Hi,
in the course of the current CVEs regarding Exim there is claimed to be
an issue with libspf2. We (the Exim developers) are not sure if this
is something *we* can do on our side. We're not even sure about the
details; as of now we do not have any further information.
But, it *may* be related to this PR:
https://github.com/shevek/libspf2/pull/44/files
An individual, "simon", said so in the #Exim IRC channel on Libera.Chat.
Do you see any chance to check this? And, if necessary, to release a
security update too?
If it turns out to be an issue, what do you think: should we at least
notify oss-security about it, to help other distros fix it?
Abstract of the knowledge we have so far:
ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
------------------------------------------------------------
Subject:    libspf2 Integer Underflow
CVSS Score: 7.5
Mitigation: Do not use the `spf` condition in your ACL
Subsystem:  spf
Remark:     It is debatable if this should be filed against libspf2.
Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -