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because \"-F ''\" is mishandled by parse_fix_phrase.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28016", url: "https://www.suse.com/security/cve/CVE-2020-28016", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28016", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28016", }, { cve: "CVE-2020-28017", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28017", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28017", url: "https://www.suse.com/security/cve/CVE-2020-28017", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28017", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28017", }, { cve: "CVE-2020-28018", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28018", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28018", url: "https://www.suse.com/security/cve/CVE-2020-28018", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28018", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28018", }, { cve: "CVE-2020-28019", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28019", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a client uses BDAT instead of DATA.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28019", url: "https://www.suse.com/security/cve/CVE-2020-28019", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28019", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28019", }, { cve: "CVE-2020-28020", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28020", }, ], notes: [ { category: "general", text: "Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unauthenticated remote attacker can execute arbitrary code by leveraging the mishandling of continuation lines during header-length restriction.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28020", url: "https://www.suse.com/security/cve/CVE-2020-28020", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28020", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28020", }, { cve: "CVE-2020-28021", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28021", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code execution as root) via AUTH= in a MAIL FROM command.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28021", url: "https://www.suse.com/security/cve/CVE-2020-28021", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28021", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28021", }, { cve: "CVE-2020-28022", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28022", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer. This occurs when processing name=value pairs within MAIL FROM and RCPT TO commands.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28022", url: "https://www.suse.com/security/cve/CVE-2020-28022", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28022", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28022", }, { cve: "CVE-2020-28023", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28023", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Out-of-bounds Read. smtp_setup_msg may disclose sensitive information from process memory to an unauthenticated SMTP client.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28023", url: "https://www.suse.com/security/cve/CVE-2020-28023", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28023", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28023", }, { cve: "CVE-2020-28024", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28024", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Buffer Underwrite that may result in unauthenticated remote attackers executing arbitrary commands, because smtp_ungetc was only intended to push back characters, but can actually push back non-character error codes such as EOF.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28024", url: "https://www.suse.com/security/cve/CVE-2020-28024", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28024", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28024", }, { cve: "CVE-2020-28025", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28025", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to a leak of sensitive information from process memory.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28025", url: "https://www.suse.com/security/cve/CVE-2020-28025", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28025", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28025", }, { cve: "CVE-2020-28026", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28026", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary commands as root.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28026", url: "https://www.suse.com/security/cve/CVE-2020-28026", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28026", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2020-28026", }, { cve: "CVE-2020-8015", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-8015", }, ], notes: [ { category: "general", text: "A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to 4.93.0.4-3.1.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-8015", url: "https://www.suse.com/security/cve/CVE-2020-8015", }, { category: "external", summary: "SUSE Bug 1154062 for CVE-2020-8015", url: "https://bugzilla.suse.com/1154062", }, { category: "external", summary: "SUSE Bug 1154183 for CVE-2020-8015", url: "https://bugzilla.suse.com/1154183", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:exim-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:exim-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:exim-4.94.2-4.2.s390x", "openSUSE Tumbleweed:exim-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximon-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximon-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximon-4.94.2-4.2.x86_64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.aarch64", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.ppc64le", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.s390x", "openSUSE Tumbleweed:eximstats-html-4.94.2-4.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-8015", }, ], }
opensuse-su-2021:0754-1
Vulnerability from csaf_opensuse
Published
2021-05-20 08:51
Modified
2021-05-20 08:51
Summary
Security update for exim
Notes
Title of the patch
Security update for exim
Description of the patch
This update for exim fixes the following issues:
Exim was updated to exim-4.94.2
security update (boo#1185631)
* CVE-2020-28007: Link attack in Exim's log directory
* CVE-2020-28008: Assorted attacks in Exim's spool directory
* CVE-2020-28014: Arbitrary PID file creation
* CVE-2020-28011: Heap buffer overflow in queue_run()
* CVE-2020-28010: Heap out-of-bounds write in main()
* CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
* CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
* CVE-2020-28015: New-line injection into spool header file (local)
* CVE-2020-28012: Missing close-on-exec flag for privileged pipe
* CVE-2020-28009: Integer overflow in get_stdinput()
* CVE-2020-28017: Integer overflow in receive_add_recipient()
* CVE-2020-28020: Integer overflow in receive_msg()
* CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
* CVE-2020-28021: New-line injection into spool header file (remote)
* CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
* CVE-2020-28026: Line truncation and injection in spool_read_header()
* CVE-2020-28019: Failure to reset function pointer after BDAT error
* CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
* CVE-2020-28018: Use-after-free in tls-openssl.c
* CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
update to exim-4.94.1
* Fix security issue in BDAT state confusion.
Ensure we reset known-good where we know we need to not be reading BDAT
data, as a general case fix, and move the places where we switch to BDAT
mode until after various protocol state checks.
Fixes CVE-2020-BDATA reported by Qualys.
* Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)
* Fix security issue with too many recipients on a message (to remove a
known security problem if someone does set recipients_max to unlimited,
or if local additions add to the recipient list).
Fixes CVE-2020-RCPTL reported by Qualys.
* Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()
* Fix security issue CVE-2020-PFPSN and guard against cmdline invoker
providing a particularly obnoxious sender full name.
* Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX
better.
- bring back missing exim_db.8 manual page (fixes boo#1173693)
- bring in changes from current +fixes (lots of taint check fixes)
* Bug 1329: Fix format of Maildir-format filenames to match other mail-
related applications. Previously an 'H' was used where available info
says that 'M' should be, so change to match.
* Bug 2587: Fix pam expansion condition. Tainted values are commonly used
as arguments, so an implementation trying to copy these into a local
buffer was taking a taint-enforcement trap. Fix by using dynamically
created buffers.
* Bug 2586: Fix listcount expansion operator. Using tainted arguments is
reasonable, eg. to count headers. Fix by using dynamically created
buffers rather than a local. Do similar fixes for ACL actions 'dcc',
'log_reject_target', 'malware' and 'spam'; the arguments are expanded
so could be handling tainted values.
* Bug 2590: Fix -bi (newaliases). A previous code rearrangement had
broken the (no-op) support for this sendmail command. Restore it
to doing nothing, silently, and returning good status.
- update to exim 4.94
* some transports now refuse to use tainted data in constructing their delivery
location
this WILL BREAK configurations which are not updated accordingly.
In particular: any Transport use of $local_user which has been relying upon
check_local_user far away in the Router to make it safe, should be updated to
replace $local_user with $local_part_data.
* Attempting to remove, in router or transport, a header name that ends with
an asterisk (which is a standards-legal name) will now result in all headers
named starting with the string before the asterisk being removed.
- switch pretrans to use lua
(fixes boo#1171877)
- bring changes from current in +fixes branch
(patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)
* fixes CVE-2020-12783 (boo#1171490)
* Regard command-line recipients as tainted.
* Bug 2489: Fix crash in the 'pam' expansion condition.
* Use tainted buffers for the transport smtp context.
* Bug 2493: Harden ARC verify against Outlook, which has been seen to mix
the ordering of its ARC headers. This caused a crash.
* Bug 2492: Use tainted memory for retry record when needed. Previously when
a new record was being constructed with information from the peer, a trap
was taken.
* Bug 2494: Unset the default for dmarc_tld_file.
* Fix an uninitialised flag in early-pipelining. Previously connections
could, depending on the platform, hang at the STARTTLS response.
* Bug 2498: Reset a counter used for ARC verify before handling another
message on a connection. Previously if one message had ARC headers and
the following one did not, a crash could result when adding an
Authentication-Results: header.
* Bug 2500: Rewind some of the common-coding in string handling between the
Exim main code and Exim-related utities.
* Fix the variables set by the gsasl authenticator.
* Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,
only retrieve the errormessage once.
* Bug 2501: Fix init call in the heimdal authenticator. Previously it
adjusted the size of a major service buffer; this failed because the
buffer was in use at the time. Change to a compile-time increase in the
buffer size, when this authenticator is compiled into exim.
- update to exim 4.93.0.4 (+fixes release)
* Avoid costly startup code when not strictly needed. This reduces time
for some exim process initialisations. It does mean that the logging
of TLS configuration problems is only done for the daemon startup.
* Early-pipelining support code is now included unless disabled in Makefile.
* DKIM verification defaults no long accept sha1 hashes, to conform to
RFC 8301. They can still be enabled, using the dkim_verify_hashes main
option.
* Support CHUNKING from an smtp transport using a transport_filter, when
DKIM signing is being done. Previously a transport_filter would always
disable CHUNKING, falling back to traditional DATA.
* Regard command-line receipients as tainted.
* Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.
* Bug 2489: Fix crash in the 'pam' expansion condition. It seems that the
PAM library frees one of the arguments given to it, despite the
documentation. Therefore a plain malloc must be used.
* Bug 2491: Use tainted buffers for the transport smtp context. Previously
on-stack buffers were used, resulting in a taint trap when DSN information
copied from a received message was written into the buffer.
* Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix
the ordering of its ARC headers. This caused a crash.
* Bug 2492: Use tainted memory for retry record when needed. Previously when
a new record was being constructed with information from the peer, a trap
was taken.
* Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive
installation would get error messages from DMARC verify, when it hit the
nonexistent file indicated by the default. Distros wanting DMARC enabled
should both provide the file and set the option.
Also enforce no DMARC verification for command-line sourced messages.
* Fix an uninitialised flag in early-pipelining. Previously connections
could, depending on the platform, hang at the STARTTLS response.
* Bug 2498: Reset a counter used for ARC verify before handling another
message on a connection. Previously if one message had ARC headers and
the following one did not, a crash could result when adding an
Authentication-Results: header.
* Bug 2500: Rewind some of the common-coding in string handling between the
Exim main code and Exim-related utities. The introduction of taint
tracking also did many adjustments to string handling. Since then, eximon
frequently terminated with an assert failure.
* When PIPELINING, synch after every hundred or so RCPT commands sent and
check for 452 responses. This slightly helps the inefficieny of doing
a large alias-expansion into a recipient-limited target. The max_rcpt
transport option still applies (and at the current default, will override
the new feature). The check is done for either cause of synch, and forces
a fast-retry of all 452'd recipients using a new MAIL FROM on the same
connection. The new facility is not tunable at this time.
* Fix the variables set by the gsasl authenticator. Previously a pointer to
library live data was being used, so the results became garbage. Make
copies while it is still usable.
* Logging: when the deliver_time selector ise set, include the DT= field
on delivery deferred (==) and failed (**) lines (if a delivery was
attemtped). Previously it was only on completion (=>) lines.
* Authentication: the gsasl driver not provides the $authN variables in time
for the expansion of the server_scram_iter and server_scram_salt options.
spec file cleanup to make update work
- add docdir to spec
- update to exim 4.93
* SUPPORT_DMARC replaces EXPERIMENTAL_DMARC
* DISABLE_TLS replaces SUPPORT_TLS
* Bump the version for the local_scan API.
* smtp transport option hosts_try_fastopen defaults to '*'.
* DNSSec is requested (not required) for all queries. (This seemes to
ask for trouble if your resolver is a systemd-resolved.)
* Generic router option retry_use_local_part defaults to 'true' under specific
pre-conditions.
* Introduce a tainting mechanism for values read from untrusted sources.
* Use longer file names for temporary spool files (this avoids
name conflicts with spool on a shared file system).
* Use dsn_from main config option (was ignored previously).
- update to exim 4.92.3
* CVE-2019-16928: fix against Heap-based buffer overflow in string_vformat,
remote code execution seems to be possible
- update to exim 4.92.2
* CVE-2019-15846: fix against remote attackers executing arbitrary code as
root via a trailing backslash
- update to exim 4.92.1
* CVE-2019-13917: Fixed an issue with ${sort} expansion which could
allow remote attackers to execute other programs with root privileges
(boo#1142207)
- spec file cleanup
* fix DANE inclusion guard condition
* re-enable i18n and remove misleading comment
* EXPERIMENTAL_SPF is now SUPPORT_SPF
* DANE is now SUPPORT_DANE
- update to exim 4.92
* ${l_header:<name>} expansion
* ${readsocket} now supports TLS
* 'utf8_downconvert' option (if built with SUPPORT_I18N)
* 'pipelining' log_selector
* JSON variants for ${extract } expansion
* 'noutf8' debug option
* TCP Fast Open support on MacOS
* CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)
- add workaround patch for compile time error on missing printf
format annotation (gnu_printf.patch)
- update to 4.91
* DEFER rather than ERROR on redis cluster MOVED response.
* Catch and remove uninitialized value warning in exiqsumm
* Disallow '/' characters in queue names specified for the 'queue=' ACL
modifier. This matches the restriction on the commandline.
* Fix pgsql lookup for multiple result-tuples with a single column.
Previously only the last row was returned.
* Bug 2217: Tighten up the parsing of DKIM signature headers.
* Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.
* Fix issue with continued-connections when the DNS shifts unreliably.
* Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.
* The 'support for' informational output now, which built with Content
Scanning support, has a line for the malware scanner interfaces compiled
in. Interface can be individually included or not at build time.
* The 'aveserver', 'kavdaemon' and 'mksd' interfaces are now not included
by the template makefile 'src/EDITME'. The 'STREAM' support for an older
ClamAV interface method is removed.
* Bug 2223: Fix mysql lookup returns for the no-data case (when the number of
rows affected is given instead).
* The runtime Berkeley DB library version is now additionally output by
'exim -d -bV'. Previously only the compile-time version was shown.
* Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating
SMTP connection.
* Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by
routers.
* Bug 2174: A timeout on connect for a callout was also erroneously seen as
a timeout on read on a GnuTLS initiating connection, resulting in the
initiating connection being dropped.
* Relax results from ACL control request to enable cutthrough, in
unsupported situations, from error to silently (except under debug)
ignoring.
* Fix Buffer overflow in base64d() (CVE-2018-6789)
* Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
metadata, resulting in a crash in free().
* Fix broken Heimdal GSSAPI authenticator integration.
* Bug 2113: Fix conversation closedown with the Avast malware scanner.
* Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail ACL.
* Speed up macro lookups during configuration file read, by skipping non-
macro text after a replacement (previously it was only once per line) and
by skipping builtin macros when searching for an uppercase lead character.
* DANE support moved from Experimental to mainline. The Makefile control
for the build is renamed.
* Fix memory leak during multi-message connections using STARTTLS.
* Bug 2236: When a DKIM verification result is overridden by ACL, DMARC
reported the original. Fix to report (as far as possible) the ACL
result replacing the original.
* Fix memory leak during multi-message connections using STARTTLS under
OpenSSL
* Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.
* Fix utf8_downconvert propagation through a redirect router.
* Bug 2253: For logging delivery lines under PRDR, append the overall
DATA response info to the (existing) per-recipient response info for
the 'C=' log element.
* Bug 2251: Fix ldap lookups that return a single attribute having zero-
length value.
* Support Avast multiline protocol, this allows passing flags to
newer versions of the scanner.
* Ensure that variables possibly set during message acceptance are marked
dead before release of memory in the daemon loop.
* Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such
as a multi-recipient message from a mailinglist manager).
* The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being
replaced by the ${authresults } expansion.
* Bug 2257: Fix pipe transport to not use a socket-only syscall.
* Set a handler for SIGTERM and call exit(3) if running as PID 1. This
allows proper process termination in container environments.
* Bug 2258: Fix spool_wireformat in combination with LMTP transport.
Previously the 'final dot' had a newline after it; ensure it is CR,LF.
* SPF: remove support for the 'spf' ACL condition outcome values 'err_temp'
and 'err_perm', deprecated since 4.83 when the RFC-defined words
' temperror' and 'permerror' were introduced.
* Re-introduce enforcement of no cutthrough delivery on transports having
transport-filters or DKIM-signing.
* Cutthrough: for a final-dot response timeout (and nonunderstood responses)
in defer=pass mode supply a 450 to the initiator. Previously the message
would be spooled.
* DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,
tls_require_ciphers is used as before.
* Malware Avast: Better match the Avast multiline protocol.
* Fix reinitialisation of DKIM logging variable between messages.
* Bug 2255: Revert the disable of the OpenSSL session caching.
* Add util/renew-opendmarc-tlds.sh script for safe renewal of public
suffix list.
* DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,
since the IETF WG has not yet settled on that versus the original
'bare' representation.
* Fix syslog logging for syslog_timestamp=no and log_selector +millisec.
Previously the millisecond value corrupted the output.
Fix also for syslog_pid=no and log_selector +pid, for which the pid
corrupted the output.
- Replace xorg-x11-devel by individual pkgconfig() buildrequires.
- update to 4.90.1
* Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly
during configuration. Wildcards are allowed and expanded.
* Shorten the log line for daemon startup by collapsing adjacent sets of
identical IP addresses on different listening ports. Will also affect
'exiwhat' output.
* Tighten up the checking in isip4 (et al): dotted-quad components larger
than 255 are no longer allowed.
* Default openssl_options to include +no_ticket, to reduce load on peers.
Disable the session-cache too, which might reduce our load. Since we
currrectly use a new context for every connection, both as server and
client, there is no benefit for these.
* Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at
<https://reproducible-builds.org/specs/source-date-epoch/>.
* Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously
the check for any unsuccessful recipients did not notice the limit, and
erroneously found still-pending ones.
* Pipeline CHUNKING command and data together, on kernels that support
MSG_MORE. Only in-clear (not on TLS connections).
* Avoid using a temporary file during transport using dkim. Unless a
transport-filter is involved we can buffer the headers in memory for
creating the signature, and read the spool data file once for the
signature and again for transmission.
* Enable use of sendfile in Linux builds as default. It was disabled in
4.77 as the kernel support then wasn't solid, having issues in 64bit
mode. Now, it's been long enough. Add support for FreeBSD also.
* Add commandline_checks_require_admin option.
* Do pipelining under TLS.
* For the 'sock' variant of the malware scanner interface, accept an empty
cmdline element to get the documented default one. Previously it was
inaccessible.
* Prevent repeated use of -p/-oMr
* DKIM: enforce the DNS pubkey record 'h' permitted-hashes optional field,
if present.
* DKIM: when a message has multiple signatures matching an identity given
in dkim_verify_signers, run the dkim acl once for each.
* Support IDNA2008.
* The path option on a pipe transport is now expanded before use
* Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.
- Several bug fixes
- Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)
This update was imported from the openSUSE:Leap:15.2:Update update project.
