From security@xbow.com Fri May 01 17:29:41 2026
Return-Path: <federico.kirschbaum@xbow.com>
Received: from mx10.schlittermann.de (mx10.ius [192.168.80.10])
	 by pop (Cyrus 3.6.1-Debian-3.6.1-4+deb12u4) with LMTPA;
	 Fri, 01 May 2026 19:35:13 +0200
X-Cyrus-Session-Id: cyrus-1777656913-3903693-1-17743493290384033380
X-Sieve: CMU Sieve 3.0
Received: from hh.schlittermann.de ([213.128.132.49]:38506)
	by mx10.schlittermann.de with esmtps  (TLS1.3) tls TLS_AES_256_GCM_SHA384
	(Exim 4.x)
	(envelope-from <federico.kirschbaum@xbow.com>)
	id 1wIrlg-00000005npt-1tOa
	for hs@schlittermann.de;
	Fri, 01 May 2026 19:35:13 +0200
Received: from cumin.exim.org ([2a00:11c0:5f:34c1::2])
	by hh.schlittermann.de with esmtps  (TLS1.3) tls TLS_AES_256_GCM_SHA384
	(Exim 4.x)
	(envelope-from <federico.kirschbaum@xbow.com>)
	id 1wIrgd-00000008fZR-478W
	for hs@schlittermann.de;
	Fri, 01 May 2026 19:30:00 +0200
ARC-Authentication-Results: i=2; exim.org; smtp.remote-ip=2607:f8b0:4864:20::f31;
	iprev=pass (mail-qv1-xf31.google.com) smtp.remote-ip=2607:f8b0:4864:20::f31;
	spf=pass smtp.mailfrom=xbow.com;
	dkim=pass header.d=xbow.com header.s=google header.a=rsa-sha256;
	dmarc=pass header.from=xbow.com;
	arc=pass (i=1) header.s=arc-20240605 arc.oldest-pass=1 smtp.remote-ip=2607:f8b0:4864:20::f31
Authentication-Results: exim.org;
	iprev=pass (mail-qv1-xf31.google.com) smtp.remote-ip=2607:f8b0:4864:20::f31;
	spf=pass smtp.mailfrom=xbow.com;
	dkim=pass header.d=xbow.com header.s=google header.a=rsa-sha256;
	dmarc=pass header.from=xbow.com;
	arc=pass (i=1) header.s=arc-20240605 arc.oldest-pass=1 smtp.remote-ip=2607:f8b0:4864:20::f31
Received: from mail-qv1-xf31.google.com ([2607:f8b0:4864:20::f31]:43254)
	by cumin.exim.org with esmtps  (TLS1.3) tls TLS_AES_128_GCM_SHA256
	(Exim 4.99.1)
	(envelope-from <federico.kirschbaum@xbow.com>)
	id 1wIrgY-00000005Cov-3NbE
	for security@exim.org;
	Fri, 01 May 2026 17:29:55 +0000
Received: by mail-qv1-xf31.google.com with SMTP id 6a1803df08f44-8b5cda2dab9so4342426d6.0
        for <security@exim.org>; Fri, 01 May 2026 10:29:54 -0700 (PDT)
ARC-Authentication-Results: i=1; mx.google.com; arc=none
X-Received: by 2002:ad4:5bcf:0:b0:8ac:b0d8:65f2 with SMTP id
 6a1803df08f44-8b668735944mr6969666d6.19.1777656593139; Fri, 01 May 2026
 10:29:53 -0700 (PDT)
MIME-Version: 1.0
From: XBOW Security <security@xbow.com>
Date: Fri, 1 May 2026 14:29:41 -0300
X-Gm-Features: AVHnY4Je7FRU70YF6X7PXRw1ZeFk2xEXhxRiPrWo6h7lbdgAqOdFo-PJgN4Vcwg
Message-ID: <CALhuxzfnhxZvQvWjOKckOvqhADDjdJXUhcF8b-oELpZ8qH9Pbw@mail.gmail.com>
Subject: EXIM Security report
To: security@exim.org
Cc: =?UTF-8?Q?Andr=C3=A9s_Luksenberg?= <andres.luksenberg@xbow.com>,
	Federico Kirschbaum <federico.kirschbaum@xbow.com>
Content-Type: multipart/mixed; boundary="000000000000c4ce290650c4ed22"
X-Spam-Score: -0.3 (/)
X-IUS-DKIM-Status: signer=xbow.com status=pass
	Domain=xbow.com
X-IUS-RSpamd-Bar: ++++
X-IUS-RSpamd-Score: 4.2
X-IUS-Spam-Score: -1.4
X-IUS-Spam-Bar: -
X-IUS-Spam-Report: BAYES_00=-1.9,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HTML_MESSAGE=0.001,SPF_HELO_PASS=-0.001,SPF_SOFTFAIL=0.665,lang=en,autolearn=no autolearn_force=no,via=XX XX

--000000000000c4ce290650c4ed22
Content-Type: multipart/alternative; boundary="000000000000c4ce280650c4ed20"

--000000000000c4ce280650c4ed20
Content-Type: text/plain; charset="UTF-8"

Hello Exim Team,

I'm Federico Kirschbaum, part of the XBOW security team. During our research we
found a security issue worth being reviewed by your team. We are sharing a
full technical report, reproduction information, and supporting materials.

Best regards,
Federico Kirschbaum

--000000000000c4ce280650c4ed20--

--000000000000c4ce290650c4ed22
Content-Type: application/octet-stream; name="package.tgz.asc"
Content-Disposition: attachment; filename="package.tgz.asc"
Content-Transfer-Encoding: base64
Content-ID: <f_mon6gmsx0>
X-Attachment-Id: f_mon6gmsx0


From federico.kirschbaum@xbow.com Mon May 04 20:00:54 2026
Return-Path: <federico.kirschbaum@xbow.com>
Received: from mx10.schlittermann.de (mx10.ius [192.168.80.10])
	 by pop (Cyrus 3.6.1-Debian-3.6.1-4+deb12u4) with LMTPA;
	 Mon, 04 May 2026 22:01:23 +0200
X-Cyrus-Session-Id: cyrus-1777924883-237173-1-4762989564935268436
X-Sieve: CMU Sieve 3.0
Authentication-Results: mx10.schlittermann.de;
	iprev=pass (cumin.exim.org) smtp.remote-ip=152.53.204.32;
	spf=softfail smtp.mailfrom=xbow.com;
	dkim=pass header.d=xbow.com header.s=google header.a=rsa-sha256;
	dmarc=pass header.from=xbow.com
Received-SPF: softfail (mx10.schlittermann.de: transitioning domain of xbow.com does not designate 152.53.204.32 as permitted sender) client-ip=152.53.204.32; envelope-from=federico.kirschbaum@xbow.com; helo=cumin.exim.org;
Received: from cumin.exim.org ([152.53.204.32]:34990)
	by mx10.schlittermann.de with esmtps  (TLS1.3) tls TLS_AES_256_GCM_SHA384
	(Exim 4.x)
	(envelope-from <federico.kirschbaum@xbow.com>)
	id 1wJzTh-00000006Tdn-3AR5
	for hs@schlittermann.de;
	Mon, 04 May 2026 22:01:23 +0200
ARC-Authentication-Results: i=2; exim.org; smtp.remote-ip=2607:f8b0:4864:20::f2b;
	iprev=pass (mail-qv1-xf2b.google.com) smtp.remote-ip=2607:f8b0:4864:20::f2b;
	spf=pass smtp.mailfrom=xbow.com;
	dkim=pass header.d=xbow.com header.s=google header.a=rsa-sha256;
	dmarc=pass header.from=xbow.com;
	arc=pass (i=1) header.s=arc-20240605 arc.oldest-pass=1 smtp.remote-ip=2607:f8b0:4864:20::f2b
Authentication-Results: exim.org;
	iprev=pass (mail-qv1-xf2b.google.com) smtp.remote-ip=2607:f8b0:4864:20::f2b;
