We'd love to hear about it! Click here to go to the product suggestion community
any news about new CVE-2018-6789?
Is there a patch release on the air for UTM?
In 9.508 version seems not present.
The alert is reported also in nakedsecurity
Interesting, but I wonder if the stripped-down, hardened version of Exim in use in the UTM has this exposure. Since it deals with base64d, I would think that the Proxy would have to use that before it could do antivirus or antispam. Still, I think any exploit would be limited to Exim because the Proxy is chroot'd.
Let's hope a Sophos person sees this and gets a comment from their specialist.
Cheers - Bob
Hi MassimoDalla Giustina
There is currently a patch in development to address this vulnerability, I will update this thread with the latest news I receive.
FloSupport | Community Support Engineer
In reply to FloSupport:
This is one of the cases where I would wish Sophos had a different approach to patches.Suppose there is then a 9.509 patch that fixes this problem.Due to the incremental strategy, I am forced to install 9.508 as well, knowing that I will have problems with SMIME, as this problem is probably not solved by then. Therefore, I can choose safety or functionality.Is the concept of the XG the same as that of the UTM? If not, that might be an argument for it.It's not a wish list, but sometimes separating functional and security updates would have great advantages.If so, a 9.506-3 would be desirable.But now enough of the criticism.
Wanted to update this thread. Please see the recently posted KBA regarding this. A prefix patch is now available. Customers who want this patch should contact Sophos Support.
Many thanks for your support.
it's quit more than a week now, and the bug is critical: Do you have reliable news about the official release?
In reply to pebo:
This patch should be included in the next UTM 9.509 release, which is tentatively scheduled to be released next week. However, if you require this patch immediately, I would advise that you open a support case to request this to be installed for you.
The patch has been included in the UTM 9.509 release. The release will be rolled out in phases. In phase 1 you can download the update package from our FTP server, in phase 2 we will spread it via our Up2Date servers.
Many thanks for the support.
I confirm today the fix with new update 9.509-3:
NUTM-9619 [Email] CVE-2018-6789: buffer overflow in base64d function in SMTP listener