Patchnames
openSUSE-2021-754
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "critical", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for exim", title: "Title of the patch", }, { category: "description", text: "This update for exim fixes the following issues:\n\n\nExim was updated to exim-4.94.2\n\nsecurity update (boo#1185631)\n\n * CVE-2020-28007: Link attack in Exim's log directory\n * CVE-2020-28008: Assorted attacks in Exim's spool directory\n * CVE-2020-28014: Arbitrary PID file creation\n * CVE-2020-28011: Heap buffer overflow in queue_run()\n * CVE-2020-28010: Heap out-of-bounds write in main()\n * CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n * CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n * CVE-2020-28015: New-line injection into spool header file (local)\n * CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n * CVE-2020-28009: Integer overflow in get_stdinput()\n * CVE-2020-28017: Integer overflow in receive_add_recipient()\n * CVE-2020-28020: Integer overflow in receive_msg()\n * CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n * CVE-2020-28021: New-line injection into spool header file (remote)\n * CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n * CVE-2020-28026: Line truncation and injection in spool_read_header()\n * CVE-2020-28019: Failure to reset function pointer after BDAT error\n * CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n * CVE-2020-28018: Use-after-free in tls-openssl.c\n * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\nupdate to exim-4.94.1\n\n * Fix security issue in BDAT state confusion.\n Ensure we reset known-good where we know we need to not be reading BDAT\n data, as a general case fix, and move the places where we switch to BDAT\n mode until after various protocol state checks.\n Fixes CVE-2020-BDATA reported by Qualys.\n * Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)\n * Fix security issue with too many recipients on a message (to remove a\n known security problem if someone does set recipients_max to unlimited,\n or if local additions add to the recipient list).\n Fixes CVE-2020-RCPTL reported by Qualys.\n * Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()\n * Fix security issue CVE-2020-PFPSN and guard against cmdline invoker\n providing a particularly obnoxious sender full name.\n * Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX\n better.\n\n- bring back missing exim_db.8 manual page (fixes boo#1173693)\n\n- bring in changes from current +fixes (lots of taint check fixes)\n * Bug 1329: Fix format of Maildir-format filenames to match other mail-\n related applications. Previously an 'H' was used where available info\n says that 'M' should be, so change to match.\n * Bug 2587: Fix pam expansion condition. Tainted values are commonly used\n as arguments, so an implementation trying to copy these into a local\n buffer was taking a taint-enforcement trap. Fix by using dynamically\n created buffers.\n * Bug 2586: Fix listcount expansion operator. Using tainted arguments is\n reasonable, eg. to count headers. Fix by using dynamically created\n buffers rather than a local. Do similar fixes for ACL actions 'dcc',\n 'log_reject_target', 'malware' and 'spam'; the arguments are expanded\n so could be handling tainted values.\n * Bug 2590: Fix -bi (newaliases). A previous code rearrangement had\n broken the (no-op) support for this sendmail command. Restore it\n to doing nothing, silently, and returning good status.\n\n- update to exim 4.94\n * some transports now refuse to use tainted data in constructing their delivery\n location\n this WILL BREAK configurations which are not updated accordingly.\n In particular: any Transport use of $local_user which has been relying upon\n check_local_user far away in the Router to make it safe, should be updated to\n replace $local_user with $local_part_data.\n * Attempting to remove, in router or transport, a header name that ends with\n an asterisk (which is a standards-legal name) will now result in all headers\n named starting with the string before the asterisk being removed.\n\n- switch pretrans to use lua\n (fixes boo#1171877)\n \n\n- bring changes from current in +fixes branch\n (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)\n * fixes CVE-2020-12783 (boo#1171490)\n * Regard command-line recipients as tainted.\n * Bug 2489: Fix crash in the 'pam' expansion condition.\n * Use tainted buffers for the transport smtp context.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to mix\n the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously when\n a new record was being constructed with information from the peer, a trap\n was taken.\n * Bug 2494: Unset the default for dmarc_tld_file.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers and\n the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between the\n Exim main code and Exim-related utities.\n * Fix the variables set by the gsasl authenticator.\n * Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,\n only retrieve the errormessage once.\n * Bug 2501: Fix init call in the heimdal authenticator. Previously it\n adjusted the size of a major service buffer; this failed because the\n buffer was in use at the time. Change to a compile-time increase in the\n buffer size, when this authenticator is compiled into exim.\n\n- update to exim 4.93.0.4 (+fixes release)\n * Avoid costly startup code when not strictly needed. This reduces time\n for some exim process initialisations. It does mean that the logging\n of TLS configuration problems is only done for the daemon startup.\n * Early-pipelining support code is now included unless disabled in Makefile.\n * DKIM verification defaults no long accept sha1 hashes, to conform to\n RFC 8301. They can still be enabled, using the dkim_verify_hashes main\n option.\n * Support CHUNKING from an smtp transport using a transport_filter, when\n DKIM signing is being done. Previously a transport_filter would always\n disable CHUNKING, falling back to traditional DATA.\n * Regard command-line receipients as tainted.\n * Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.\n * Bug 2489: Fix crash in the 'pam' expansion condition. It seems that the\n PAM library frees one of the arguments given to it, despite the\n documentation. Therefore a plain malloc must be used.\n * Bug 2491: Use tainted buffers for the transport smtp context. Previously\n on-stack buffers were used, resulting in a taint trap when DSN information\n copied from a received message was written into the buffer.\n * Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix\n the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously when\n a new record was being constructed with information from the peer, a trap\n was taken.\n * Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive\n installation would get error messages from DMARC verify, when it hit the\n nonexistent file indicated by the default. Distros wanting DMARC enabled\n should both provide the file and set the option.\n Also enforce no DMARC verification for command-line sourced messages.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers and\n the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between the\n Exim main code and Exim-related utities. The introduction of taint\n tracking also did many adjustments to string handling. Since then, eximon\n frequently terminated with an assert failure.\n * When PIPELINING, synch after every hundred or so RCPT commands sent and\n check for 452 responses. This slightly helps the inefficieny of doing\n a large alias-expansion into a recipient-limited target. The max_rcpt\n transport option still applies (and at the current default, will override\n the new feature). The check is done for either cause of synch, and forces\n a fast-retry of all 452'd recipients using a new MAIL FROM on the same\n connection. The new facility is not tunable at this time.\n * Fix the variables set by the gsasl authenticator. Previously a pointer to\n library live data was being used, so the results became garbage. Make\n copies while it is still usable.\n * Logging: when the deliver_time selector ise set, include the DT= field\n on delivery deferred (==) and failed (**) lines (if a delivery was\n attemtped). Previously it was only on completion (=>) lines.\n * Authentication: the gsasl driver not provides the $authN variables in time\n for the expansion of the server_scram_iter and server_scram_salt options.\n\nspec file cleanup to make update work\n- add docdir to spec\n\n- update to exim 4.93\n * SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n * DISABLE_TLS replaces SUPPORT_TLS\n * Bump the version for the local_scan API.\n * smtp transport option hosts_try_fastopen defaults to '*'.\n * DNSSec is requested (not required) for all queries. (This seemes to\n ask for trouble if your resolver is a systemd-resolved.)\n * Generic router option retry_use_local_part defaults to 'true' under specific\n pre-conditions.\n * Introduce a tainting mechanism for values read from untrusted sources.\n * Use longer file names for temporary spool files (this avoids\n name conflicts with spool on a shared file system).\n * Use dsn_from main config option (was ignored previously).\n\n- update to exim 4.92.3\n * CVE-2019-16928: fix against Heap-based buffer overflow in string_vformat,\n remote code execution seems to be possible\n\n- update to exim 4.92.2\n * CVE-2019-15846: fix against remote attackers executing arbitrary code as\n root via a trailing backslash\n\n- update to exim 4.92.1\n * CVE-2019-13917: Fixed an issue with ${sort} expansion which could \n allow remote attackers to execute other programs with root privileges \n (boo#1142207)\n\n- spec file cleanup\n * fix DANE inclusion guard condition\n * re-enable i18n and remove misleading comment\n * EXPERIMENTAL_SPF is now SUPPORT_SPF\n * DANE is now SUPPORT_DANE\n\n- update to exim 4.92\n * ${l_header:<name>} expansion\n * ${readsocket} now supports TLS\n * 'utf8_downconvert' option (if built with SUPPORT_I18N)\n * 'pipelining' log_selector\n * JSON variants for ${extract } expansion\n * 'noutf8' debug option\n * TCP Fast Open support on MacOS\n * CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)\n- add workaround patch for compile time error on missing printf\n format annotation (gnu_printf.patch)\n\n- update to 4.91\n * DEFER rather than ERROR on redis cluster MOVED response.\n * Catch and remove uninitialized value warning in exiqsumm\n * Disallow '/' characters in queue names specified for the 'queue=' ACL\n modifier. This matches the restriction on the commandline.\n * Fix pgsql lookup for multiple result-tuples with a single column.\n Previously only the last row was returned.\n * Bug 2217: Tighten up the parsing of DKIM signature headers.\n * Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.\n * Fix issue with continued-connections when the DNS shifts unreliably.\n * Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.\n * The 'support for' informational output now, which built with Content\n Scanning support, has a line for the malware scanner interfaces compiled\n in. Interface can be individually included or not at build time.\n * The 'aveserver', 'kavdaemon' and 'mksd' interfaces are now not included\n by the template makefile 'src/EDITME'. The 'STREAM' support for an older\n ClamAV interface method is removed.\n * Bug 2223: Fix mysql lookup returns for the no-data case (when the number of\n rows affected is given instead).\n * The runtime Berkeley DB library version is now additionally output by\n 'exim -d -bV'. Previously only the compile-time version was shown.\n * Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating\n SMTP connection.\n * Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by\n routers.\n * Bug 2174: A timeout on connect for a callout was also erroneously seen as\n a timeout on read on a GnuTLS initiating connection, resulting in the\n initiating connection being dropped.\n * Relax results from ACL control request to enable cutthrough, in\n unsupported situations, from error to silently (except under debug)\n ignoring.\n * Fix Buffer overflow in base64d() (CVE-2018-6789)\n * Fix bug in DKIM verify: a buffer overflow could corrupt the malloc\n metadata, resulting in a crash in free().\n * Fix broken Heimdal GSSAPI authenticator integration.\n * Bug 2113: Fix conversation closedown with the Avast malware scanner.\n * Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail ACL.\n * Speed up macro lookups during configuration file read, by skipping non-\n macro text after a replacement (previously it was only once per line) and\n by skipping builtin macros when searching for an uppercase lead character.\n * DANE support moved from Experimental to mainline. The Makefile control\n for the build is renamed.\n * Fix memory leak during multi-message connections using STARTTLS.\n * Bug 2236: When a DKIM verification result is overridden by ACL, DMARC\n reported the original. Fix to report (as far as possible) the ACL\n result replacing the original.\n * Fix memory leak during multi-message connections using STARTTLS under\n OpenSSL\n * Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.\n * Fix utf8_downconvert propagation through a redirect router.\n * Bug 2253: For logging delivery lines under PRDR, append the overall\n DATA response info to the (existing) per-recipient response info for\n the 'C=' log element.\n * Bug 2251: Fix ldap lookups that return a single attribute having zero-\n length value.\n * Support Avast multiline protocol, this allows passing flags to\n newer versions of the scanner.\n * Ensure that variables possibly set during message acceptance are marked\n dead before release of memory in the daemon loop.\n * Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such\n as a multi-recipient message from a mailinglist manager).\n * The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being\n replaced by the ${authresults } expansion.\n * Bug 2257: Fix pipe transport to not use a socket-only syscall.\n * Set a handler for SIGTERM and call exit(3) if running as PID 1. This\n allows proper process termination in container environments.\n * Bug 2258: Fix spool_wireformat in combination with LMTP transport.\n Previously the 'final dot' had a newline after it; ensure it is CR,LF.\n * SPF: remove support for the 'spf' ACL condition outcome values 'err_temp'\n and 'err_perm', deprecated since 4.83 when the RFC-defined words\n ' temperror' and 'permerror' were introduced.\n * Re-introduce enforcement of no cutthrough delivery on transports having\n transport-filters or DKIM-signing.\n * Cutthrough: for a final-dot response timeout (and nonunderstood responses)\n in defer=pass mode supply a 450 to the initiator. Previously the message\n would be spooled.\n * DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,\n tls_require_ciphers is used as before.\n * Malware Avast: Better match the Avast multiline protocol.\n * Fix reinitialisation of DKIM logging variable between messages.\n * Bug 2255: Revert the disable of the OpenSSL session caching.\n * Add util/renew-opendmarc-tlds.sh script for safe renewal of public\n suffix list.\n * DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,\n since the IETF WG has not yet settled on that versus the original\n 'bare' representation.\n * Fix syslog logging for syslog_timestamp=no and log_selector +millisec.\n Previously the millisecond value corrupted the output.\n Fix also for syslog_pid=no and log_selector +pid, for which the pid\n corrupted the output.\n- Replace xorg-x11-devel by individual pkgconfig() buildrequires. \n- update to 4.90.1\n * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly\n during configuration. Wildcards are allowed and expanded.\n * Shorten the log line for daemon startup by collapsing adjacent sets of\n identical IP addresses on different listening ports. Will also affect\n 'exiwhat' output.\n * Tighten up the checking in isip4 (et al): dotted-quad components larger\n than 255 are no longer allowed.\n * Default openssl_options to include +no_ticket, to reduce load on peers.\n Disable the session-cache too, which might reduce our load. Since we\n currrectly use a new context for every connection, both as server and\n client, there is no benefit for these.\n * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at\n <https://reproducible-builds.org/specs/source-date-epoch/>.\n * Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously\n the check for any unsuccessful recipients did not notice the limit, and\n erroneously found still-pending ones.\n * Pipeline CHUNKING command and data together, on kernels that support\n MSG_MORE. Only in-clear (not on TLS connections).\n * Avoid using a temporary file during transport using dkim. Unless a\n transport-filter is involved we can buffer the headers in memory for\n creating the signature, and read the spool data file once for the\n signature and again for transmission.\n * Enable use of sendfile in Linux builds as default. It was disabled in\n 4.77 as the kernel support then wasn't solid, having issues in 64bit\n mode. Now, it's been long enough. Add support for FreeBSD also.\n * Add commandline_checks_require_admin option.\n * Do pipelining under TLS.\n * For the 'sock' variant of the malware scanner interface, accept an empty\n cmdline element to get the documented default one. Previously it was\n inaccessible.\n * Prevent repeated use of -p/-oMr\n * DKIM: enforce the DNS pubkey record 'h' permitted-hashes optional field,\n if present.\n * DKIM: when a message has multiple signatures matching an identity given\n in dkim_verify_signers, run the dkim acl once for each.\n * Support IDNA2008.\n * The path option on a pipe transport is now expanded before use\n * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.\n- Several bug fixes\n- Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)\n \nThis update was imported from the openSUSE:Leap:15.2:Update update project.", title: "Description of the patch", }, { category: "details", text: "openSUSE-2021-754", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0754-1.json", }, { category: "self", summary: "URL for openSUSE-SU-2021:0754-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3FZPX7R5ELKQM2EW7W2JYZ7EFIIDTT4E/", }, { category: "self", summary: "E-Mail link for openSUSE-SU-2021:0754-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3FZPX7R5ELKQM2EW7W2JYZ7EFIIDTT4E/", }, { category: "self", summary: "SUSE Bug 1079832", url: "https://bugzilla.suse.com/1079832", }, { category: "self", summary: "SUSE Bug 1171490", url: "https://bugzilla.suse.com/1171490", }, { category: "self", summary: "SUSE Bug 1171877", url: "https://bugzilla.suse.com/1171877", }, { category: "self", summary: "SUSE Bug 1173693", url: "https://bugzilla.suse.com/1173693", }, { category: "self", summary: "SUSE Bug 1185631", url: "https://bugzilla.suse.com/1185631", }, { category: "self", summary: "SUSE CVE CVE-2017-1000369 page", url: "https://www.suse.com/security/cve/CVE-2017-1000369/", }, { category: "self", summary: "SUSE CVE CVE-2017-16943 page", url: "https://www.suse.com/security/cve/CVE-2017-16943/", }, { category: "self", summary: "SUSE CVE CVE-2017-16944 page", url: "https://www.suse.com/security/cve/CVE-2017-16944/", }, { category: "self", summary: "SUSE CVE CVE-2018-6789 page", url: "https://www.suse.com/security/cve/CVE-2018-6789/", }, { category: "self", summary: "SUSE CVE CVE-2019-16928 page", url: "https://www.suse.com/security/cve/CVE-2019-16928/", }, { category: "self", summary: "SUSE CVE CVE-2020-12783 page", url: "https://www.suse.com/security/cve/CVE-2020-12783/", }, { category: "self", summary: "SUSE CVE CVE-2020-28007 page", url: "https://www.suse.com/security/cve/CVE-2020-28007/", }, { category: "self", summary: "SUSE CVE CVE-2020-28008 page", url: "https://www.suse.com/security/cve/CVE-2020-28008/", }, { category: "self", summary: "SUSE CVE CVE-2020-28009 page", url: "https://www.suse.com/security/cve/CVE-2020-28009/", }, { category: "self", summary: "SUSE CVE CVE-2020-28010 page", url: "https://www.suse.com/security/cve/CVE-2020-28010/", }, { category: "self", summary: "SUSE CVE CVE-2020-28011 page", url: "https://www.suse.com/security/cve/CVE-2020-28011/", }, { category: "self", summary: "SUSE CVE CVE-2020-28012 page", url: "https://www.suse.com/security/cve/CVE-2020-28012/", }, { category: "self", summary: "SUSE CVE CVE-2020-28013 page", url: "https://www.suse.com/security/cve/CVE-2020-28013/", }, { category: "self", summary: "SUSE CVE CVE-2020-28014 page", url: "https://www.suse.com/security/cve/CVE-2020-28014/", }, { category: "self", summary: "SUSE CVE CVE-2020-28015 page", url: "https://www.suse.com/security/cve/CVE-2020-28015/", }, { category: "self", summary: "SUSE CVE CVE-2020-28016 page", url: "https://www.suse.com/security/cve/CVE-2020-28016/", }, { category: "self", summary: "SUSE CVE CVE-2020-28017 page", url: "https://www.suse.com/security/cve/CVE-2020-28017/", }, { category: "self", summary: "SUSE CVE CVE-2020-28018 page", url: "https://www.suse.com/security/cve/CVE-2020-28018/", }, { category: "self", summary: "SUSE CVE CVE-2020-28019 page", url: "https://www.suse.com/security/cve/CVE-2020-28019/", }, { category: "self", summary: "SUSE CVE CVE-2020-28020 page", url: "https://www.suse.com/security/cve/CVE-2020-28020/", }, { category: "self", summary: "SUSE CVE CVE-2020-28021 page", url: "https://www.suse.com/security/cve/CVE-2020-28021/", }, { category: "self", summary: "SUSE CVE CVE-2020-28022 page", url: "https://www.suse.com/security/cve/CVE-2020-28022/", }, { category: "self", summary: "SUSE CVE CVE-2020-28023 page", url: "https://www.suse.com/security/cve/CVE-2020-28023/", }, { category: "self", summary: "SUSE CVE CVE-2020-28024 page", url: "https://www.suse.com/security/cve/CVE-2020-28024/", }, { category: "self", summary: "SUSE CVE CVE-2020-28025 page", url: "https://www.suse.com/security/cve/CVE-2020-28025/", }, { category: "self", summary: "SUSE CVE CVE-2020-28026 page", url: "https://www.suse.com/security/cve/CVE-2020-28026/", }, ], title: "Security update for exim", tracking: { current_release_date: "2021-05-20T08:51:56Z", generator: { date: "2021-05-20T08:51:56Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2021:0754-1", initial_release_date: "2021-05-20T08:51:56Z", revision_history: [ { date: "2021-05-20T08:51:56Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "exim-4.94.2-bp152.6.4.1.aarch64", product: { name: "exim-4.94.2-bp152.6.4.1.aarch64", product_id: "exim-4.94.2-bp152.6.4.1.aarch64", }, }, { category: "product_version", name: "eximon-4.94.2-bp152.6.4.1.aarch64", product: { name: "eximon-4.94.2-bp152.6.4.1.aarch64", product_id: "eximon-4.94.2-bp152.6.4.1.aarch64", }, }, { category: "product_version", name: "eximstats-html-4.94.2-bp152.6.4.1.aarch64", product: { name: "eximstats-html-4.94.2-bp152.6.4.1.aarch64", product_id: "eximstats-html-4.94.2-bp152.6.4.1.aarch64", }, }, { category: "product_version", name: "libspf2-2-1.2.10-bp152.5.1.aarch64", product: { name: "libspf2-2-1.2.10-bp152.5.1.aarch64", product_id: "libspf2-2-1.2.10-bp152.5.1.aarch64", }, }, { category: "product_version", name: "libspf2-devel-1.2.10-bp152.5.1.aarch64", product: { name: "libspf2-devel-1.2.10-bp152.5.1.aarch64", product_id: "libspf2-devel-1.2.10-bp152.5.1.aarch64", }, }, { category: "product_version", name: "libspf2-tools-1.2.10-bp152.5.1.aarch64", product: { name: "libspf2-tools-1.2.10-bp152.5.1.aarch64", product_id: "libspf2-tools-1.2.10-bp152.5.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "exim-4.94.2-bp152.6.4.1.ppc64le", product: { name: "exim-4.94.2-bp152.6.4.1.ppc64le", product_id: "exim-4.94.2-bp152.6.4.1.ppc64le", }, }, { category: "product_version", name: "eximon-4.94.2-bp152.6.4.1.ppc64le", product: { name: "eximon-4.94.2-bp152.6.4.1.ppc64le", product_id: "eximon-4.94.2-bp152.6.4.1.ppc64le", }, }, { category: "product_version", name: "eximstats-html-4.94.2-bp152.6.4.1.ppc64le", product: { name: "eximstats-html-4.94.2-bp152.6.4.1.ppc64le", product_id: "eximstats-html-4.94.2-bp152.6.4.1.ppc64le", }, }, { category: "product_version", name: "libspf2-2-1.2.10-bp152.5.1.ppc64le", product: { name: "libspf2-2-1.2.10-bp152.5.1.ppc64le", product_id: "libspf2-2-1.2.10-bp152.5.1.ppc64le", }, }, { category: "product_version", name: "libspf2-devel-1.2.10-bp152.5.1.ppc64le", product: { name: "libspf2-devel-1.2.10-bp152.5.1.ppc64le", product_id: "libspf2-devel-1.2.10-bp152.5.1.ppc64le", }, }, { category: "product_version", name: "libspf2-tools-1.2.10-bp152.5.1.ppc64le", product: { name: "libspf2-tools-1.2.10-bp152.5.1.ppc64le", product_id: "libspf2-tools-1.2.10-bp152.5.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "exim-4.94.2-bp152.6.4.1.s390x", product: { name: "exim-4.94.2-bp152.6.4.1.s390x", product_id: "exim-4.94.2-bp152.6.4.1.s390x", }, }, { category: "product_version", name: "eximon-4.94.2-bp152.6.4.1.s390x", product: { name: "eximon-4.94.2-bp152.6.4.1.s390x", product_id: "eximon-4.94.2-bp152.6.4.1.s390x", }, }, { category: "product_version", name: "eximstats-html-4.94.2-bp152.6.4.1.s390x", product: { name: "eximstats-html-4.94.2-bp152.6.4.1.s390x", product_id: "eximstats-html-4.94.2-bp152.6.4.1.s390x", }, }, { category: "product_version", name: "libspf2-2-1.2.10-bp152.5.1.s390x", product: { name: "libspf2-2-1.2.10-bp152.5.1.s390x", product_id: "libspf2-2-1.2.10-bp152.5.1.s390x", }, }, { category: "product_version", name: "libspf2-devel-1.2.10-bp152.5.1.s390x", product: { name: "libspf2-devel-1.2.10-bp152.5.1.s390x", product_id: "libspf2-devel-1.2.10-bp152.5.1.s390x", }, }, { category: "product_version", name: "libspf2-tools-1.2.10-bp152.5.1.s390x", product: { name: "libspf2-tools-1.2.10-bp152.5.1.s390x", product_id: "libspf2-tools-1.2.10-bp152.5.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "exim-4.94.2-bp152.6.4.1.x86_64", product: { name: "exim-4.94.2-bp152.6.4.1.x86_64", product_id: "exim-4.94.2-bp152.6.4.1.x86_64", }, }, { category: "product_version", name: "eximon-4.94.2-bp152.6.4.1.x86_64", product: { name: "eximon-4.94.2-bp152.6.4.1.x86_64", product_id: "eximon-4.94.2-bp152.6.4.1.x86_64", }, }, { category: "product_version", name: "eximstats-html-4.94.2-bp152.6.4.1.x86_64", product: { name: "eximstats-html-4.94.2-bp152.6.4.1.x86_64", product_id: "eximstats-html-4.94.2-bp152.6.4.1.x86_64", }, }, { category: "product_version", name: "libspf2-2-1.2.10-bp152.5.1.x86_64", product: { name: "libspf2-2-1.2.10-bp152.5.1.x86_64", product_id: "libspf2-2-1.2.10-bp152.5.1.x86_64", }, }, { category: "product_version", name: "libspf2-devel-1.2.10-bp152.5.1.x86_64", product: { name: "libspf2-devel-1.2.10-bp152.5.1.x86_64", product_id: "libspf2-devel-1.2.10-bp152.5.1.x86_64", }, }, { category: "product_version", name: "libspf2-tools-1.2.10-bp152.5.1.x86_64", product: { name: "libspf2-tools-1.2.10-bp152.5.1.x86_64", product_id: "libspf2-tools-1.2.10-bp152.5.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "SUSE Package Hub 15 SP2", product: { name: "SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2", }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "exim-4.94.2-bp152.6.4.1.aarch64 as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", }, product_reference: "exim-4.94.2-bp152.6.4.1.aarch64", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "exim-4.94.2-bp152.6.4.1.ppc64le as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", }, product_reference: "exim-4.94.2-bp152.6.4.1.ppc64le", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "exim-4.94.2-bp152.6.4.1.s390x as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", }, product_reference: "exim-4.94.2-bp152.6.4.1.s390x", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "exim-4.94.2-bp152.6.4.1.x86_64 as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", }, product_reference: "exim-4.94.2-bp152.6.4.1.x86_64", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "eximon-4.94.2-bp152.6.4.1.aarch64 as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", }, product_reference: "eximon-4.94.2-bp152.6.4.1.aarch64", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "eximon-4.94.2-bp152.6.4.1.ppc64le as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", }, product_reference: "eximon-4.94.2-bp152.6.4.1.ppc64le", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "eximon-4.94.2-bp152.6.4.1.s390x as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", }, product_reference: "eximon-4.94.2-bp152.6.4.1.s390x", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "eximon-4.94.2-bp152.6.4.1.x86_64 as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", }, product_reference: "eximon-4.94.2-bp152.6.4.1.x86_64", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "eximstats-html-4.94.2-bp152.6.4.1.aarch64 as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", }, product_reference: "eximstats-html-4.94.2-bp152.6.4.1.aarch64", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "eximstats-html-4.94.2-bp152.6.4.1.ppc64le as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", }, product_reference: "eximstats-html-4.94.2-bp152.6.4.1.ppc64le", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "eximstats-html-4.94.2-bp152.6.4.1.s390x as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", }, product_reference: "eximstats-html-4.94.2-bp152.6.4.1.s390x", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "eximstats-html-4.94.2-bp152.6.4.1.x86_64 as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", }, product_reference: "eximstats-html-4.94.2-bp152.6.4.1.x86_64", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "libspf2-2-1.2.10-bp152.5.1.aarch64 as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", }, product_reference: "libspf2-2-1.2.10-bp152.5.1.aarch64", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "libspf2-2-1.2.10-bp152.5.1.ppc64le as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", }, product_reference: "libspf2-2-1.2.10-bp152.5.1.ppc64le", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "libspf2-2-1.2.10-bp152.5.1.s390x as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", }, product_reference: "libspf2-2-1.2.10-bp152.5.1.s390x", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "libspf2-2-1.2.10-bp152.5.1.x86_64 as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", }, product_reference: "libspf2-2-1.2.10-bp152.5.1.x86_64", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "libspf2-devel-1.2.10-bp152.5.1.aarch64 as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", }, product_reference: "libspf2-devel-1.2.10-bp152.5.1.aarch64", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "libspf2-devel-1.2.10-bp152.5.1.ppc64le as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", }, product_reference: "libspf2-devel-1.2.10-bp152.5.1.ppc64le", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "libspf2-devel-1.2.10-bp152.5.1.s390x as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", }, product_reference: "libspf2-devel-1.2.10-bp152.5.1.s390x", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "libspf2-devel-1.2.10-bp152.5.1.x86_64 as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", }, product_reference: "libspf2-devel-1.2.10-bp152.5.1.x86_64", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "libspf2-tools-1.2.10-bp152.5.1.aarch64 as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", }, product_reference: "libspf2-tools-1.2.10-bp152.5.1.aarch64", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "libspf2-tools-1.2.10-bp152.5.1.ppc64le as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", }, product_reference: "libspf2-tools-1.2.10-bp152.5.1.ppc64le", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "libspf2-tools-1.2.10-bp152.5.1.s390x as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", }, product_reference: "libspf2-tools-1.2.10-bp152.5.1.s390x", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "libspf2-tools-1.2.10-bp152.5.1.x86_64 as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", }, product_reference: "libspf2-tools-1.2.10-bp152.5.1.x86_64", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, ], }, vulnerabilities: [ { cve: "CVE-2017-1000369", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-1000369", }, ], notes: [ { category: "general", text: "Exim supports the use of multiple \"-p\" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-1000369", url: "https://www.suse.com/security/cve/CVE-2017-1000369", }, { category: "external", summary: "SUSE Bug 1037551 for CVE-2017-1000369", url: "https://bugzilla.suse.com/1037551", }, { category: "external", summary: "SUSE Bug 1044692 for CVE-2017-1000369", url: "https://bugzilla.suse.com/1044692", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "low", }, ], title: "CVE-2017-1000369", }, { cve: "CVE-2017-16943", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-16943", }, ], notes: [ { category: "general", text: "The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-16943", url: "https://www.suse.com/security/cve/CVE-2017-16943", }, { category: "external", summary: "SUSE Bug 1069857 for CVE-2017-16943", url: "https://bugzilla.suse.com/1069857", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2017-16943", }, { cve: "CVE-2017-16944", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-16944", }, ], notes: [ { category: "general", text: "The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-16944", url: "https://www.suse.com/security/cve/CVE-2017-16944", }, { category: "external", summary: "SUSE Bug 1069859 for CVE-2017-16944", url: "https://bugzilla.suse.com/1069859", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "important", }, ], title: "CVE-2017-16944", }, { cve: "CVE-2018-6789", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-6789", }, ], notes: [ { category: "general", text: "An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-6789", url: "https://www.suse.com/security/cve/CVE-2018-6789", }, { category: "external", summary: "SUSE Bug 1079832 for CVE-2018-6789", url: "https://bugzilla.suse.com/1079832", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2018-6789", }, { cve: "CVE-2019-16928", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-16928", }, ], notes: [ { category: "general", text: "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-16928", url: "https://www.suse.com/security/cve/CVE-2019-16928", }, { category: "external", summary: "SUSE Bug 1152507 for CVE-2019-16928", url: "https://bugzilla.suse.com/1152507", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2019-16928", }, { cve: "CVE-2020-12783", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-12783", }, ], notes: [ { category: "general", text: "Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-12783", url: "https://www.suse.com/security/cve/CVE-2020-12783", }, { category: "external", summary: "SUSE Bug 1171490 for CVE-2020-12783", url: "https://bugzilla.suse.com/1171490", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "important", }, ], title: "CVE-2020-12783", }, { cve: "CVE-2020-28007", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28007", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28007", url: "https://www.suse.com/security/cve/CVE-2020-28007", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28007", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28007", }, { cve: "CVE-2020-28008", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28008", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to command execution.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28008", url: "https://www.suse.com/security/cve/CVE-2020-28008", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28008", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28008", }, { cve: "CVE-2020-28009", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28009", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be impractical because of the execution time needed to overflow (multiple days).", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28009", url: "https://www.suse.com/security/cve/CVE-2020-28009", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28009", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28009", }, { cve: "CVE-2020-28010", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28010", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer that is too small (on some common platforms).", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28010", url: "https://www.suse.com/security/cve/CVE-2020-28010", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28010", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28010", }, { cve: "CVE-2020-28011", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28011", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S. This may cause privilege escalation from exim to root.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28011", url: "https://www.suse.com/security/cve/CVE-2020-28011", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28011", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28011", }, { cve: "CVE-2020-28012", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28012", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28012", url: "https://www.suse.com/security/cve/CVE-2020-28012", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28012", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28012", }, { cve: "CVE-2020-28013", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28013", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles \"-F '.('\" on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the interpretation of negative sizes in strncpy.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28013", url: "https://www.suse.com/security/cve/CVE-2020-28013", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28013", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28013", }, { cve: "CVE-2020-28014", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28014", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28014", url: "https://www.suse.com/security/cve/CVE-2020-28014", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28014", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28014", }, { cve: "CVE-2020-28015", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28015", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users can alter the behavior of root processes because a recipient address can have a newline character.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28015", url: "https://www.suse.com/security/cve/CVE-2020-28015", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28015", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28015", }, { cve: "CVE-2020-28016", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28016", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because \"-F ''\" is mishandled by parse_fix_phrase.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28016", url: "https://www.suse.com/security/cve/CVE-2020-28016", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28016", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28016", }, { cve: "CVE-2020-28017", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28017", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28017", url: "https://www.suse.com/security/cve/CVE-2020-28017", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28017", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28017", }, { cve: "CVE-2020-28018", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28018", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28018", url: "https://www.suse.com/security/cve/CVE-2020-28018", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28018", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28018", }, { cve: "CVE-2020-28019", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28019", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a client uses BDAT instead of DATA.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28019", url: "https://www.suse.com/security/cve/CVE-2020-28019", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28019", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28019", }, { cve: "CVE-2020-28020", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28020", }, ], notes: [ { category: "general", text: "Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unauthenticated remote attacker can execute arbitrary code by leveraging the mishandling of continuation lines during header-length restriction.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28020", url: "https://www.suse.com/security/cve/CVE-2020-28020", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28020", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28020", }, { cve: "CVE-2020-28021", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28021", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code execution as root) via AUTH= in a MAIL FROM command.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28021", url: "https://www.suse.com/security/cve/CVE-2020-28021", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28021", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28021", }, { cve: "CVE-2020-28022", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28022", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer. This occurs when processing name=value pairs within MAIL FROM and RCPT TO commands.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28022", url: "https://www.suse.com/security/cve/CVE-2020-28022", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28022", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28022", }, { cve: "CVE-2020-28023", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28023", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Out-of-bounds Read. smtp_setup_msg may disclose sensitive information from process memory to an unauthenticated SMTP client.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28023", url: "https://www.suse.com/security/cve/CVE-2020-28023", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28023", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28023", }, { cve: "CVE-2020-28024", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28024", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Buffer Underwrite that may result in unauthenticated remote attackers executing arbitrary commands, because smtp_ungetc was only intended to push back characters, but can actually push back non-character error codes such as EOF.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28024", url: "https://www.suse.com/security/cve/CVE-2020-28024", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28024", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28024", }, { cve: "CVE-2020-28025", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28025", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to a leak of sensitive information from process memory.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28025", url: "https://www.suse.com/security/cve/CVE-2020-28025", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28025", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28025", }, { cve: "CVE-2020-28026", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28026", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary commands as root.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28026", url: "https://www.suse.com/security/cve/CVE-2020-28026", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28026", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:exim-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximon-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.aarch64", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.ppc64le", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.s390x", "SUSE Package Hub 15 SP2:eximstats-html-4.94.2-bp152.6.4.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-2-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-devel-1.2.10-bp152.5.1.x86_64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.aarch64", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.ppc64le", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.s390x", "SUSE Package Hub 15 SP2:libspf2-tools-1.2.10-bp152.5.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:51:56Z", details: "critical", }, ], title: "CVE-2020-28026", }, ], }
opensuse-su-2021:0753-1
Vulnerability from csaf_opensuse
Published
2021-05-20 08:50
Modified
2021-05-20 08:50
Summary
Security update for exim
Notes
Title of the patch
Security update for exim
Description of the patch
This update for exim fixes the following issues:
exim was updated to 4.94.2:
security update (boo#1185631)
* CVE-2020-28007: Link attack in Exim's log directory
* CVE-2020-28008: Assorted attacks in Exim's spool directory
* CVE-2020-28014: Arbitrary PID file creation
* CVE-2020-28011: Heap buffer overflow in queue_run()
* CVE-2020-28010: Heap out-of-bounds write in main()
* CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
* CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
* CVE-2020-28015: New-line injection into spool header file (local)
* CVE-2020-28012: Missing close-on-exec flag for privileged pipe
* CVE-2020-28009: Integer overflow in get_stdinput()
* CVE-2020-28017: Integer overflow in receive_add_recipient()
* CVE-2020-28020: Integer overflow in receive_msg()
* CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
* CVE-2020-28021: New-line injection into spool header file (remote)
* CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
* CVE-2020-28026: Line truncation and injection in spool_read_header()
* CVE-2020-28019: Failure to reset function pointer after BDAT error
* CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
* CVE-2020-28018: Use-after-free in tls-openssl.c
* CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
update to exim-4.94.1
* Fix security issue in BDAT state confusion.
Ensure we reset known-good where we know we need to not be reading BDAT
data, as a general case fix, and move the places where we switch to BDAT
mode until after various protocol state checks.
Fixes CVE-2020-BDATA reported by Qualys.
* Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)
* Fix security issue with too many recipients on a message (to remove a
known security problem if someone does set recipients_max to unlimited,
or if local additions add to the recipient list).
Fixes CVE-2020-RCPTL reported by Qualys.
* Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()
* Fix security issue CVE-2020-PFPSN and guard against cmdline invoker
providing a particularly obnoxious sender full name.
* Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX
better.
- bring back missing exim_db.8 manual page (fixes boo#1173693)
- bring in changes from current +fixes (lots of taint check fixes)
* Bug 1329: Fix format of Maildir-format filenames to match other mail-
related applications. Previously an 'H' was used where available info
says that 'M' should be, so change to match.
* Bug 2587: Fix pam expansion condition. Tainted values are commonly used
as arguments, so an implementation trying to copy these into a local
buffer was taking a taint-enforcement trap. Fix by using dynamically
created buffers.
* Bug 2586: Fix listcount expansion operator. Using tainted arguments is
reasonable, eg. to count headers. Fix by using dynamically created
buffers rather than a local. Do similar fixes for ACL actions 'dcc',
'log_reject_target', 'malware' and 'spam'; the arguments are expanded
so could be handling tainted values.
* Bug 2590: Fix -bi (newaliases). A previous code rearrangement had
broken the (no-op) support for this sendmail command. Restore it
to doing nothing, silently, and returning good status.
update to exim 4.94
* some transports now refuse to use tainted data in constructing their delivery
location
this WILL BREAK configurations which are not updated accordingly.
In particular: any Transport use of $local_user which has been relying upon
check_local_user far away in the Router to make it safe, should be updated to
replace $local_user with $local_part_data.
* Attempting to remove, in router or transport, a header name that ends with
an asterisk (which is a standards-legal name) will now result in all headers
named starting with the string before the asterisk being removed.
- switch pretrans to use lua (fixes boo#1171877)
- bring changes from current in +fixes branch
(patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)
* fixes CVE-2020-12783 (boo#1171490)
* Regard command-line recipients as tainted.
* Bug 2489: Fix crash in the 'pam' expansion condition.
* Use tainted buffers for the transport smtp context.
* Bug 2493: Harden ARC verify against Outlook, which has been seen to mix
the ordering of its ARC headers. This caused a crash.
* Bug 2492: Use tainted memory for retry record when needed. Previously when
a new record was being constructed with information from the peer, a trap
was taken.
* Bug 2494: Unset the default for dmarc_tld_file.
* Fix an uninitialised flag in early-pipelining. Previously connections
could, depending on the platform, hang at the STARTTLS response.
* Bug 2498: Reset a counter used for ARC verify before handling another
message on a connection. Previously if one message had ARC headers and
the following one did not, a crash could result when adding an
Authentication-Results: header.
* Bug 2500: Rewind some of the common-coding in string handling between the
Exim main code and Exim-related utities.
* Fix the variables set by the gsasl authenticator.
* Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,
only retrieve the errormessage once.
* Bug 2501: Fix init call in the heimdal authenticator. Previously it
adjusted the size of a major service buffer; this failed because the
buffer was in use at the time. Change to a compile-time increase in the
buffer size, when this authenticator is compiled into exim.
- don't create logfiles during install
* fixes CVE-2020-8015 (boo#1154183)
- add a spec-file workaround for boo#1160726
- update to exim 4.93.0.4 (+fixes release)
* Avoid costly startup code when not strictly needed. This reduces time
for some exim process initialisations. It does mean that the logging
of TLS configuration problems is only done for the daemon startup.
* Early-pipelining support code is now included unless disabled in Makefile.
* DKIM verification defaults no long accept sha1 hashes, to conform to
RFC 8301. They can still be enabled, using the dkim_verify_hashes main
option.
* Support CHUNKING from an smtp transport using a transport_filter, when
DKIM signing is being done. Previously a transport_filter would always
disable CHUNKING, falling back to traditional DATA.
* Regard command-line receipients as tainted.
* Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.
* Bug 2489: Fix crash in the 'pam' expansion condition. It seems that the
PAM library frees one of the arguments given to it, despite the
documentation. Therefore a plain malloc must be used.
* Bug 2491: Use tainted buffers for the transport smtp context. Previously
on-stack buffers were used, resulting in a taint trap when DSN information
copied from a received message was written into the buffer.
* Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix
the ordering of its ARC headers. This caused a crash.
* Bug 2492: Use tainted memory for retry record when needed. Previously when
a new record was being constructed with information from the peer, a trap
was taken.
* Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive
installation would get error messages from DMARC verify, when it hit the
nonexistent file indicated by the default. Distros wanting DMARC enabled
should both provide the file and set the option.
Also enforce no DMARC verification for command-line sourced messages.
* Fix an uninitialised flag in early-pipelining. Previously connections
could, depending on the platform, hang at the STARTTLS response.
* Bug 2498: Reset a counter used for ARC verify before handling another
message on a connection. Previously if one message had ARC headers and
the following one did not, a crash could result when adding an
Authentication-Results: header.
* Bug 2500: Rewind some of the common-coding in string handling between the
Exim main code and Exim-related utities. The introduction of taint
tracking also did many adjustments to string handling. Since then, eximon
frequently terminated with an assert failure.
* When PIPELINING, synch after every hundred or so RCPT commands sent and
check for 452 responses. This slightly helps the inefficieny of doing
a large alias-expansion into a recipient-limited target. The max_rcpt
transport option still applies (and at the current default, will override
the new feature). The check is done for either cause of synch, and forces
a fast-retry of all 452'd recipients using a new MAIL FROM on the same
connection. The new facility is not tunable at this time.
* Fix the variables set by the gsasl authenticator. Previously a pointer to
library live data was being used, so the results became garbage. Make
copies while it is still usable.
* Logging: when the deliver_time selector ise set, include the DT= field
on delivery deferred (==) and failed (**) lines (if a delivery was
attemtped). Previously it was only on completion (=>) lines.
* Authentication: the gsasl driver not provides the $authN variables in time
for the expansion of the server_scram_iter and server_scram_salt options.
spec file cleanup to make update work
- add docdir to spec
- update to exim 4.93
* SUPPORT_DMARC replaces EXPERIMENTAL_DMARC
* DISABLE_TLS replaces SUPPORT_TLS
* Bump the version for the local_scan API.
* smtp transport option hosts_try_fastopen defaults to '*'.
* DNSSec is requested (not required) for all queries. (This seemes to
ask for trouble if your resolver is a systemd-resolved.)
* Generic router option retry_use_local_part defaults to 'true' under specific
pre-conditions.
* Introduce a tainting mechanism for values read from untrusted sources.
* Use longer file names for temporary spool files (this avoids
name conflicts with spool on a shared file system).
* Use dsn_from main config option (was ignored previously).
- update to exim 4.92.3
* CVE-2019-16928: fix against Heap-based buffer overflow in string_vformat,
remote code execution seems to be possible
- update to exim 4.92.2
* CVE-2019-15846: fix against remote attackers executing arbitrary code as
root via a trailing backslash
- update to exim 4.92.1
* CVE-2019-13917: Fixed an issue with ${sort} expansion which could
allow remote attackers to execute other programs with root privileges
(boo#1142207)
- spec file cleanup
* fix DANE inclusion guard condition
* re-enable i18n and remove misleading comment
* EXPERIMENTAL_SPF is now SUPPORT_SPF
* DANE is now SUPPORT_DANE
- update to exim 4.92
* ${l_header:<name>} expansion
* ${readsocket} now supports TLS
* 'utf8_downconvert' option (if built with SUPPORT_I18N)
* 'pipelining' log_selector
* JSON variants for ${extract } expansion
* 'noutf8' debug option
* TCP Fast Open support on MacOS
* CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)
- add workaround patch for compile time error on missing printf
format annotation (gnu_printf.patch)
- update to 4.91
* DEFER rather than ERROR on redis cluster MOVED response.
* Catch and remove uninitialized value warning in exiqsumm
* Disallow '/' characters in queue names specified for the 'queue=' ACL
modifier. This matches the restriction on the commandline.
* Fix pgsql lookup for multiple result-tuples with a single column.
Previously only the last row was returned.
* Bug 2217: Tighten up the parsing of DKIM signature headers.
* Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.
* Fix issue with continued-connections when the DNS shifts unreliably.
* Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.
* The 'support for' informational output now, which built with Content
Scanning support, has a line for the malware scanner interfaces compiled
in. Interface can be individually included or not at build time.
* The 'aveserver', 'kavdaemon' and 'mksd' interfaces are now not included
by the template makefile 'src/EDITME'. The 'STREAM' support for an older
ClamAV interface method is removed.
* Bug 2223: Fix mysql lookup returns for the no-data case (when the number of
rows affected is given instead).
* The runtime Berkeley DB library version is now additionally output by
'exim -d -bV'. Previously only the compile-time version was shown.
* Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating
SMTP connection.
* Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by
routers.
* Bug 2174: A timeout on connect for a callout was also erroneously seen as
a timeout on read on a GnuTLS initiating connection, resulting in the
initiating connection being dropped.
* Relax results from ACL control request to enable cutthrough, in
unsupported situations, from error to silently (except under debug)
ignoring.
* Fix Buffer overflow in base64d() (CVE-2018-6789)
* Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
metadata, resulting in a crash in free().
* Fix broken Heimdal GSSAPI authenticator integration.
* Bug 2113: Fix conversation closedown with the Avast malware scanner.
* Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail ACL.
* Speed up macro lookups during configuration file read, by skipping non-
macro text after a replacement (previously it was only once per line) and
by skipping builtin macros when searching for an uppercase lead character.
* DANE support moved from Experimental to mainline. The Makefile control
for the build is renamed.
* Fix memory leak during multi-message connections using STARTTLS.
* Bug 2236: When a DKIM verification result is overridden by ACL, DMARC
reported the original. Fix to report (as far as possible) the ACL
result replacing the original.
* Fix memory leak during multi-message connections using STARTTLS under
OpenSSL
* Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.
* Fix utf8_downconvert propagation through a redirect router.
* Bug 2253: For logging delivery lines under PRDR, append the overall
DATA response info to the (existing) per-recipient response info for
the 'C=' log element.
* Bug 2251: Fix ldap lookups that return a single attribute having zero-
length value.
* Support Avast multiline protocol, this allows passing flags to
newer versions of the scanner.
* Ensure that variables possibly set during message acceptance are marked
dead before release of memory in the daemon loop.
* Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such
as a multi-recipient message from a mailinglist manager).
* The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being
replaced by the ${authresults } expansion.
* Bug 2257: Fix pipe transport to not use a socket-only syscall.
* Set a handler for SIGTERM and call exit(3) if running as PID 1. This
allows proper process termination in container environments.
* Bug 2258: Fix spool_wireformat in combination with LMTP transport.
Previously the 'final dot' had a newline after it; ensure it is CR,LF.
* SPF: remove support for the 'spf' ACL condition outcome values 'err_temp'
and 'err_perm', deprecated since 4.83 when the RFC-defined words
' temperror' and 'permerror' were introduced.
* Re-introduce enforcement of no cutthrough delivery on transports having
transport-filters or DKIM-signing.
* Cutthrough: for a final-dot response timeout (and nonunderstood responses)
in defer=pass mode supply a 450 to the initiator. Previously the message
would be spooled.
* DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,
tls_require_ciphers is used as before.
* Malware Avast: Better match the Avast multiline protocol.
* Fix reinitialisation of DKIM logging variable between messages.
* Bug 2255: Revert the disable of the OpenSSL session caching.
* Add util/renew-opendmarc-tlds.sh script for safe renewal of public
suffix list.
* DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,
since the IETF WG has not yet settled on that versus the original
'bare' representation.
* Fix syslog logging for syslog_timestamp=no and log_selector +millisec.
Previously the millisecond value corrupted the output.
Fix also for syslog_pid=no and log_selector +pid, for which the pid
corrupted the output.
- Replace xorg-x11-devel by individual pkgconfig() buildrequires.
- update to 4.90.1
* Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly
during configuration. Wildcards are allowed and expanded.
* Shorten the log line for daemon startup by collapsing adjacent sets of
identical IP addresses on different listening ports. Will also affect
'exiwhat' output.
* Tighten up the checking in isip4 (et al): dotted-quad components larger
than 255 are no longer allowed.
* Default openssl_options to include +no_ticket, to reduce load on peers.
Disable the session-cache too, which might reduce our load. Since we
currrectly use a new context for every connection, both as server and
client, there is no benefit for these.
* Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at
<https://reproducible-builds.org/specs/source-date-epoch/>.
* Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously
the check for any unsuccessful recipients did not notice the limit, and
erroneously found still-pending ones.
* Pipeline CHUNKING command and data together, on kernels that support
MSG_MORE. Only in-clear (not on TLS connections).
* Avoid using a temporary file during transport using dkim. Unless a
transport-filter is involved we can buffer the headers in memory for
creating the signature, and read the spool data file once for the
signature and again for transmission.
* Enable use of sendfile in Linux builds as default. It was disabled in
4.77 as the kernel support then wasn't solid, having issues in 64bit
mode. Now, it's been long enough. Add support for FreeBSD also.
* Add commandline_checks_require_admin option.
* Do pipelining under TLS.
* For the 'sock' variant of the malware scanner interface, accept an empty
cmdline element to get the documented default one. Previously it was
inaccessible.
* Prevent repeated use of -p/-oMr
* DKIM: enforce the DNS pubkey record 'h' permitted-hashes optional field,
if present.
* DKIM: when a message has multiple signatures matching an identity given
in dkim_verify_signers, run the dkim acl once for each.
* Support IDNA2008.
* The path option on a pipe transport is now expanded before use
* Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.
- Several bug fixes
- Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)
Patchnames
openSUSE-2021-753
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "critical", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for exim", title: "Title of the patch", }, { category: "description", text: "This update for exim fixes the following issues:\n\nexim was updated to 4.94.2:\n\nsecurity update (boo#1185631)\n\n * CVE-2020-28007: Link attack in Exim's log directory\n * CVE-2020-28008: Assorted attacks in Exim's spool directory\n * CVE-2020-28014: Arbitrary PID file creation\n * CVE-2020-28011: Heap buffer overflow in queue_run()\n * CVE-2020-28010: Heap out-of-bounds write in main()\n * CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n * CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n * CVE-2020-28015: New-line injection into spool header file (local)\n * CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n * CVE-2020-28009: Integer overflow in get_stdinput()\n * CVE-2020-28017: Integer overflow in receive_add_recipient()\n * CVE-2020-28020: Integer overflow in receive_msg()\n * CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n * CVE-2020-28021: New-line injection into spool header file (remote)\n * CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n * CVE-2020-28026: Line truncation and injection in spool_read_header()\n * CVE-2020-28019: Failure to reset function pointer after BDAT error\n * CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n * CVE-2020-28018: Use-after-free in tls-openssl.c\n * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\nupdate to exim-4.94.1\n\n * Fix security issue in BDAT state confusion.\n Ensure we reset known-good where we know we need to not be reading BDAT\n data, as a general case fix, and move the places where we switch to BDAT\n mode until after various protocol state checks.\n Fixes CVE-2020-BDATA reported by Qualys.\n * Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)\n * Fix security issue with too many recipients on a message (to remove a\n known security problem if someone does set recipients_max to unlimited,\n or if local additions add to the recipient list).\n Fixes CVE-2020-RCPTL reported by Qualys.\n * Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()\n * Fix security issue CVE-2020-PFPSN and guard against cmdline invoker\n providing a particularly obnoxious sender full name.\n * Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX\n better.\n\n- bring back missing exim_db.8 manual page (fixes boo#1173693)\n\n- bring in changes from current +fixes (lots of taint check fixes)\n * Bug 1329: Fix format of Maildir-format filenames to match other mail-\n related applications. Previously an 'H' was used where available info\n says that 'M' should be, so change to match.\n * Bug 2587: Fix pam expansion condition. Tainted values are commonly used\n as arguments, so an implementation trying to copy these into a local\n buffer was taking a taint-enforcement trap. Fix by using dynamically\n created buffers.\n * Bug 2586: Fix listcount expansion operator. Using tainted arguments is\n reasonable, eg. to count headers. Fix by using dynamically created\n buffers rather than a local. Do similar fixes for ACL actions 'dcc',\n 'log_reject_target', 'malware' and 'spam'; the arguments are expanded\n so could be handling tainted values.\n * Bug 2590: Fix -bi (newaliases). A previous code rearrangement had\n broken the (no-op) support for this sendmail command. Restore it\n to doing nothing, silently, and returning good status.\n\nupdate to exim 4.94\n\n * some transports now refuse to use tainted data in constructing their delivery\n location\n this WILL BREAK configurations which are not updated accordingly.\n In particular: any Transport use of $local_user which has been relying upon\n check_local_user far away in the Router to make it safe, should be updated to\n replace $local_user with $local_part_data.\n * Attempting to remove, in router or transport, a header name that ends with\n an asterisk (which is a standards-legal name) will now result in all headers\n named starting with the string before the asterisk being removed.\n\n- switch pretrans to use lua (fixes boo#1171877)\n \n\n- bring changes from current in +fixes branch\n (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)\n * fixes CVE-2020-12783 (boo#1171490)\n * Regard command-line recipients as tainted.\n * Bug 2489: Fix crash in the 'pam' expansion condition.\n * Use tainted buffers for the transport smtp context.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to mix\n the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously when\n a new record was being constructed with information from the peer, a trap\n was taken.\n * Bug 2494: Unset the default for dmarc_tld_file.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers and\n the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between the\n Exim main code and Exim-related utities.\n * Fix the variables set by the gsasl authenticator.\n * Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,\n only retrieve the errormessage once.\n * Bug 2501: Fix init call in the heimdal authenticator. Previously it\n adjusted the size of a major service buffer; this failed because the\n buffer was in use at the time. Change to a compile-time increase in the\n buffer size, when this authenticator is compiled into exim.\n\n- don't create logfiles during install\n * fixes CVE-2020-8015 (boo#1154183)\n\n- add a spec-file workaround for boo#1160726\n\n- update to exim 4.93.0.4 (+fixes release)\n * Avoid costly startup code when not strictly needed. This reduces time\n for some exim process initialisations. It does mean that the logging\n of TLS configuration problems is only done for the daemon startup.\n * Early-pipelining support code is now included unless disabled in Makefile.\n * DKIM verification defaults no long accept sha1 hashes, to conform to\n RFC 8301. They can still be enabled, using the dkim_verify_hashes main\n option.\n * Support CHUNKING from an smtp transport using a transport_filter, when\n DKIM signing is being done. Previously a transport_filter would always\n disable CHUNKING, falling back to traditional DATA.\n * Regard command-line receipients as tainted.\n * Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.\n * Bug 2489: Fix crash in the 'pam' expansion condition. It seems that the\n PAM library frees one of the arguments given to it, despite the\n documentation. Therefore a plain malloc must be used.\n * Bug 2491: Use tainted buffers for the transport smtp context. Previously\n on-stack buffers were used, resulting in a taint trap when DSN information\n copied from a received message was written into the buffer.\n * Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix\n the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously when\n a new record was being constructed with information from the peer, a trap\n was taken.\n * Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive\n installation would get error messages from DMARC verify, when it hit the\n nonexistent file indicated by the default. Distros wanting DMARC enabled\n should both provide the file and set the option.\n Also enforce no DMARC verification for command-line sourced messages.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers and\n the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between the\n Exim main code and Exim-related utities. The introduction of taint\n tracking also did many adjustments to string handling. Since then, eximon\n frequently terminated with an assert failure.\n * When PIPELINING, synch after every hundred or so RCPT commands sent and\n check for 452 responses. This slightly helps the inefficieny of doing\n a large alias-expansion into a recipient-limited target. The max_rcpt\n transport option still applies (and at the current default, will override\n the new feature). The check is done for either cause of synch, and forces\n a fast-retry of all 452'd recipients using a new MAIL FROM on the same\n connection. The new facility is not tunable at this time.\n * Fix the variables set by the gsasl authenticator. Previously a pointer to\n library live data was being used, so the results became garbage. Make\n copies while it is still usable.\n * Logging: when the deliver_time selector ise set, include the DT= field\n on delivery deferred (==) and failed (**) lines (if a delivery was\n attemtped). Previously it was only on completion (=>) lines.\n * Authentication: the gsasl driver not provides the $authN variables in time\n for the expansion of the server_scram_iter and server_scram_salt options.\n\nspec file cleanup to make update work\n- add docdir to spec\n\n- update to exim 4.93\n * SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n * DISABLE_TLS replaces SUPPORT_TLS\n * Bump the version for the local_scan API.\n * smtp transport option hosts_try_fastopen defaults to '*'.\n * DNSSec is requested (not required) for all queries. (This seemes to\n ask for trouble if your resolver is a systemd-resolved.)\n * Generic router option retry_use_local_part defaults to 'true' under specific\n pre-conditions.\n * Introduce a tainting mechanism for values read from untrusted sources.\n * Use longer file names for temporary spool files (this avoids\n name conflicts with spool on a shared file system).\n * Use dsn_from main config option (was ignored previously).