	spf=pass smtp.mailfrom=xbow.com;
	dkim=pass header.d=xbow.com header.s=google header.a=rsa-sha256;
	dmarc=pass header.from=xbow.com;
	arc=pass (i=1) header.s=arc-20240605 arc.oldest-pass=1 smtp.remote-ip=2607:f8b0:4864:20::f2b
Received: from mail-qv1-xf2b.google.com ([2607:f8b0:4864:20::f2b]:59763)
	by cumin.exim.org with esmtps  (TLS1.3) tls TLS_AES_128_GCM_SHA256
	(Exim 4.99.1)
	(envelope-from <federico.kirschbaum@xbow.com>)
	id 1wJzTZ-00000001Xdz-2Wqq
	for security@exim.org;
	Mon, 04 May 2026 20:01:16 +0000
Received: by mail-qv1-xf2b.google.com with SMTP id 6a1803df08f44-899a5db525cso29876836d6.3
        for <security@exim.org>; Mon, 04 May 2026 13:01:08 -0700 (PDT)
ARC-Authentication-Results: i=1; mx.google.com; arc=none
X-Received: by 2002:a05:6214:460a:b0:8b6:6d70:aaac with SMTP id
 6a1803df08f44-8b66d70acdemr201087386d6.30.1777924866930; Mon, 04 May 2026
 13:01:06 -0700 (PDT)
MIME-Version: 1.0
References: <CALhuxzfnhxZvQvWjOKckOvqhADDjdJXUhcF8b-oELpZ8qH9Pbw@mail.gmail.com>
 <13908687-236f-4d8c-b8ba-7033a9f4c7d0@wizmail.org> <CALhuxzcOTgEg=hVMqpbfb8Kp1HnDcKM6PFMf3yFUsjm0+mC5ug@mail.gmail.com>
In-Reply-To: <CALhuxzcOTgEg=hVMqpbfb8Kp1HnDcKM6PFMf3yFUsjm0+mC5ug@mail.gmail.com>
From: Federico Kirschbaum <federico.kirschbaum@xbow.com>
Date: Mon, 4 May 2026 17:00:54 -0300
X-Gm-Features: AVHnY4I88bMDBELNb8Aw_rxmf8pCY6xgiwDgIbZEtfbwYqIN-y7dfnrXL9XjHWQ
Message-ID: <CALhuxzeP0jiK-K=iiPj1o9QK=_hmWrLa0FJxoLGBfCMd=+XYYA@mail.gmail.com>
Subject: Re: EXIM Security report
To: XBOW Security <security@xbow.com>
Cc: Jeremy Harris <jgh@wizmail.org>, security@exim.org, 
	=?UTF-8?Q?Andr=C3=A9s_Luksenberg?= <andres.luksenberg@xbow.com>
Content-Type: multipart/alternative; boundary="000000000000218c0406510364b9"
X-Spam-Score: -0.3 (/)
X-IUS-DKIM-Status: signer=xbow.com status=pass
	Domain=xbow.com
X-IUS-RSpamd-Bar: -
X-IUS-RSpamd-Score: -1.9
X-IUS-Spam-Score: 0.5
X-IUS-Spam-Bar: /
X-IUS-Spam-Report: BAYES_20=-0.001,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HTML_MESSAGE=0.001,SPF_HELO_PASS=-0.001,SPF_SOFTFAIL=0.665,lang=en,autolearn=no autolearn_force=no,via=US XX

--000000000000218c0406510364b9
Content-Type: text/plain; charset="UTF-8"

Hi Jeremy & Team

We were wondering if you and the team had a chance of reviewing our
submission.

Best,
fede

On Fri, 1 May 2026 at 15:41, XBOW Security <security@xbow.com> wrote:

> Jeremy,
>
> Probably my bad. Let me know if you are able to decrypt this new
> attachment.
>
> best,
> fede
>
> On Fri, 1 May 2026 at 15:04, Jeremy Harris <jgh@wizmail.org> wrote:
>
>> On 2026/05/01 6:29 PM, XBOW Security wrote:
>> > I'm Federico Kirschbaum, part of the XBOW security team. During our
>> > research we found a security issue worth being reviewed by your team.
>> > We are sharing a full technical report, reproduction information, and
>> > supporting materials.
>> Rejected: Unfortunately, your email appears to have no useful content
>> beyond a couple of PGP items.
>> --
>> Cheers,
>>    Jeremy
>>

--000000000000218c0406510364b9--


From hs@schlittermann.de Tue May 05 07:53:24 2026
Date: Tue, 5 May 2026 09:53:24 +0200
From: Heiko Schlittermann <hs@schlittermann.de>
To: Federico Kirschbaum <federico.kirschbaum@xbow.com>
Cc: XBOW Security <security@xbow.com>, Jeremy Harris <jgh@wizmail.org>,
	security@exim.org,
	=?utf-8?Q?Andr=C3=A9s?= Luksenberg <andres.luksenberg@xbow.com>
Subject: Re: EXIM Security report
Message-ID: <afmh9MuPOCVW4WaD@jumper.schlittermann.de>
References: <CALhuxzfnhxZvQvWjOKckOvqhADDjdJXUhcF8b-oELpZ8qH9Pbw@mail.gmail.com>
 <13908687-236f-4d8c-b8ba-7033a9f4c7d0@wizmail.org>
 <CALhuxzcOTgEg=hVMqpbfb8Kp1HnDcKM6PFMf3yFUsjm0+mC5ug@mail.gmail.com>
 <CALhuxzeP0jiK-K=iiPj1o9QK=_hmWrLa0FJxoLGBfCMd=+XYYA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="C2noLeON2UnbLMyN"
Content-Disposition: inline
In-Reply-To: <CALhuxzeP0jiK-K=iiPj1o9QK=_hmWrLa0FJxoLGBfCMd=+XYYA@mail.gmail.com>
Organization: schlittermann -- internet & unix support
X-Telegram: @HeikoSchlittermann
X-Threema: T5RPWMSS
X-Signal: +49.172.7909055
X-Phone: +49.172.7909055
X-SMS: +49.172.7909055
X-GPG-Fingerprint: E5CA 331D 44AB 8E4C 806F  DBEE 2610 1B62 F693 76CE
X-GPG-Key-ID: F69376CE


--C2noLeON2UnbLMyN
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Federico Kirschbaum <federico.kirschbaum@xbow.com> (Mo 04 Mai 2026 22:00:54=
 CEST):
> We were wondering if you and the team had a chance of reviewing our
> submission.

Yes, it has been reviewed and a fix is in our private repos. We're
preparing a security release, which probably will happen during the next
about 7 days or so.

Currently nothing is published yet, to avoid unnecessary pressure during
testing.

    Best regards from Dresden/Germany
    Viele Gr=C3=BC=C3=9Fe aus Dresden
    Heiko Schlittermann
--=20
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -

--C2noLeON2UnbLMyN
Content-Type: application/pgp-signature; name="signature.asc"


