
EXIM RCE CVE-2019-16928

There is a heap-based buffer overflow in string_vformat (string.c). The currently known exploit uses an extraordinarily long EHLO string to crash the Exim process that is receiving the message.

This is already the third time this year that EXIM is vulnerable.

From my point of view, Sophos UTM and XG shouldn't be vulnerable, for the same reasons they have not been vulnerable to CVE-2019-15846.

Maybe somebody can confirm anyway?