\n\n- update to exim 4.92.3\n * CVE-2019-16928: fix against Heap-based buffer overflow in string_vformat,\n remote code execution seems to be possible\n\n- update to exim 4.92.2\n * CVE-2019-15846: fix against remote attackers executing arbitrary code as\n root via a trailing backslash\n\n- update to exim 4.92.1\n * CVE-2019-13917: Fixed an issue with ${sort} expansion which could \n allow remote attackers to execute other programs with root privileges \n (boo#1142207)\n\n- spec file cleanup\n * fix DANE inclusion guard condition\n * re-enable i18n and remove misleading comment\n * EXPERIMENTAL_SPF is now SUPPORT_SPF\n * DANE is now SUPPORT_DANE\n\n- update to exim 4.92\n * ${l_header:<name>} expansion\n * ${readsocket} now supports TLS\n * 'utf8_downconvert' option (if built with SUPPORT_I18N)\n * 'pipelining' log_selector\n * JSON variants for ${extract } expansion\n * 'noutf8' debug option\n * TCP Fast Open support on MacOS\n * CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)\n- add workaround patch for compile time error on missing printf\n format annotation (gnu_printf.patch)\n\n- update to 4.91\n * DEFER rather than ERROR on redis cluster MOVED response.\n * Catch and remove uninitialized value warning in exiqsumm\n * Disallow '/' characters in queue names specified for the 'queue=' ACL\n modifier. This matches the restriction on the commandline.\n * Fix pgsql lookup for multiple result-tuples with a single column.\n Previously only the last row was returned.\n * Bug 2217: Tighten up the parsing of DKIM signature headers.\n * Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.\n * Fix issue with continued-connections when the DNS shifts unreliably.\n * Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.\n * The 'support for' informational output now, which built with Content\n Scanning support, has a line for the malware scanner interfaces compiled\n in. Interface can be individually included or not at build time.\n * The 'aveserver', 'kavdaemon' and 'mksd' interfaces are now not included\n by the template makefile 'src/EDITME'. The 'STREAM' support for an older\n ClamAV interface method is removed.\n * Bug 2223: Fix mysql lookup returns for the no-data case (when the number of\n rows affected is given instead).\n * The runtime Berkeley DB library version is now additionally output by\n 'exim -d -bV'. Previously only the compile-time version was shown.\n * Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating\n SMTP connection.\n * Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by\n routers.\n * Bug 2174: A timeout on connect for a callout was also erroneously seen as\n a timeout on read on a GnuTLS initiating connection, resulting in the\n initiating connection being dropped.\n * Relax results from ACL control request to enable cutthrough, in\n unsupported situations, from error to silently (except under debug)\n ignoring.\n * Fix Buffer overflow in base64d() (CVE-2018-6789)\n * Fix bug in DKIM verify: a buffer overflow could corrupt the malloc\n metadata, resulting in a crash in free().\n * Fix broken Heimdal GSSAPI authenticator integration.\n * Bug 2113: Fix conversation closedown with the Avast malware scanner.\n * Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail ACL.\n * Speed up macro lookups during configuration file read, by skipping non-\n macro text after a replacement (previously it was only once per line) and\n by skipping builtin macros when searching for an uppercase lead character.\n * DANE support moved from Experimental to mainline. The Makefile control\n for the build is renamed.\n * Fix memory leak during multi-message connections using STARTTLS.\n * Bug 2236: When a DKIM verification result is overridden by ACL, DMARC\n reported the original. Fix to report (as far as possible) the ACL\n result replacing the original.\n * Fix memory leak during multi-message connections using STARTTLS under\n OpenSSL\n * Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.\n * Fix utf8_downconvert propagation through a redirect router.\n * Bug 2253: For logging delivery lines under PRDR, append the overall\n DATA response info to the (existing) per-recipient response info for\n the 'C=' log element.\n * Bug 2251: Fix ldap lookups that return a single attribute having zero-\n length value.\n * Support Avast multiline protocol, this allows passing flags to\n newer versions of the scanner.\n * Ensure that variables possibly set during message acceptance are marked\n dead before release of memory in the daemon loop.\n * Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such\n as a multi-recipient message from a mailinglist manager).\n * The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being\n replaced by the ${authresults } expansion.\n * Bug 2257: Fix pipe transport to not use a socket-only syscall.\n * Set a handler for SIGTERM and call exit(3) if running as PID 1. This\n allows proper process termination in container environments.\n * Bug 2258: Fix spool_wireformat in combination with LMTP transport.\n Previously the 'final dot' had a newline after it; ensure it is CR,LF.\n * SPF: remove support for the 'spf' ACL condition outcome values 'err_temp'\n and 'err_perm', deprecated since 4.83 when the RFC-defined words\n ' temperror' and 'permerror' were introduced.\n * Re-introduce enforcement of no cutthrough delivery on transports having\n transport-filters or DKIM-signing.\n * Cutthrough: for a final-dot response timeout (and nonunderstood responses)\n in defer=pass mode supply a 450 to the initiator. Previously the message\n would be spooled.\n * DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,\n tls_require_ciphers is used as before.\n * Malware Avast: Better match the Avast multiline protocol.\n * Fix reinitialisation of DKIM logging variable between messages.\n * Bug 2255: Revert the disable of the OpenSSL session caching.\n * Add util/renew-opendmarc-tlds.sh script for safe renewal of public\n suffix list.\n * DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,\n since the IETF WG has not yet settled on that versus the original\n 'bare' representation.\n * Fix syslog logging for syslog_timestamp=no and log_selector +millisec.\n Previously the millisecond value corrupted the output.\n Fix also for syslog_pid=no and log_selector +pid, for which the pid\n corrupted the output.\n\n- Replace xorg-x11-devel by individual pkgconfig() buildrequires. \n\n- update to 4.90.1\n * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly\n during configuration. Wildcards are allowed and expanded.\n * Shorten the log line for daemon startup by collapsing adjacent sets of\n identical IP addresses on different listening ports. Will also affect\n 'exiwhat' output.\n * Tighten up the checking in isip4 (et al): dotted-quad components larger\n than 255 are no longer allowed.\n * Default openssl_options to include +no_ticket, to reduce load on peers.\n Disable the session-cache too, which might reduce our load. Since we\n currrectly use a new context for every connection, both as server and\n client, there is no benefit for these.\n * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at\n <https://reproducible-builds.org/specs/source-date-epoch/>.\n * Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously\n the check for any unsuccessful recipients did not notice the limit, and\n erroneously found still-pending ones.\n * Pipeline CHUNKING command and data together, on kernels that support\n MSG_MORE. Only in-clear (not on TLS connections).\n * Avoid using a temporary file during transport using dkim. Unless a\n transport-filter is involved we can buffer the headers in memory for\n creating the signature, and read the spool data file once for the\n signature and again for transmission.\n * Enable use of sendfile in Linux builds as default. It was disabled in\n 4.77 as the kernel support then wasn't solid, having issues in 64bit\n mode. Now, it's been long enough. Add support for FreeBSD also.\n * Add commandline_checks_require_admin option.\n * Do pipelining under TLS.\n * For the 'sock' variant of the malware scanner interface, accept an empty\n cmdline element to get the documented default one. Previously it was\n inaccessible.\n * Prevent repeated use of -p/-oMr\n * DKIM: enforce the DNS pubkey record 'h' permitted-hashes optional field,\n if present.\n * DKIM: when a message has multiple signatures matching an identity given\n in dkim_verify_signers, run the dkim acl once for each.\n * Support IDNA2008.\n * The path option on a pipe transport is now expanded before use\n * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.\n- Several bug fixes\n- Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)\n", title: "Description of the patch", }, { category: "details", text: "openSUSE-2021-753", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0753-1.json", }, { category: "self", summary: "URL for openSUSE-SU-2021:0753-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UMX36VOLIS2TDKA3MXOUO365NDUK5WQ3/", }, { category: "self", summary: "E-Mail link for openSUSE-SU-2021:0753-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UMX36VOLIS2TDKA3MXOUO365NDUK5WQ3/", }, { category: "self", summary: "SUSE Bug 1079832", url: "https://bugzilla.suse.com/1079832", }, { category: "self", summary: "SUSE Bug 1136587", url: "https://bugzilla.suse.com/1136587", }, { category: "self", summary: "SUSE Bug 1142207", url: "https://bugzilla.suse.com/1142207", }, { category: "self", summary: "SUSE Bug 1154183", url: "https://bugzilla.suse.com/1154183", }, { category: "self", summary: "SUSE Bug 1160726", url: "https://bugzilla.suse.com/1160726", }, { category: "self", summary: "SUSE Bug 1171490", url: "https://bugzilla.suse.com/1171490", }, { category: "self", summary: "SUSE Bug 1171877", url: "https://bugzilla.suse.com/1171877", }, { category: "self", summary: "SUSE Bug 1173693", url: "https://bugzilla.suse.com/1173693", }, { category: "self", summary: "SUSE Bug 1185631", url: "https://bugzilla.suse.com/1185631", }, { category: "self", summary: "SUSE CVE CVE-2017-1000369 page", url: "https://www.suse.com/security/cve/CVE-2017-1000369/", }, { category: "self", summary: "SUSE CVE CVE-2017-16943 page", url: "https://www.suse.com/security/cve/CVE-2017-16943/", }, { category: "self", summary: "SUSE CVE CVE-2017-16944 page", url: "https://www.suse.com/security/cve/CVE-2017-16944/", }, { category: "self", summary: "SUSE CVE CVE-2018-6789 page", url: "https://www.suse.com/security/cve/CVE-2018-6789/", }, { category: "self", summary: "SUSE CVE CVE-2019-10149 page", url: "https://www.suse.com/security/cve/CVE-2019-10149/", }, { category: "self", summary: "SUSE CVE CVE-2019-13917 page", url: "https://www.suse.com/security/cve/CVE-2019-13917/", }, { category: "self", summary: "SUSE CVE CVE-2019-15846 page", url: "https://www.suse.com/security/cve/CVE-2019-15846/", }, { category: "self", summary: "SUSE CVE CVE-2019-16928 page", url: "https://www.suse.com/security/cve/CVE-2019-16928/", }, { category: "self", summary: "SUSE CVE CVE-2020-12783 page", url: "https://www.suse.com/security/cve/CVE-2020-12783/", }, { category: "self", summary: "SUSE CVE CVE-2020-28007 page", url: "https://www.suse.com/security/cve/CVE-2020-28007/", }, { category: "self", summary: "SUSE CVE CVE-2020-28008 page", url: "https://www.suse.com/security/cve/CVE-2020-28008/", }, { category: "self", summary: "SUSE CVE CVE-2020-28009 page", url: "https://www.suse.com/security/cve/CVE-2020-28009/", }, { category: "self", summary: "SUSE CVE CVE-2020-28010 page", url: "https://www.suse.com/security/cve/CVE-2020-28010/", }, { category: "self", summary: "SUSE CVE CVE-2020-28011 page", url: "https://www.suse.com/security/cve/CVE-2020-28011/", }, { category: "self", summary: "SUSE CVE CVE-2020-28012 page", url: "https://www.suse.com/security/cve/CVE-2020-28012/", }, { category: "self", summary: "SUSE CVE CVE-2020-28013 page", url: "https://www.suse.com/security/cve/CVE-2020-28013/", }, { category: "self", summary: "SUSE CVE CVE-2020-28014 page", url: "https://www.suse.com/security/cve/CVE-2020-28014/", }, { category: "self", summary: "SUSE CVE CVE-2020-28015 page", url: "https://www.suse.com/security/cve/CVE-2020-28015/", }, { category: "self", summary: "SUSE CVE CVE-2020-28016 page", url: "https://www.suse.com/security/cve/CVE-2020-28016/", }, { category: "self", summary: "SUSE CVE CVE-2020-28017 page", url: "https://www.suse.com/security/cve/CVE-2020-28017/", }, { category: "self", summary: "SUSE CVE CVE-2020-28018 page", url: "https://www.suse.com/security/cve/CVE-2020-28018/", }, { category: "self", summary: "SUSE CVE CVE-2020-28019 page", url: "https://www.suse.com/security/cve/CVE-2020-28019/", }, { category: "self", summary: "SUSE CVE CVE-2020-28020 page", url: "https://www.suse.com/security/cve/CVE-2020-28020/", }, { category: "self", summary: "SUSE CVE CVE-2020-28021 page", url: "https://www.suse.com/security/cve/CVE-2020-28021/", }, { category: "self", summary: "SUSE CVE CVE-2020-28022 page", url: "https://www.suse.com/security/cve/CVE-2020-28022/", }, { category: "self", summary: "SUSE CVE CVE-2020-28023 page", url: "https://www.suse.com/security/cve/CVE-2020-28023/", }, { category: "self", summary: "SUSE CVE CVE-2020-28024 page", url: "https://www.suse.com/security/cve/CVE-2020-28024/", }, { category: "self", summary: "SUSE CVE CVE-2020-28025 page", url: "https://www.suse.com/security/cve/CVE-2020-28025/", }, { category: "self", summary: "SUSE CVE CVE-2020-28026 page", url: "https://www.suse.com/security/cve/CVE-2020-28026/", }, { category: "self", summary: "SUSE CVE CVE-2020-8015 page", url: "https://www.suse.com/security/cve/CVE-2020-8015/", }, ], title: "Security update for exim", tracking: { current_release_date: "2021-05-20T08:50:28Z", generator: { date: "2021-05-20T08:50:28Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2021:0753-1", initial_release_date: "2021-05-20T08:50:28Z", revision_history: [ { date: "2021-05-20T08:50:28Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "exim-4.94.2-bp151.2.4.1.aarch64", product: { name: "exim-4.94.2-bp151.2.4.1.aarch64", product_id: "exim-4.94.2-bp151.2.4.1.aarch64", }, }, { category: "product_version", name: "eximon-4.94.2-bp151.2.4.1.aarch64", product: { name: "eximon-4.94.2-bp151.2.4.1.aarch64", product_id: "eximon-4.94.2-bp151.2.4.1.aarch64", }, }, { category: "product_version", name: "eximstats-html-4.94.2-bp151.2.4.1.aarch64", product: { name: "eximstats-html-4.94.2-bp151.2.4.1.aarch64", product_id: "eximstats-html-4.94.2-bp151.2.4.1.aarch64", }, }, { category: "product_version", name: "libspf2-2-1.2.10-bp151.4.1.aarch64", product: { name: "libspf2-2-1.2.10-bp151.4.1.aarch64", product_id: "libspf2-2-1.2.10-bp151.4.1.aarch64", }, }, { category: "product_version", name: "libspf2-devel-1.2.10-bp151.4.1.aarch64", product: { name: "libspf2-devel-1.2.10-bp151.4.1.aarch64", product_id: "libspf2-devel-1.2.10-bp151.4.1.aarch64", }, }, { category: "product_version", name: "libspf2-tools-1.2.10-bp151.4.1.aarch64", product: { name: "libspf2-tools-1.2.10-bp151.4.1.aarch64", product_id: "libspf2-tools-1.2.10-bp151.4.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "exim-4.94.2-bp151.2.4.1.ppc64le", product: { name: "exim-4.94.2-bp151.2.4.1.ppc64le", product_id: "exim-4.94.2-bp151.2.4.1.ppc64le", }, }, { category: "product_version", name: "eximon-4.94.2-bp151.2.4.1.ppc64le", product: { name: "eximon-4.94.2-bp151.2.4.1.ppc64le", product_id: "eximon-4.94.2-bp151.2.4.1.ppc64le", }, }, { category: "product_version", name: "eximstats-html-4.94.2-bp151.2.4.1.ppc64le", product: { name: "eximstats-html-4.94.2-bp151.2.4.1.ppc64le", product_id: "eximstats-html-4.94.2-bp151.2.4.1.ppc64le", }, }, { category: "product_version", name: "libspf2-2-1.2.10-bp151.4.1.ppc64le", product: { name: "libspf2-2-1.2.10-bp151.4.1.ppc64le", product_id: "libspf2-2-1.2.10-bp151.4.1.ppc64le", }, }, { category: "product_version", name: "libspf2-devel-1.2.10-bp151.4.1.ppc64le", product: { name: "libspf2-devel-1.2.10-bp151.4.1.ppc64le", product_id: "libspf2-devel-1.2.10-bp151.4.1.ppc64le", }, }, { category: "product_version", name: "libspf2-tools-1.2.10-bp151.4.1.ppc64le", product: { name: "libspf2-tools-1.2.10-bp151.4.1.ppc64le", product_id: "libspf2-tools-1.2.10-bp151.4.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "exim-4.94.2-bp151.2.4.1.s390x", product: { name: "exim-4.94.2-bp151.2.4.1.s390x", product_id: "exim-4.94.2-bp151.2.4.1.s390x", }, }, { category: "product_version", name: "eximon-4.94.2-bp151.2.4.1.s390x", product: { name: "eximon-4.94.2-bp151.2.4.1.s390x", product_id: "eximon-4.94.2-bp151.2.4.1.s390x", }, }, { category: "product_version", name: "eximstats-html-4.94.2-bp151.2.4.1.s390x", product: { name: "eximstats-html-4.94.2-bp151.2.4.1.s390x", product_id: "eximstats-html-4.94.2-bp151.2.4.1.s390x", }, }, { category: "product_version", name: "libspf2-2-1.2.10-bp151.4.1.s390x", product: { name: "libspf2-2-1.2.10-bp151.4.1.s390x", product_id: "libspf2-2-1.2.10-bp151.4.1.s390x", }, }, { category: "product_version", name: "libspf2-devel-1.2.10-bp151.4.1.s390x", product: { name: "libspf2-devel-1.2.10-bp151.4.1.s390x", product_id: "libspf2-devel-1.2.10-bp151.4.1.s390x", }, }, { category: "product_version", name: "libspf2-tools-1.2.10-bp151.4.1.s390x", product: { name: "libspf2-tools-1.2.10-bp151.4.1.s390x", product_id: "libspf2-tools-1.2.10-bp151.4.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "exim-4.94.2-bp151.2.4.1.x86_64", product: { name: "exim-4.94.2-bp151.2.4.1.x86_64", product_id: "exim-4.94.2-bp151.2.4.1.x86_64", }, }, { category: "product_version", name: "eximon-4.94.2-bp151.2.4.1.x86_64", product: { name: "eximon-4.94.2-bp151.2.4.1.x86_64", product_id: "eximon-4.94.2-bp151.2.4.1.x86_64", }, }, { category: "product_version", name: "eximstats-html-4.94.2-bp151.2.4.1.x86_64", product: { name: "eximstats-html-4.94.2-bp151.2.4.1.x86_64", product_id: "eximstats-html-4.94.2-bp151.2.4.1.x86_64", }, }, { category: "product_version", name: "libspf2-2-1.2.10-bp151.4.1.x86_64", product: { name: "libspf2-2-1.2.10-bp151.4.1.x86_64", product_id: "libspf2-2-1.2.10-bp151.4.1.x86_64", }, }, { category: "product_version", name: "libspf2-devel-1.2.10-bp151.4.1.x86_64", product: { name: "libspf2-devel-1.2.10-bp151.4.1.x86_64", product_id: "libspf2-devel-1.2.10-bp151.4.1.x86_64", }, }, { category: "product_version", name: "libspf2-tools-1.2.10-bp151.4.1.x86_64", product: { name: "libspf2-tools-1.2.10-bp151.4.1.x86_64", product_id: "libspf2-tools-1.2.10-bp151.4.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "SUSE Package Hub 15 SP1", product: { name: "SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1", }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "exim-4.94.2-bp151.2.4.1.aarch64 as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", }, product_reference: "exim-4.94.2-bp151.2.4.1.aarch64", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "exim-4.94.2-bp151.2.4.1.ppc64le as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", }, product_reference: "exim-4.94.2-bp151.2.4.1.ppc64le", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "exim-4.94.2-bp151.2.4.1.s390x as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", }, product_reference: "exim-4.94.2-bp151.2.4.1.s390x", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "exim-4.94.2-bp151.2.4.1.x86_64 as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", }, product_reference: "exim-4.94.2-bp151.2.4.1.x86_64", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "eximon-4.94.2-bp151.2.4.1.aarch64 as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", }, product_reference: "eximon-4.94.2-bp151.2.4.1.aarch64", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "eximon-4.94.2-bp151.2.4.1.ppc64le as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", }, product_reference: "eximon-4.94.2-bp151.2.4.1.ppc64le", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "eximon-4.94.2-bp151.2.4.1.s390x as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", }, product_reference: "eximon-4.94.2-bp151.2.4.1.s390x", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "eximon-4.94.2-bp151.2.4.1.x86_64 as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", }, product_reference: "eximon-4.94.2-bp151.2.4.1.x86_64", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "eximstats-html-4.94.2-bp151.2.4.1.aarch64 as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", }, product_reference: "eximstats-html-4.94.2-bp151.2.4.1.aarch64", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "eximstats-html-4.94.2-bp151.2.4.1.ppc64le as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", }, product_reference: "eximstats-html-4.94.2-bp151.2.4.1.ppc64le", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "eximstats-html-4.94.2-bp151.2.4.1.s390x as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", }, product_reference: "eximstats-html-4.94.2-bp151.2.4.1.s390x", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "eximstats-html-4.94.2-bp151.2.4.1.x86_64 as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", }, product_reference: "eximstats-html-4.94.2-bp151.2.4.1.x86_64", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "libspf2-2-1.2.10-bp151.4.1.aarch64 as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", }, product_reference: "libspf2-2-1.2.10-bp151.4.1.aarch64", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "libspf2-2-1.2.10-bp151.4.1.ppc64le as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", }, product_reference: "libspf2-2-1.2.10-bp151.4.1.ppc64le", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "libspf2-2-1.2.10-bp151.4.1.s390x as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", }, product_reference: "libspf2-2-1.2.10-bp151.4.1.s390x", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "libspf2-2-1.2.10-bp151.4.1.x86_64 as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", }, product_reference: "libspf2-2-1.2.10-bp151.4.1.x86_64", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "libspf2-devel-1.2.10-bp151.4.1.aarch64 as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", }, product_reference: "libspf2-devel-1.2.10-bp151.4.1.aarch64", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "libspf2-devel-1.2.10-bp151.4.1.ppc64le as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", }, product_reference: "libspf2-devel-1.2.10-bp151.4.1.ppc64le", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "libspf2-devel-1.2.10-bp151.4.1.s390x as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", }, product_reference: "libspf2-devel-1.2.10-bp151.4.1.s390x", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "libspf2-devel-1.2.10-bp151.4.1.x86_64 as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", }, product_reference: "libspf2-devel-1.2.10-bp151.4.1.x86_64", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "libspf2-tools-1.2.10-bp151.4.1.aarch64 as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", }, product_reference: "libspf2-tools-1.2.10-bp151.4.1.aarch64", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "libspf2-tools-1.2.10-bp151.4.1.ppc64le as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", }, product_reference: "libspf2-tools-1.2.10-bp151.4.1.ppc64le", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "libspf2-tools-1.2.10-bp151.4.1.s390x as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", }, product_reference: "libspf2-tools-1.2.10-bp151.4.1.s390x", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, { category: "default_component_of", full_product_name: { name: "libspf2-tools-1.2.10-bp151.4.1.x86_64 as component of SUSE Package Hub 15 SP1", product_id: "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", }, product_reference: "libspf2-tools-1.2.10-bp151.4.1.x86_64", relates_to_product_reference: "SUSE Package Hub 15 SP1", }, ], }, vulnerabilities: [ { cve: "CVE-2017-1000369", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-1000369", }, ], notes: [ { category: "general", text: "Exim supports the use of multiple \"-p\" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-1000369", url: "https://www.suse.com/security/cve/CVE-2017-1000369", }, { category: "external", summary: "SUSE Bug 1037551 for CVE-2017-1000369", url: "https://bugzilla.suse.com/1037551", }, { category: "external", summary: "SUSE Bug 1044692 for CVE-2017-1000369", url: "https://bugzilla.suse.com/1044692", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "low", }, ], title: "CVE-2017-1000369", }, { cve: "CVE-2017-16943", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-16943", }, ], notes: [ { category: "general", text: "The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-16943", url: "https://www.suse.com/security/cve/CVE-2017-16943", }, { category: "external", summary: "SUSE Bug 1069857 for CVE-2017-16943", url: "https://bugzilla.suse.com/1069857", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2017-16943", }, { cve: "CVE-2017-16944", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-16944", }, ], notes: [ { category: "general", text: "The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-16944", url: "https://www.suse.com/security/cve/CVE-2017-16944", }, { category: "external", summary: "SUSE Bug 1069859 for CVE-2017-16944", url: "https://bugzilla.suse.com/1069859", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "important", }, ], title: "CVE-2017-16944", }, { cve: "CVE-2018-6789", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-6789", }, ], notes: [ { category: "general", text: "An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-6789", url: "https://www.suse.com/security/cve/CVE-2018-6789", }, { category: "external", summary: "SUSE Bug 1079832 for CVE-2018-6789", url: "https://bugzilla.suse.com/1079832", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2018-6789", }, { cve: "CVE-2019-10149", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-10149", }, ], notes: [ { category: "general", text: "A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-10149", url: "https://www.suse.com/security/cve/CVE-2019-10149", }, { category: "external", summary: "SUSE Bug 1136587 for CVE-2019-10149", url: "https://bugzilla.suse.com/1136587", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2019-10149", }, { cve: "CVE-2019-13917", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-13917", }, ], notes: [ { category: "general", text: "Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-13917", url: "https://www.suse.com/security/cve/CVE-2019-13917", }, { category: "external", summary: "SUSE Bug 1142207 for CVE-2019-13917", url: "https://bugzilla.suse.com/1142207", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2019-13917", }, { cve: "CVE-2019-15846", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-15846", }, ], notes: [ { category: "general", text: "Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-15846", url: "https://www.suse.com/security/cve/CVE-2019-15846", }, { category: "external", summary: "SUSE Bug 1149182 for CVE-2019-15846", url: "https://bugzilla.suse.com/1149182", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2019-15846", }, { cve: "CVE-2019-16928", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-16928", }, ], notes: [ { category: "general", text: "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-16928", url: "https://www.suse.com/security/cve/CVE-2019-16928", }, { category: "external", summary: "SUSE Bug 1152507 for CVE-2019-16928", url: "https://bugzilla.suse.com/1152507", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2019-16928", }, { cve: "CVE-2020-12783", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-12783", }, ], notes: [ { category: "general", text: "Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-12783", url: "https://www.suse.com/security/cve/CVE-2020-12783", }, { category: "external", summary: "SUSE Bug 1171490 for CVE-2020-12783", url: "https://bugzilla.suse.com/1171490", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "important", }, ], title: "CVE-2020-12783", }, { cve: "CVE-2020-28007", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28007", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28007", url: "https://www.suse.com/security/cve/CVE-2020-28007", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28007", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28007", }, { cve: "CVE-2020-28008", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28008", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to command execution.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28008", url: "https://www.suse.com/security/cve/CVE-2020-28008", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28008", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28008", }, { cve: "CVE-2020-28009", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28009", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be impractical because of the execution time needed to overflow (multiple days).", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28009", url: "https://www.suse.com/security/cve/CVE-2020-28009", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28009", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28009", }, { cve: "CVE-2020-28010", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28010", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer that is too small (on some common platforms).", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28010", url: "https://www.suse.com/security/cve/CVE-2020-28010", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28010", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28010", }, { cve: "CVE-2020-28011", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28011", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S. This may cause privilege escalation from exim to root.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28011", url: "https://www.suse.com/security/cve/CVE-2020-28011", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28011", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28011", }, { cve: "CVE-2020-28012", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28012", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28012", url: "https://www.suse.com/security/cve/CVE-2020-28012", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28012", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28012", }, { cve: "CVE-2020-28013", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28013", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles \"-F '.('\" on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the interpretation of negative sizes in strncpy.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28013", url: "https://www.suse.com/security/cve/CVE-2020-28013", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28013", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28013", }, { cve: "CVE-2020-28014", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28014", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28014", url: "https://www.suse.com/security/cve/CVE-2020-28014", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28014", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28014", }, { cve: "CVE-2020-28015", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28015", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users can alter the behavior of root processes because a recipient address can have a newline character.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28015", url: "https://www.suse.com/security/cve/CVE-2020-28015", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28015", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28015", }, { cve: "CVE-2020-28016", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28016", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because \"-F ''\" is mishandled by parse_fix_phrase.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28016", url: "https://www.suse.com/security/cve/CVE-2020-28016", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28016", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28016", }, { cve: "CVE-2020-28017", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28017", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28017", url: "https://www.suse.com/security/cve/CVE-2020-28017", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28017", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28017", }, { cve: "CVE-2020-28018", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28018", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28018", url: "https://www.suse.com/security/cve/CVE-2020-28018", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28018", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28018", }, { cve: "CVE-2020-28019", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28019", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a client uses BDAT instead of DATA.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28019", url: "https://www.suse.com/security/cve/CVE-2020-28019", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28019", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28019", }, { cve: "CVE-2020-28020", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28020", }, ], notes: [ { category: "general", text: "Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unauthenticated remote attacker can execute arbitrary code by leveraging the mishandling of continuation lines during header-length restriction.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28020", url: "https://www.suse.com/security/cve/CVE-2020-28020", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28020", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28020", }, { cve: "CVE-2020-28021", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28021", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code execution as root) via AUTH= in a MAIL FROM command.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28021", url: "https://www.suse.com/security/cve/CVE-2020-28021", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28021", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28021", }, { cve: "CVE-2020-28022", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28022", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer. This occurs when processing name=value pairs within MAIL FROM and RCPT TO commands.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28022", url: "https://www.suse.com/security/cve/CVE-2020-28022", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28022", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28022", }, { cve: "CVE-2020-28023", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28023", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Out-of-bounds Read. smtp_setup_msg may disclose sensitive information from process memory to an unauthenticated SMTP client.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28023", url: "https://www.suse.com/security/cve/CVE-2020-28023", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28023", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28023", }, { cve: "CVE-2020-28024", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28024", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Buffer Underwrite that may result in unauthenticated remote attackers executing arbitrary commands, because smtp_ungetc was only intended to push back characters, but can actually push back non-character error codes such as EOF.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28024", url: "https://www.suse.com/security/cve/CVE-2020-28024", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28024", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28024", }, { cve: "CVE-2020-28025", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28025", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to a leak of sensitive information from process memory.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28025", url: "https://www.suse.com/security/cve/CVE-2020-28025", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28025", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28025", }, { cve: "CVE-2020-28026", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28026", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary commands as root.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28026", url: "https://www.suse.com/security/cve/CVE-2020-28026", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28026", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "critical", }, ], title: "CVE-2020-28026", }, { cve: "CVE-2020-8015", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-8015", }, ], notes: [ { category: "general", text: "A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to 4.93.0.4-3.1.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-8015", url: "https://www.suse.com/security/cve/CVE-2020-8015", }, { category: "external", summary: "SUSE Bug 1154062 for CVE-2020-8015", url: "https://bugzilla.suse.com/1154062", }, { category: "external", summary: "SUSE Bug 1154183 for CVE-2020-8015", url: "https://bugzilla.suse.com/1154183", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:exim-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximon-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.aarch64", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.ppc64le", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.s390x", "SUSE Package Hub 15 SP1:eximstats-html-4.94.2-bp151.2.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-2-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-devel-1.2.10-bp151.4.1.x86_64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.aarch64", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.ppc64le", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.s390x", "SUSE Package Hub 15 SP1:libspf2-tools-1.2.10-bp151.4.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-20T08:50:28Z", details: "important", }, ], title: "CVE-2020-8015", }, ], }
opensuse-su-2021:0677-1
Vulnerability from csaf_opensuse
Published
2021-05-07 09:03
Modified
2021-05-07 09:03
Summary
Security update for exim
Notes
Title of the patch
Security update for exim
Description of the patch
This update for exim fixes the following issues:
Exim was updated to exim-4.94.2
security update (boo#1185631)
* CVE-2020-28007: Link attack in Exim's log directory
* CVE-2020-28008: Assorted attacks in Exim's spool directory
* CVE-2020-28014: Arbitrary PID file creation
* CVE-2020-28011: Heap buffer overflow in queue_run()
* CVE-2020-28010: Heap out-of-bounds write in main()
* CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
* CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
* CVE-2020-28015: New-line injection into spool header file (local)
* CVE-2020-28012: Missing close-on-exec flag for privileged pipe
* CVE-2020-28009: Integer overflow in get_stdinput()
* CVE-2020-28017: Integer overflow in receive_add_recipient()
* CVE-2020-28020: Integer overflow in receive_msg()
* CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
* CVE-2020-28021: New-line injection into spool header file (remote)
* CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
* CVE-2020-28026: Line truncation and injection in spool_read_header()
* CVE-2020-28019: Failure to reset function pointer after BDAT error
* CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
* CVE-2020-28018: Use-after-free in tls-openssl.c
* CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
update to exim-4.94.1
* Fix security issue in BDAT state confusion.
Ensure we reset known-good where we know we need to not be reading BDAT
data, as a general case fix, and move the places where we switch to BDAT
mode until after various protocol state checks.
Fixes CVE-2020-BDATA reported by Qualys.
* Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)
* Fix security issue with too many recipients on a message (to remove a
known security problem if someone does set recipients_max to unlimited,
or if local additions add to the recipient list).
Fixes CVE-2020-RCPTL reported by Qualys.
* Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()
* Fix security issue CVE-2020-PFPSN and guard against cmdline invoker
providing a particularly obnoxious sender full name.
* Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX
better.
- bring back missing exim_db.8 manual page (fixes boo#1173693)
- bring in changes from current +fixes (lots of taint check fixes)
* Bug 1329: Fix format of Maildir-format filenames to match other mail-
related applications. Previously an 'H' was used where available info
says that 'M' should be, so change to match.
* Bug 2587: Fix pam expansion condition. Tainted values are commonly used
as arguments, so an implementation trying to copy these into a local
buffer was taking a taint-enforcement trap. Fix by using dynamically
created buffers.
* Bug 2586: Fix listcount expansion operator. Using tainted arguments is
reasonable, eg. to count headers. Fix by using dynamically created
buffers rather than a local. Do similar fixes for ACL actions 'dcc',
'log_reject_target', 'malware' and 'spam'; the arguments are expanded
so could be handling tainted values.
* Bug 2590: Fix -bi (newaliases). A previous code rearrangement had
broken the (no-op) support for this sendmail command. Restore it
to doing nothing, silently, and returning good status.
- update to exim 4.94
* some transports now refuse to use tainted data in constructing their delivery
location
this WILL BREAK configurations which are not updated accordingly.
In particular: any Transport use of $local_user which has been relying upon
check_local_user far away in the Router to make it safe, should be updated to
replace $local_user with $local_part_data.
* Attempting to remove, in router or transport, a header name that ends with
an asterisk (which is a standards-legal name) will now result in all headers
named starting with the string before the asterisk being removed.
- switch pretrans to use lua
(fixes boo#1171877)
- bring changes from current in +fixes branch
(patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)
* fixes CVE-2020-12783 (boo#1171490)
* Regard command-line recipients as tainted.
* Bug 2489: Fix crash in the 'pam' expansion condition.
* Use tainted buffers for the transport smtp context.
* Bug 2493: Harden ARC verify against Outlook, which has been seen to mix
the ordering of its ARC headers. This caused a crash.
* Bug 2492: Use tainted memory for retry record when needed. Previously when
a new record was being constructed with information from the peer, a trap
was taken.
* Bug 2494: Unset the default for dmarc_tld_file.
* Fix an uninitialised flag in early-pipelining. Previously connections
could, depending on the platform, hang at the STARTTLS response.
* Bug 2498: Reset a counter used for ARC verify before handling another
message on a connection. Previously if one message had ARC headers and
the following one did not, a crash could result when adding an
Authentication-Results: header.
* Bug 2500: Rewind some of the common-coding in string handling between the
Exim main code and Exim-related utities.
* Fix the variables set by the gsasl authenticator.
* Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,
only retrieve the errormessage once.
* Bug 2501: Fix init call in the heimdal authenticator. Previously it
adjusted the size of a major service buffer; this failed because the
buffer was in use at the time. Change to a compile-time increase in the
buffer size, when this authenticator is compiled into exim.
- update to exim 4.93.0.4 (+fixes release)
* Avoid costly startup code when not strictly needed. This reduces time
for some exim process initialisations. It does mean that the logging
of TLS configuration problems is only done for the daemon startup.
* Early-pipelining support code is now included unless disabled in Makefile.
* DKIM verification defaults no long accept sha1 hashes, to conform to
RFC 8301. They can still be enabled, using the dkim_verify_hashes main
option.
* Support CHUNKING from an smtp transport using a transport_filter, when
DKIM signing is being done. Previously a transport_filter would always
disable CHUNKING, falling back to traditional DATA.
* Regard command-line receipients as tainted.
* Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.
* Bug 2489: Fix crash in the 'pam' expansion condition. It seems that the
PAM library frees one of the arguments given to it, despite the
documentation. Therefore a plain malloc must be used.
* Bug 2491: Use tainted buffers for the transport smtp context. Previously
on-stack buffers were used, resulting in a taint trap when DSN information
copied from a received message was written into the buffer.
* Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix
the ordering of its ARC headers. This caused a crash.
* Bug 2492: Use tainted memory for retry record when needed. Previously when
a new record was being constructed with information from the peer, a trap
was taken.
* Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive
installation would get error messages from DMARC verify, when it hit the
nonexistent file indicated by the default. Distros wanting DMARC enabled
should both provide the file and set the option.
Also enforce no DMARC verification for command-line sourced messages.
* Fix an uninitialised flag in early-pipelining. Previously connections
could, depending on the platform, hang at the STARTTLS response.
* Bug 2498: Reset a counter used for ARC verify before handling another
message on a connection. Previously if one message had ARC headers and
the following one did not, a crash could result when adding an
Authentication-Results: header.
* Bug 2500: Rewind some of the common-coding in string handling between the
Exim main code and Exim-related utities. The introduction of taint
tracking also did many adjustments to string handling. Since then, eximon
frequently terminated with an assert failure.
* When PIPELINING, synch after every hundred or so RCPT commands sent and
check for 452 responses. This slightly helps the inefficieny of doing
a large alias-expansion into a recipient-limited target. The max_rcpt
transport option still applies (and at the current default, will override
the new feature). The check is done for either cause of synch, and forces
a fast-retry of all 452'd recipients using a new MAIL FROM on the same
connection. The new facility is not tunable at this time.
* Fix the variables set by the gsasl authenticator. Previously a pointer to
library live data was being used, so the results became garbage. Make
copies while it is still usable.
* Logging: when the deliver_time selector ise set, include the DT= field
on delivery deferred (==) and failed (**) lines (if a delivery was
attemtped). Previously it was only on completion (=>) lines.
* Authentication: the gsasl driver not provides the $authN variables in time
for the expansion of the server_scram_iter and server_scram_salt options.
spec file cleanup to make update work
- add docdir to spec
- update to exim 4.93
* SUPPORT_DMARC replaces EXPERIMENTAL_DMARC
* DISABLE_TLS replaces SUPPORT_TLS
* Bump the version for the local_scan API.
* smtp transport option hosts_try_fastopen defaults to '*'.
* DNSSec is requested (not required) for all queries. (This seemes to
ask for trouble if your resolver is a systemd-resolved.)
* Generic router option retry_use_local_part defaults to 'true' under specific
pre-conditions.
* Introduce a tainting mechanism for values read from untrusted sources.
* Use longer file names for temporary spool files (this avoids
name conflicts with spool on a shared file system).
* Use dsn_from main config option (was ignored previously).
- update to exim 4.92.3
* CVE-2019-16928: fix against Heap-based buffer overflow in string_vformat,
remote code execution seems to be possible
- update to exim 4.92.2
* CVE-2019-15846: fix against remote attackers executing arbitrary code as
root via a trailing backslash
- update to exim 4.92.1
* CVE-2019-13917: Fixed an issue with ${sort} expansion which could
allow remote attackers to execute other programs with root privileges
(boo#1142207)
- spec file cleanup
* fix DANE inclusion guard condition
* re-enable i18n and remove misleading comment
* EXPERIMENTAL_SPF is now SUPPORT_SPF
* DANE is now SUPPORT_DANE
- update to exim 4.92
* ${l_header:<name>} expansion
* ${readsocket} now supports TLS
* 'utf8_downconvert' option (if built with SUPPORT_I18N)
* 'pipelining' log_selector
* JSON variants for ${extract } expansion
* 'noutf8' debug option
* TCP Fast Open support on MacOS
* CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)
- add workaround patch for compile time error on missing printf
format annotation (gnu_printf.patch)
- update to 4.91
* DEFER rather than ERROR on redis cluster MOVED response.
* Catch and remove uninitialized value warning in exiqsumm
* Disallow '/' characters in queue names specified for the 'queue=' ACL
modifier. This matches the restriction on the commandline.
* Fix pgsql lookup for multiple result-tuples with a single column.
Previously only the last row was returned.
* Bug 2217: Tighten up the parsing of DKIM signature headers.
* Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.
* Fix issue with continued-connections when the DNS shifts unreliably.
* Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.
* The 'support for' informational output now, which built with Content
Scanning support, has a line for the malware scanner interfaces compiled
in. Interface can be individually included or not at build time.
* The 'aveserver', 'kavdaemon' and 'mksd' interfaces are now not included
by the template makefile 'src/EDITME'. The 'STREAM' support for an older
ClamAV interface method is removed.
* Bug 2223: Fix mysql lookup returns for the no-data case (when the number of
rows affected is given instead).
* The runtime Berkeley DB library version is now additionally output by
'exim -d -bV'. Previously only the compile-time version was shown.
* Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating
SMTP connection.
* Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by
routers.
* Bug 2174: A timeout on connect for a callout was also erroneously seen as
a timeout on read on a GnuTLS initiating connection, resulting in the
initiating connection being dropped.
* Relax results from ACL control request to enable cutthrough, in
unsupported situations, from error to silently (except under debug)
ignoring.
* Fix Buffer overflow in base64d() (CVE-2018-6789)
* Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
metadata, resulting in a crash in free().
* Fix broken Heimdal GSSAPI authenticator integration.
* Bug 2113: Fix conversation closedown with the Avast malware scanner.
* Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail ACL.
* Speed up macro lookups during configuration file read, by skipping non-
macro text after a replacement (previously it was only once per line) and
by skipping builtin macros when searching for an uppercase lead character.
* DANE support moved from Experimental to mainline. The Makefile control
for the build is renamed.
* Fix memory leak during multi-message connections using STARTTLS.
* Bug 2236: When a DKIM verification result is overridden by ACL, DMARC
reported the original. Fix to report (as far as possible) the ACL
result replacing the original.
* Fix memory leak during multi-message connections using STARTTLS under
OpenSSL
* Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.
* Fix utf8_downconvert propagation through a redirect router.
* Bug 2253: For logging delivery lines under PRDR, append the overall
DATA response info to the (existing) per-recipient response info for
the 'C=' log element.
* Bug 2251: Fix ldap lookups that return a single attribute having zero-
length value.
* Support Avast multiline protocol, this allows passing flags to
newer versions of the scanner.
* Ensure that variables possibly set during message acceptance are marked
dead before release of memory in the daemon loop.
* Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such
as a multi-recipient message from a mailinglist manager).
* The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being
replaced by the ${authresults } expansion.
* Bug 2257: Fix pipe transport to not use a socket-only syscall.
* Set a handler for SIGTERM and call exit(3) if running as PID 1. This
allows proper process termination in container environments.
* Bug 2258: Fix spool_wireformat in combination with LMTP transport.
Previously the 'final dot' had a newline after it; ensure it is CR,LF.
* SPF: remove support for the 'spf' ACL condition outcome values 'err_temp'
and 'err_perm', deprecated since 4.83 when the RFC-defined words
' temperror' and 'permerror' were introduced.
* Re-introduce enforcement of no cutthrough delivery on transports having
transport-filters or DKIM-signing.
* Cutthrough: for a final-dot response timeout (and nonunderstood responses)
in defer=pass mode supply a 450 to the initiator. Previously the message
would be spooled.
* DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,
tls_require_ciphers is used as before.
* Malware Avast: Better match the Avast multiline protocol.
* Fix reinitialisation of DKIM logging variable between messages.
* Bug 2255: Revert the disable of the OpenSSL session caching.
* Add util/renew-opendmarc-tlds.sh script for safe renewal of public
suffix list.
* DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,
since the IETF WG has not yet settled on that versus the original
'bare' representation.
* Fix syslog logging for syslog_timestamp=no and log_selector +millisec.
Previously the millisecond value corrupted the output.
Fix also for syslog_pid=no and log_selector +pid, for which the pid
corrupted the output.
- Replace xorg-x11-devel by individual pkgconfig() buildrequires.
- update to 4.90.1
* Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly
during configuration. Wildcards are allowed and expanded.
* Shorten the log line for daemon startup by collapsing adjacent sets of
identical IP addresses on different listening ports. Will also affect
'exiwhat' output.
* Tighten up the checking in isip4 (et al): dotted-quad components larger
than 255 are no longer allowed.
* Default openssl_options to include +no_ticket, to reduce load on peers.
Disable the session-cache too, which might reduce our load. Since we
currrectly use a new context for every connection, both as server and
client, there is no benefit for these.
* Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at
<https://reproducible-builds.org/specs/source-date-epoch/>.
* Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously
the check for any unsuccessful recipients did not notice the limit, and
erroneously found still-pending ones.
* Pipeline CHUNKING command and data together, on kernels that support
MSG_MORE. Only in-clear (not on TLS connections).
* Avoid using a temporary file during transport using dkim. Unless a
transport-filter is involved we can buffer the headers in memory for
creating the signature, and read the spool data file once for the
signature and again for transmission.
* Enable use of sendfile in Linux builds as default. It was disabled in
4.77 as the kernel support then wasn't solid, having issues in 64bit
mode. Now, it's been long enough. Add support for FreeBSD also.
* Add commandline_checks_require_admin option.
* Do pipelining under TLS.
* For the 'sock' variant of the malware scanner interface, accept an empty
cmdline element to get the documented default one. Previously it was
inaccessible.
* Prevent repeated use of -p/-oMr
* DKIM: enforce the DNS pubkey record 'h' permitted-hashes optional field,
if present.
* DKIM: when a message has multiple signatures matching an identity given
in dkim_verify_signers, run the dkim acl once for each.
* Support IDNA2008.
* The path option on a pipe transport is now expanded before use
* Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.
- Several bug fixes
- Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)
Patchnames
openSUSE-2021-677
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "critical", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for exim", title: "Title of the patch", }, { category: "description", text: "This update for exim fixes the following issues:\n\n\nExim was updated to exim-4.94.2\n\nsecurity update (boo#1185631)\n\n * CVE-2020-28007: Link attack in Exim's log directory\n * CVE-2020-28008: Assorted attacks in Exim's spool directory\n * CVE-2020-28014: Arbitrary PID file creation\n * CVE-2020-28011: Heap buffer overflow in queue_run()\n * CVE-2020-28010: Heap out-of-bounds write in main()\n * CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n * CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n * CVE-2020-28015: New-line injection into spool header file (local)\n * CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n * CVE-2020-28009: Integer overflow in get_stdinput()\n * CVE-2020-28017: Integer overflow in receive_add_recipient()\n * CVE-2020-28020: Integer overflow in receive_msg()\n * CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n * CVE-2020-28021: New-line injection into spool header file (remote)\n * CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n * CVE-2020-28026: Line truncation and injection in spool_read_header()\n * CVE-2020-28019: Failure to reset function pointer after BDAT error\n * CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n * CVE-2020-28018: Use-after-free in tls-openssl.c\n * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\nupdate to exim-4.94.1\n\n * Fix security issue in BDAT state confusion.\n Ensure we reset known-good where we know we need to not be reading BDAT\n data, as a general case fix, and move the places where we switch to BDAT\n mode until after various protocol state checks.\n Fixes CVE-2020-BDATA reported by Qualys.\n * Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)\n * Fix security issue with too many recipients on a message (to remove a\n known security problem if someone does set recipients_max to unlimited,\n or if local additions add to the recipient list).\n Fixes CVE-2020-RCPTL reported by Qualys.\n * Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()\n * Fix security issue CVE-2020-PFPSN and guard against cmdline invoker\n providing a particularly obnoxious sender full name.\n * Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX\n better.\n\n- bring back missing exim_db.8 manual page (fixes boo#1173693)\n\n- bring in changes from current +fixes (lots of taint check fixes)\n * Bug 1329: Fix format of Maildir-format filenames to match other mail-\n related applications. Previously an 'H' was used where available info\n says that 'M' should be, so change to match.\n * Bug 2587: Fix pam expansion condition. Tainted values are commonly used\n as arguments, so an implementation trying to copy these into a local\n buffer was taking a taint-enforcement trap. Fix by using dynamically\n created buffers.\n * Bug 2586: Fix listcount expansion operator. Using tainted arguments is\n reasonable, eg. to count headers. Fix by using dynamically created\n buffers rather than a local. Do similar fixes for ACL actions 'dcc',\n 'log_reject_target', 'malware' and 'spam'; the arguments are expanded\n so could be handling tainted values.\n * Bug 2590: Fix -bi (newaliases). A previous code rearrangement had\n broken the (no-op) support for this sendmail command. Restore it\n to doing nothing, silently, and returning good status.\n\n- update to exim 4.94\n * some transports now refuse to use tainted data in constructing their delivery\n location\n this WILL BREAK configurations which are not updated accordingly.\n In particular: any Transport use of $local_user which has been relying upon\n check_local_user far away in the Router to make it safe, should be updated to\n replace $local_user with $local_part_data.\n * Attempting to remove, in router or transport, a header name that ends with\n an asterisk (which is a standards-legal name) will now result in all headers\n named starting with the string before the asterisk being removed.\n\n- switch pretrans to use lua\n (fixes boo#1171877)\n \n\n- bring changes from current in +fixes branch\n (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)\n * fixes CVE-2020-12783 (boo#1171490)\n * Regard command-line recipients as tainted.\n * Bug 2489: Fix crash in the 'pam' expansion condition.\n * Use tainted buffers for the transport smtp context.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to mix\n the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously when\n a new record was being constructed with information from the peer, a trap\n was taken.\n * Bug 2494: Unset the default for dmarc_tld_file.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers and\n the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between the\n Exim main code and Exim-related utities.\n * Fix the variables set by the gsasl authenticator.\n * Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,\n only retrieve the errormessage once.\n * Bug 2501: Fix init call in the heimdal authenticator. Previously it\n adjusted the size of a major service buffer; this failed because the\n buffer was in use at the time. Change to a compile-time increase in the\n buffer size, when this authenticator is compiled into exim.\n\n- update to exim 4.93.0.4 (+fixes release)\n * Avoid costly startup code when not strictly needed. This reduces time\n for some exim process initialisations. It does mean that the logging\n of TLS configuration problems is only done for the daemon startup.\n * Early-pipelining support code is now included unless disabled in Makefile.\n * DKIM verification defaults no long accept sha1 hashes, to conform to\n RFC 8301. They can still be enabled, using the dkim_verify_hashes main\n option.\n * Support CHUNKING from an smtp transport using a transport_filter, when\n DKIM signing is being done. Previously a transport_filter would always\n disable CHUNKING, falling back to traditional DATA.\n * Regard command-line receipients as tainted.\n * Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.\n * Bug 2489: Fix crash in the 'pam' expansion condition. It seems that the\n PAM library frees one of the arguments given to it, despite the\n documentation. Therefore a plain malloc must be used.\n * Bug 2491: Use tainted buffers for the transport smtp context. Previously\n on-stack buffers were used, resulting in a taint trap when DSN information\n copied from a received message was written into the buffer.\n * Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix\n the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously when\n a new record was being constructed with information from the peer, a trap\n was taken.\n * Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive\n installation would get error messages from DMARC verify, when it hit the\n nonexistent file indicated by the default. Distros wanting DMARC enabled\n should both provide the file and set the option.\n Also enforce no DMARC verification for command-line sourced messages.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers and\n the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between the\n Exim main code and Exim-related utities. The introduction of taint\n tracking also did many adjustments to string handling. Since then, eximon\n frequently terminated with an assert failure.\n * When PIPELINING, synch after every hundred or so RCPT commands sent and\n check for 452 responses. This slightly helps the inefficieny of doing\n a large alias-expansion into a recipient-limited target. The max_rcpt\n transport option still applies (and at the current default, will override\n the new feature). The check is done for either cause of synch, and forces\n a fast-retry of all 452'd recipients using a new MAIL FROM on the same\n connection. The new facility is not tunable at this time.\n * Fix the variables set by the gsasl authenticator. Previously a pointer to\n library live data was being used, so the results became garbage. Make\n copies while it is still usable.\n * Logging: when the deliver_time selector ise set, include the DT= field\n on delivery deferred (==) and failed (**) lines (if a delivery was\n attemtped). Previously it was only on completion (=>) lines.\n * Authentication: the gsasl driver not provides the $authN variables in time\n for the expansion of the server_scram_iter and server_scram_salt options.\n\nspec file cleanup to make update work\n- add docdir to spec\n\n- update to exim 4.93\n * SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n * DISABLE_TLS replaces SUPPORT_TLS\n * Bump the version for the local_scan API.\n * smtp transport option hosts_try_fastopen defaults to '*'.\n * DNSSec is requested (not required) for all queries. (This seemes to\n ask for trouble if your resolver is a systemd-resolved.)\n * Generic router option retry_use_local_part defaults to 'true' under specific\n pre-conditions.\n * Introduce a tainting mechanism for values read from untrusted sources.\n * Use longer file names for temporary spool files (this avoids\n name conflicts with spool on a shared file system).\n * Use dsn_from main config option (was ignored previously).\n\n- update to exim 4.92.3\n * CVE-2019-16928: fix against Heap-based buffer overflow in string_vformat,\n remote code execution seems to be possible\n\n- update to exim 4.92.2\n * CVE-2019-15846: fix against remote attackers executing arbitrary code as\n root via a trailing backslash\n\n- update to exim 4.92.1\n * CVE-2019-13917: Fixed an issue with ${sort} expansion which could \n allow remote attackers to execute other programs with root privileges \n (boo#1142207)\n\n- spec file cleanup\n * fix DANE inclusion guard condition\n * re-enable i18n and remove misleading comment\n * EXPERIMENTAL_SPF is now SUPPORT_SPF\n * DANE is now SUPPORT_DANE\n\n- update to exim 4.92\n * ${l_header:<name>} expansion\n * ${readsocket} now supports TLS\n * 'utf8_downconvert' option (if built with SUPPORT_I18N)\n * 'pipelining' log_selector\n * JSON variants for ${extract } expansion\n * 'noutf8' debug option\n * TCP Fast Open support on MacOS\n * CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)\n- add workaround patch for compile time error on missing printf\n format annotation (gnu_printf.patch)\n\n- update to 4.91\n * DEFER rather than ERROR on redis cluster MOVED response.\n * Catch and remove uninitialized value warning in exiqsumm\n * Disallow '/' characters in queue names specified for the 'queue=' ACL\n modifier. This matches the restriction on the commandline.\n * Fix pgsql lookup for multiple result-tuples with a single column.\n Previously only the last row was returned.\n * Bug 2217: Tighten up the parsing of DKIM signature headers.\n * Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.\n * Fix issue with continued-connections when the DNS shifts unreliably.\n * Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.\n * The 'support for' informational output now, which built with Content\n Scanning support, has a line for the malware scanner interfaces compiled\n in. Interface can be individually included or not at build time.\n * The 'aveserver', 'kavdaemon' and 'mksd' interfaces are now not included\n by the template makefile 'src/EDITME'. The 'STREAM' support for an older\n ClamAV interface method is removed.\n * Bug 2223: Fix mysql lookup returns for the no-data case (when the number of\n rows affected is given instead).\n * The runtime Berkeley DB library version is now additionally output by\n 'exim -d -bV'. Previously only the compile-time version was shown.\n * Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating\n SMTP connection.\n * Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by\n routers.\n * Bug 2174: A timeout on connect for a callout was also erroneously seen as\n a timeout on read on a GnuTLS initiating connection, resulting in the\n initiating connection being dropped.\n * Relax results from ACL control request to enable cutthrough, in\n unsupported situations, from error to silently (except under debug)\n ignoring.\n * Fix Buffer overflow in base64d() (CVE-2018-6789)\n * Fix bug in DKIM verify: a buffer overflow could corrupt the malloc\n metadata, resulting in a crash in free().\n * Fix broken Heimdal GSSAPI authenticator integration.\n * Bug 2113: Fix conversation closedown with the Avast malware scanner.\n * Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail ACL.\n * Speed up macro lookups during configuration file read, by skipping non-\n macro text after a replacement (previously it was only once per line) and\n by skipping builtin macros when searching for an uppercase lead character.\n * DANE support moved from Experimental to mainline. The Makefile control\n for the build is renamed.\n * Fix memory leak during multi-message connections using STARTTLS.\n * Bug 2236: When a DKIM verification result is overridden by ACL, DMARC\n reported the original. Fix to report (as far as possible) the ACL\n result replacing the original.\n * Fix memory leak during multi-message connections using STARTTLS under\n OpenSSL\n * Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.\n * Fix utf8_downconvert propagation through a redirect router.\n * Bug 2253: For logging delivery lines under PRDR, append the overall\n DATA response info to the (existing) per-recipient response info for\n the 'C=' log element.\n * Bug 2251: Fix ldap lookups that return a single attribute having zero-\n length value.\n * Support Avast multiline protocol, this allows passing flags to\n newer versions of the scanner.\n * Ensure that variables possibly set during message acceptance are marked\n dead before release of memory in the daemon loop.\n * Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such\n as a multi-recipient message from a mailinglist manager).\n * The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being\n replaced by the ${authresults } expansion.\n * Bug 2257: Fix pipe transport to not use a socket-only syscall.\n * Set a handler for SIGTERM and call exit(3) if running as PID 1. This\n allows proper process termination in container environments.\n * Bug 2258: Fix spool_wireformat in combination with LMTP transport.\n Previously the 'final dot' had a newline after it; ensure it is CR,LF.\n * SPF: remove support for the 'spf' ACL condition outcome values 'err_temp'\n and 'err_perm', deprecated since 4.83 when the RFC-defined words\n ' temperror' and 'permerror' were introduced.\n * Re-introduce enforcement of no cutthrough delivery on transports having\n transport-filters or DKIM-signing.\n * Cutthrough: for a final-dot response timeout (and nonunderstood responses)\n in defer=pass mode supply a 450 to the initiator. Previously the message\n would be spooled.\n * DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,\n tls_require_ciphers is used as before.\n * Malware Avast: Better match the Avast multiline protocol.\n * Fix reinitialisation of DKIM logging variable between messages.\n * Bug 2255: Revert the disable of the OpenSSL session caching.