--C2noLeON2UnbLMyN--

From federico.kirschbaum@xbow.com Thu May 07 14:14:23 2026
Return-Path: <federico.kirschbaum@xbow.com>
Received: from mx10.schlittermann.de (mx10.ius [192.168.80.10])
	 by pop (Cyrus 3.6.1-Debian-3.6.1-4+deb12u4) with LMTPA;
	 Thu, 07 May 2026 16:14:42 +0200
X-Cyrus-Session-Id: cyrus-1778163282-714118-1-17859971217486563485
X-Sieve: CMU Sieve 3.0
Authentication-Results: mx10.schlittermann.de;
	iprev=pass (mail-qv1-f54.google.com) smtp.remote-ip=209.85.219.54;
	spf=pass smtp.mailfrom=xbow.com;
	dkim=pass header.d=xbow.com header.s=google header.a=rsa-sha256;
	dmarc=pass header.from=xbow.com
Received-SPF: pass (mx10.schlittermann.de: domain of xbow.com designates 209.85.219.54 as permitted sender) client-ip=209.85.219.54; envelope-from=federico.kirschbaum@xbow.com; helo=mail-qv1-f54.google.com;
Received: from mail-qv1-f54.google.com ([209.85.219.54]:58437)
	by mx10.schlittermann.de with esmtps  (TLS1.3) tls TLS_AES_128_GCM_SHA256
	(Exim 4.x)
	(envelope-from <federico.kirschbaum@xbow.com>)
	id 1wKzUq-00000007Di2-22Wm
	for hs@schlittermann.de;
	Thu, 07 May 2026 16:14:42 +0200
Received: by mail-qv1-f54.google.com with SMTP id 6a1803df08f44-8b7f937ef44so4787696d6.0
        for <hs@schlittermann.de>; Thu, 07 May 2026 07:14:36 -0700 (PDT)
ARC-Authentication-Results: i=1; mx.google.com; arc=none
X-Received: by 2002:a05:6214:3f87:b0:8ba:b699:9e54 with SMTP id
 6a1803df08f44-8bc462ff3edmr111960836d6.47.1778163275016; Thu, 07 May 2026
 07:14:35 -0700 (PDT)
MIME-Version: 1.0
From: Federico Kirschbaum <federico.kirschbaum@xbow.com>
Date: Thu, 7 May 2026 11:14:23 -0300
X-Gm-Features: AVHnY4JgAdCJF3x34D9_vaOm1GCHn-4BwtsNXPd8F0bLoNof1OETOjIworhqwd8
Message-ID: <CALhuxzfZ4RtUxdeWtmoosvoz6ZeYP5fCApTWdacssQXpDLv-Cw@mail.gmail.com>
Subject: Re: EXIM Security report
To: Heiko Schlittermann <hs@schlittermann.de>
Cc: XBOW Security <security@xbow.com>, Jeremy Harris <jgh@wizmail.org>, security@exim.org, 
	=?UTF-8?Q?Andr=C3=A9s_Luksenberg?= <andres.luksenberg@xbow.com>
Content-Type: multipart/alternative; boundary="0000000000005c3f6206513ae66d"
X-IUS-DKIM-Status: signer=xbow.com status=pass
	Domain=xbow.com
X-IUS-RSpamd-Bar: ----
X-IUS-RSpamd-Score: -5.0
X-IUS-Spam-Score: -2.1
X-IUS-Spam-Bar: --
X-IUS-Spam-Report: BAYES_00=-1.9,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HTML_MESSAGE=0.001,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_IN_MSPIKE_H2=0.001,SPF_HELO_NONE=0.001,SPF_PASS=-0.001,lang=en,autolearn=ham autolearn_force=no,via=US

--0000000000005c3f6206513ae66d
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Heiko & Team,

In order to plan a disclosure we would like to know release dates, CVE
number and severity assigned and if you plan some sort of early-notice to
distros.
On our end we are writing a blogpost of this vulnerability, that we intend
to make public after the security release and patches are available.

Best
fede

On Tue, 5 May 2026 at 08:59, Federico Kirschbaum <
federico.kirschbaum@xbow.com> wrote:

> Heiko,
>
> Thanks for your prompt reply. Let us know if you require more information
> from our side on the subject.
>
> Best,
>
> fede
>
> On Tue, 5 May 2026 at 04:53, Heiko Schlittermann <hs@schlittermann.de>
> wrote:
>
>> Federico Kirschbaum <federico.kirschbaum@xbow.com> (Mo 04 Mai 2026
>> 22:00:54 CEST):
>> > We were wondering if you and the team had a chance of reviewing our
>> > submission.
>>
>> Yes, it has been reviewed and a fix is in our private repos. We're
>> preparing a security release, which probably will happen during the next
>> about 7 days or so.
>>
>> Currently nothing is published yet, to avoid unnecessary pressure during
>> testing.
>>
>>     Best regards from Dresden/Germany
>>     Viele Gr=C3=BC=C3=9Fe aus Dresden
>>     Heiko Schlittermann
>> --
>>  SCHLITTERMANN.de ---------------------------- internet & unix support -
>>  Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
>>  gnupg encrypted messages are welcome --------------- key ID: F69376CE -
>>

--0000000000005c3f6206513ae66d--
