Summary
-------
Six 0day exploits were filed against Exim.

None of these issues is related to transport security (TLS) being
on or off.

* 3 of them are related to SPA/NTLM, and EXTERNAL auth. If you do not
  use SPA/NTLM, or EXTERNAL authentication, you're not affected.  These
  issues are fixed.

* One issue is related to data received from a proxy-protocol proxy. If
  you do not use a proxy in front of Exim, you're not affected. If your
  proxy is trustworthy, you're not affected. We're working on a fix.

* One is related to libspf2. If you do not use the `spf` lookup type or
  the `spf` ACL condition, you are not affected.

* The last one is related to DNS lookups. If you use a trustworthy
  resolver (which does validation of the data it receives), you're not
  affected. We're working on a fix.

Timeline
--------
- 2023-10-03 12:00 UTC 
  - The available fixes are published.
  - A security release exim-4.96.1 is published.
  - The major distributions follow.

More patches will follow (coordinated with the major distros) as soon as
they're available.

Distribution points:
--------------------
- git://git.exim.org
  branches:
  - spa-auth-fixes (based on the current master) [commit IDs: 7bb5bc2c6 0519dcfb5 e17b8b0f1 04107e98d]
  - exim-4.96+security (based on exim-4.96) [gpg signed]
  - exim-4.96.1+fixes (based on exim-4.96.1 with the fixes from exim-4.96+fixes) [gpg signed]
  tags:
  - exim-4.96.1 [gpg signed]

- tarballs for exim-4.96.1: https://ftp.exim.org/pub/exim/exim4/ [gpg signed]

GPG signatures are made by me (hs@schlittermann.de, or Jeremy Harris
jgh@wizmail.org).


More Details
------------

ZDI-23-1468 | ZDI-CAN-17433 | CVE-2023-42114 | Exim bug 3001
------------------------------------------------------------
Subject:    NTLM Challenge Out-Of-Bounds Read
CVSS Score: 3.7
Mitigation: Do not use SPA (NTLM) authentication
Subsystem:  SPA auth
Fixed:      04107e98d, 4.96.1, 4.97

ZDI-23-1469 | ZDI-CAN-17434 | CVE-2023-42115 | Exim bug 2999
------------------------------------------------------------
Subject:    AUTH Out-Of-Bounds Write
CVSS Score: 9.8
Mitigation: Do not offer EXTERNAL authentication.
Subsystem:  EXTERNAL auth
Fixed:      7bb5bc2c6, 4.96.1, 4.97

ZDI-23-1470 | ZDI-CAN-17515 | CVE-2023-42116 | Exim bug 3000
------------------------------------------------------------
Subject:    SMTP Challenge Stack-based Buffer Overflow
CVSS Score: 8.1
Mitigation: Do not use SPA (NTLM) authentication
Subsystem:  SPA auth
Fixed:      e17b8b0f1, 4.96.1, 4.97

ZDI-23-1471 | ZDI-CAN-17554 | CVE-2023-42117 | Exim Bug 3031
-------------------------------------------------------------
Subject:    Improper Neutralization of Special Elements
CVSS Score: 8.1
Mitigation: Do not use Exim behind an untrusted proxy-protocol proxy
Subsystem:  proxy protocol (not socks!)
Fix:        not yet

ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
------------------------------------------------------------
Subject:    libspf2 Integer Underflow
CVSS Score: 7.5
Mitigation: Do not use the `spf` condition in your ACL
Subsystem:  spf
Remark:     This CVE should be filed against libspf2.
            See: https://github.com/shevek/libspf2/issues/45

ZDI-23-1473 | ZDI-CAN-17643 | CVE-2023-42119 | Exim Bug 3033
------------------------------------------------------------
Subject:    dnsdb Out-Of-Bounds Read
CVSS Score: 3.1
Mitigation: Use a trustworthy DNS resolver which is able to
            validate the data according to the DNS record types.
Subsystem:  dns lookups
Fix:        not yet
Remark:     It is still under consideration.