\n * Add util/renew-opendmarc-tlds.sh script for safe renewal of public\n suffix list.\n * DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,\n since the IETF WG has not yet settled on that versus the original\n 'bare' representation.\n * Fix syslog logging for syslog_timestamp=no and log_selector +millisec.\n Previously the millisecond value corrupted the output.\n Fix also for syslog_pid=no and log_selector +pid, for which the pid\n corrupted the output.\n- Replace xorg-x11-devel by individual pkgconfig() buildrequires. \n- update to 4.90.1\n * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly\n during configuration. Wildcards are allowed and expanded.\n * Shorten the log line for daemon startup by collapsing adjacent sets of\n identical IP addresses on different listening ports. Will also affect\n 'exiwhat' output.\n * Tighten up the checking in isip4 (et al): dotted-quad components larger\n than 255 are no longer allowed.\n * Default openssl_options to include +no_ticket, to reduce load on peers.\n Disable the session-cache too, which might reduce our load. Since we\n currrectly use a new context for every connection, both as server and\n client, there is no benefit for these.\n * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at\n <https://reproducible-builds.org/specs/source-date-epoch/>.\n * Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously\n the check for any unsuccessful recipients did not notice the limit, and\n erroneously found still-pending ones.\n * Pipeline CHUNKING command and data together, on kernels that support\n MSG_MORE. Only in-clear (not on TLS connections).\n * Avoid using a temporary file during transport using dkim. Unless a\n transport-filter is involved we can buffer the headers in memory for\n creating the signature, and read the spool data file once for the\n signature and again for transmission.\n * Enable use of sendfile in Linux builds as default. It was disabled in\n 4.77 as the kernel support then wasn't solid, having issues in 64bit\n mode. Now, it's been long enough. Add support for FreeBSD also.\n * Add commandline_checks_require_admin option.\n * Do pipelining under TLS.\n * For the 'sock' variant of the malware scanner interface, accept an empty\n cmdline element to get the documented default one. Previously it was\n inaccessible.\n * Prevent repeated use of -p/-oMr\n * DKIM: enforce the DNS pubkey record 'h' permitted-hashes optional field,\n if present.\n * DKIM: when a message has multiple signatures matching an identity given\n in dkim_verify_signers, run the dkim acl once for each.\n * Support IDNA2008.\n * The path option on a pipe transport is now expanded before use\n * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.\n- Several bug fixes\n- Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)\n ", title: "Description of the patch", }, { category: "details", text: "openSUSE-2021-677", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0677-1.json", }, { category: "self", summary: "URL for openSUSE-SU-2021:0677-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4UGIR4NXSH3ADTQNJZHHL5EVSFNXRGTQ/", }, { category: "self", summary: "E-Mail link for openSUSE-SU-2021:0677-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4UGIR4NXSH3ADTQNJZHHL5EVSFNXRGTQ/", }, { category: "self", summary: "SUSE Bug 1079832", url: "https://bugzilla.suse.com/1079832", }, { category: "self", summary: "SUSE Bug 1171490", url: "https://bugzilla.suse.com/1171490", }, { category: "self", summary: "SUSE Bug 1171877", url: "https://bugzilla.suse.com/1171877", }, { category: "self", summary: "SUSE Bug 1173693", url: "https://bugzilla.suse.com/1173693", }, { category: "self", summary: "SUSE Bug 1185631", url: "https://bugzilla.suse.com/1185631", }, { category: "self", summary: "SUSE CVE CVE-2017-1000369 page", url: "https://www.suse.com/security/cve/CVE-2017-1000369/", }, { category: "self", summary: "SUSE CVE CVE-2017-16943 page", url: "https://www.suse.com/security/cve/CVE-2017-16943/", }, { category: "self", summary: "SUSE CVE CVE-2017-16944 page", url: "https://www.suse.com/security/cve/CVE-2017-16944/", }, { category: "self", summary: "SUSE CVE CVE-2018-6789 page", url: "https://www.suse.com/security/cve/CVE-2018-6789/", }, { category: "self", summary: "SUSE CVE CVE-2019-16928 page", url: "https://www.suse.com/security/cve/CVE-2019-16928/", }, { category: "self", summary: "SUSE CVE CVE-2020-12783 page", url: "https://www.suse.com/security/cve/CVE-2020-12783/", }, { category: "self", summary: "SUSE CVE CVE-2020-28007 page", url: "https://www.suse.com/security/cve/CVE-2020-28007/", }, { category: "self", summary: "SUSE CVE CVE-2020-28008 page", url: "https://www.suse.com/security/cve/CVE-2020-28008/", }, { category: "self", summary: "SUSE CVE CVE-2020-28009 page", url: "https://www.suse.com/security/cve/CVE-2020-28009/", }, { category: "self", summary: "SUSE CVE CVE-2020-28010 page", url: "https://www.suse.com/security/cve/CVE-2020-28010/", }, { category: "self", summary: "SUSE CVE CVE-2020-28011 page", url: "https://www.suse.com/security/cve/CVE-2020-28011/", }, { category: "self", summary: "SUSE CVE CVE-2020-28012 page", url: "https://www.suse.com/security/cve/CVE-2020-28012/", }, { category: "self", summary: "SUSE CVE CVE-2020-28013 page", url: "https://www.suse.com/security/cve/CVE-2020-28013/", }, { category: "self", summary: "SUSE CVE CVE-2020-28014 page", url: "https://www.suse.com/security/cve/CVE-2020-28014/", }, { category: "self", summary: "SUSE CVE CVE-2020-28015 page", url: "https://www.suse.com/security/cve/CVE-2020-28015/", }, { category: "self", summary: "SUSE CVE CVE-2020-28016 page", url: "https://www.suse.com/security/cve/CVE-2020-28016/", }, { category: "self", summary: "SUSE CVE CVE-2020-28017 page", url: "https://www.suse.com/security/cve/CVE-2020-28017/", }, { category: "self", summary: "SUSE CVE CVE-2020-28018 page", url: "https://www.suse.com/security/cve/CVE-2020-28018/", }, { category: "self", summary: "SUSE CVE CVE-2020-28019 page", url: "https://www.suse.com/security/cve/CVE-2020-28019/", }, { category: "self", summary: "SUSE CVE CVE-2020-28020 page", url: "https://www.suse.com/security/cve/CVE-2020-28020/", }, { category: "self", summary: "SUSE CVE CVE-2020-28021 page", url: "https://www.suse.com/security/cve/CVE-2020-28021/", }, { category: "self", summary: "SUSE CVE CVE-2020-28022 page", url: "https://www.suse.com/security/cve/CVE-2020-28022/", }, { category: "self", summary: "SUSE CVE CVE-2020-28023 page", url: "https://www.suse.com/security/cve/CVE-2020-28023/", }, { category: "self", summary: "SUSE CVE CVE-2020-28024 page", url: "https://www.suse.com/security/cve/CVE-2020-28024/", }, { category: "self", summary: "SUSE CVE CVE-2020-28025 page", url: "https://www.suse.com/security/cve/CVE-2020-28025/", }, { category: "self", summary: "SUSE CVE CVE-2020-28026 page", url: "https://www.suse.com/security/cve/CVE-2020-28026/", }, ], title: "Security update for exim", tracking: { current_release_date: "2021-05-07T09:03:52Z", generator: { date: "2021-05-07T09:03:52Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2021:0677-1", initial_release_date: "2021-05-07T09:03:52Z", revision_history: [ { date: "2021-05-07T09:03:52Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "exim-4.94.2-lp152.8.3.1.x86_64", product: { name: "exim-4.94.2-lp152.8.3.1.x86_64", product_id: "exim-4.94.2-lp152.8.3.1.x86_64", }, }, { category: "product_version", name: "eximon-4.94.2-lp152.8.3.1.x86_64", product: { name: "eximon-4.94.2-lp152.8.3.1.x86_64", product_id: "eximon-4.94.2-lp152.8.3.1.x86_64", }, }, { category: "product_version", name: "eximstats-html-4.94.2-lp152.8.3.1.x86_64", product: { name: "eximstats-html-4.94.2-lp152.8.3.1.x86_64", product_id: "eximstats-html-4.94.2-lp152.8.3.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Leap 15.2", product: { name: "openSUSE Leap 15.2", product_id: "openSUSE Leap 15.2", product_identification_helper: { cpe: "cpe:/o:opensuse:leap:15.2", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "exim-4.94.2-lp152.8.3.1.x86_64 as component of openSUSE Leap 15.2", product_id: "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", }, product_reference: "exim-4.94.2-lp152.8.3.1.x86_64", relates_to_product_reference: "openSUSE Leap 15.2", }, { category: "default_component_of", full_product_name: { name: "eximon-4.94.2-lp152.8.3.1.x86_64 as component of openSUSE Leap 15.2", product_id: "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", }, product_reference: "eximon-4.94.2-lp152.8.3.1.x86_64", relates_to_product_reference: "openSUSE Leap 15.2", }, { category: "default_component_of", full_product_name: { name: "eximstats-html-4.94.2-lp152.8.3.1.x86_64 as component of openSUSE Leap 15.2", product_id: "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", }, product_reference: "eximstats-html-4.94.2-lp152.8.3.1.x86_64", relates_to_product_reference: "openSUSE Leap 15.2", }, ], }, vulnerabilities: [ { cve: "CVE-2017-1000369", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-1000369", }, ], notes: [ { category: "general", text: "Exim supports the use of multiple \"-p\" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-1000369", url: "https://www.suse.com/security/cve/CVE-2017-1000369", }, { category: "external", summary: "SUSE Bug 1037551 for CVE-2017-1000369", url: "https://bugzilla.suse.com/1037551", }, { category: "external", summary: "SUSE Bug 1044692 for CVE-2017-1000369", url: "https://bugzilla.suse.com/1044692", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "low", }, ], title: "CVE-2017-1000369", }, { cve: "CVE-2017-16943", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-16943", }, ], notes: [ { category: "general", text: "The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-16943", url: "https://www.suse.com/security/cve/CVE-2017-16943", }, { category: "external", summary: "SUSE Bug 1069857 for CVE-2017-16943", url: "https://bugzilla.suse.com/1069857", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2017-16943", }, { cve: "CVE-2017-16944", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-16944", }, ], notes: [ { category: "general", text: "The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-16944", url: "https://www.suse.com/security/cve/CVE-2017-16944", }, { category: "external", summary: "SUSE Bug 1069859 for CVE-2017-16944", url: "https://bugzilla.suse.com/1069859", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "important", }, ], title: "CVE-2017-16944", }, { cve: "CVE-2018-6789", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-6789", }, ], notes: [ { category: "general", text: "An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-6789", url: "https://www.suse.com/security/cve/CVE-2018-6789", }, { category: "external", summary: "SUSE Bug 1079832 for CVE-2018-6789", url: "https://bugzilla.suse.com/1079832", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2018-6789", }, { cve: "CVE-2019-16928", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-16928", }, ], notes: [ { category: "general", text: "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-16928", url: "https://www.suse.com/security/cve/CVE-2019-16928", }, { category: "external", summary: "SUSE Bug 1152507 for CVE-2019-16928", url: "https://bugzilla.suse.com/1152507", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2019-16928", }, { cve: "CVE-2020-12783", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-12783", }, ], notes: [ { category: "general", text: "Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-12783", url: "https://www.suse.com/security/cve/CVE-2020-12783", }, { category: "external", summary: "SUSE Bug 1171490 for CVE-2020-12783", url: "https://bugzilla.suse.com/1171490", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "important", }, ], title: "CVE-2020-12783", }, { cve: "CVE-2020-28007", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28007", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28007", url: "https://www.suse.com/security/cve/CVE-2020-28007", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28007", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28007", }, { cve: "CVE-2020-28008", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28008", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to command execution.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28008", url: "https://www.suse.com/security/cve/CVE-2020-28008", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28008", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28008", }, { cve: "CVE-2020-28009", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28009", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be impractical because of the execution time needed to overflow (multiple days).", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28009", url: "https://www.suse.com/security/cve/CVE-2020-28009", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28009", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28009", }, { cve: "CVE-2020-28010", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28010", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer that is too small (on some common platforms).", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28010", url: "https://www.suse.com/security/cve/CVE-2020-28010", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28010", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28010", }, { cve: "CVE-2020-28011", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28011", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S. This may cause privilege escalation from exim to root.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28011", url: "https://www.suse.com/security/cve/CVE-2020-28011", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28011", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28011", }, { cve: "CVE-2020-28012", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28012", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28012", url: "https://www.suse.com/security/cve/CVE-2020-28012", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28012", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28012", }, { cve: "CVE-2020-28013", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28013", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles \"-F '.('\" on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the interpretation of negative sizes in strncpy.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28013", url: "https://www.suse.com/security/cve/CVE-2020-28013", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28013", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28013", }, { cve: "CVE-2020-28014", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28014", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28014", url: "https://www.suse.com/security/cve/CVE-2020-28014", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28014", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28014", }, { cve: "CVE-2020-28015", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28015", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users can alter the behavior of root processes because a recipient address can have a newline character.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28015", url: "https://www.suse.com/security/cve/CVE-2020-28015", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28015", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28015", }, { cve: "CVE-2020-28016", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28016", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because \"-F ''\" is mishandled by parse_fix_phrase.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28016", url: "https://www.suse.com/security/cve/CVE-2020-28016", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28016", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28016", }, { cve: "CVE-2020-28017", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28017", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28017", url: "https://www.suse.com/security/cve/CVE-2020-28017", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28017", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28017", }, { cve: "CVE-2020-28018", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28018", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28018", url: "https://www.suse.com/security/cve/CVE-2020-28018", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28018", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28018", }, { cve: "CVE-2020-28019", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28019", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a client uses BDAT instead of DATA.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28019", url: "https://www.suse.com/security/cve/CVE-2020-28019", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28019", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28019", }, { cve: "CVE-2020-28020", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28020", }, ], notes: [ { category: "general", text: "Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unauthenticated remote attacker can execute arbitrary code by leveraging the mishandling of continuation lines during header-length restriction.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28020", url: "https://www.suse.com/security/cve/CVE-2020-28020", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28020", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28020", }, { cve: "CVE-2020-28021", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28021", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code execution as root) via AUTH= in a MAIL FROM command.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28021", url: "https://www.suse.com/security/cve/CVE-2020-28021", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28021", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28021", }, { cve: "CVE-2020-28022", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28022", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer. This occurs when processing name=value pairs within MAIL FROM and RCPT TO commands.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28022", url: "https://www.suse.com/security/cve/CVE-2020-28022", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28022", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28022", }, { cve: "CVE-2020-28023", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28023", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Out-of-bounds Read. smtp_setup_msg may disclose sensitive information from process memory to an unauthenticated SMTP client.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28023", url: "https://www.suse.com/security/cve/CVE-2020-28023", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28023", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28023", }, { cve: "CVE-2020-28024", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28024", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Buffer Underwrite that may result in unauthenticated remote attackers executing arbitrary commands, because smtp_ungetc was only intended to push back characters, but can actually push back non-character error codes such as EOF.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28024", url: "https://www.suse.com/security/cve/CVE-2020-28024", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28024", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28024", }, { cve: "CVE-2020-28025", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28025", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to a leak of sensitive information from process memory.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28025", url: "https://www.suse.com/security/cve/CVE-2020-28025", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28025", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28025", }, { cve: "CVE-2020-28026", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-28026", }, ], notes: [ { category: "general", text: "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary commands as root.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-28026", url: "https://www.suse.com/security/cve/CVE-2020-28026", }, { category: "external", summary: "SUSE Bug 1185631 for CVE-2020-28026", url: "https://bugzilla.suse.com/1185631", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:exim-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximon-4.94.2-lp152.8.3.1.x86_64", "openSUSE Leap 15.2:eximstats-html-4.94.2-lp152.8.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-05-07T09:03:52Z", details: "critical", }, ], title: "CVE-2020-28026", }, ], }
fkie_cve-2019-16928
Vulnerability from fkie_nvd
Published
2019-09-27 21:15
Modified
2025-03-07 14:41
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| exim | exim | * | |
| canonical | ubuntu_linux | 19.04 | |
| debian | debian_linux | 10.0 | |
| fedoraproject | fedora | 29 | |
| fedoraproject | fedora | 30 | |
| fedoraproject | fedora | 31 |
{ cisaActionDue: "2022-03-17", cisaExploitAdd: "2022-03-03", cisaRequiredAction: "Apply updates per vendor instructions.", cisaVulnerabilityName: "Exim Out-of-bounds Write Vulnerability", configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*", matchCriteriaId: "A6833B54-69D3-428C-8D54-50FFDE6154D2", versionEndIncluding: "4.92.2", versionStartIncluding: "4.92", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", matchCriteriaId: "CD783B0C-9246-47D9-A937-6144FE8BFF0F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", matchCriteriaId: "D100F7CE-FC64-4CC6-852A-6136D72DA419", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", matchCriteriaId: "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", matchCriteriaId: "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.", }, { lang: "es", value: "Exim versiones 4.92 hasta 4.92.2, permite una ejecución de código remota, una vulnerabilidad diferente de CVE-2019-15846. Se presenta un desbordamiento del buffer basado en memoria dinámica (heap) en la función string_vformat en el archivo string.c que implica un comando EHLO largo.", }, ], id: "CVE-2019-16928", lastModified: "2025-03-07T14:41:33.507", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2019-09-27T21:15:10.017", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Mailing List", "Mitigation", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/1", }, { source: "cve@mitre.org", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/2", }, { source: "cve@mitre.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/3", }, { source: "cve@mitre.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/4", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Vendor Advisory", ], url: "https://bugs.exim.org/show_bug.cgi?id=2449", }, { source: "cve@mitre.org", tags: [ "Patch", ], url: "https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html", }, { source: "cve@mitre.org", tags: [ "Release Notes", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC/", }, { source: "cve@mitre.org", tags: [ "Release Notes", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC/", }, { source: "cve@mitre.org", tags: [ "Release Notes", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB/", }, { source: "cve@mitre.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://seclists.org/bugtraq/2019/Sep/60", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202003-47", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://usn.ubuntu.com/4141-1/", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2019/dsa-4536", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mailing List", "Mitigation", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/09/28/4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Vendor Advisory", ], url: "https://bugs.exim.org/show_bug.cgi?id=2449", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://seclists.org/bugtraq/2019/Sep/60", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202003-47", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://usn.ubuntu.com/4141-1/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2019/dsa-4536", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-787", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-787", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.