oss-sec mailing list archives

Re: CVE Request - Exim 4.69-4.87 - disclosure of private information


From: <cve-assign () mitre org>
Date: Fri, 16 Dec 2016 00:33:41 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Heiko Schlittermann              - Exim developer
https://bugs.exim.org/show_bug.cgi?id=1996
Versions:   4.69 -> 4.87
If several conditions are met, Exim leaks private information to
a remote attacker.

Our guess is that a vendor's disclosure of an impact, product
name, and affected versions means that this can be interpreted
as a public security issue.

Use CVE-2016-9963.

http://oss-security.openwall.org/wiki/mailing-lists/oss-security says
"List Content Guidelines ... Any security issues that you post to
oss-security should be either already public or to be made public by
your posting." It is uncommon to use oss-security as a CVE request
channel when the amount of public information is minimal. (For other
options, see the https://cveform.mitre.org and
https://cve.mitre.org/cve/data_sources_product_coverage.html pages.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]

