Change logs for exim4 source package in Bionic

  • exim4 (4.90.1-1ubuntu1.10) bionic-security; urgency=medium
    
      * SECURITY UPDATE: use after free in regex handler
        - debian/patches/CVE-2022-3559-1.patch: properly clear references in
          src/exim.c, src/expand.c, src/functions.h, src/globals.c,
          src/regex.c, src/smtp_in.c.
        - debian/patches/CVE-2022-3559-2.patch: fix non-WITH_CONTENT_SCAN build
          in src/exim.c, src/regex.c.
        - debian/patches/CVE-2022-3559-3.patch: fix non-WITH_CONTENT_SCAN build
          in src/exim.c, src/functions.h, src/globals.h, src/regex.c,
          src/smtp_in.c.
        - debian/patches/CVE-2022-3559-4.patch: fix non-WITH_CONTENT_SCAN build
          in src/expand.c.
        - CVE-2022-3559
    
     -- Marc Deslauriers <email address hidden>  Wed, 23 Nov 2022 10:55:59 -0500
  • exim4 (4.90.1-1ubuntu1.9) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Heap-based buffer overflow
        - debian/patches/CVE-2022-37452.patch: Fix host_name_lookup
          in src/host.c.
        - CVE-2022-37452
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 17 Aug 2022 08:12:18 -0300
  • exim4 (4.90.1-1ubuntu1.8) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Multiple security issues
        - debian/patches/sec-may2021-*.patch: backport patches from upstream to
          correct issues.
        - CVE-2020-28007, CVE-2020-28008, CVE-2020-28009, CVE-2020-28010,
          CVE-2020-28011, CVE-2020-28012, CVE-2020-28013, CVE-2020-28014,
          CVE-2020-28015, CVE-2020-28016, CVE-2020-28017, CVE-2020-28018,
          CVE-2020-28019, CVE-2020-28020, CVE-2020-28021, CVE-2020-28022,
          CVE-2020-28023, CVE-2020-28024, CVE-2020-28025, CVE-2020-28026,
          CVE-2021-27216
    
     -- Marc Deslauriers <email address hidden>  Fri, 30 Apr 2021 10:15:04 -0400
  • exim4 (4.90.1-1ubuntu1.5) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Out-of-bounds read
        - debian/patches/CVE-2020-12783-*.patch: fix SPA
          authenticator, checking client-supplied data before using it
          in src/auths/spa.c, src/auths/spa-spa.c.
        - CVE-2020-12783
    
     -- <email address hidden> (Leonidas S. Barbosa)  Thu, 14 May 2020 10:10:01 -0300
  • exim4 (4.90.1-1ubuntu1.4) bionic-security; urgency=medium
    
      * SECURITY UPDATE: remote command execution
        - debian/patches/CVE-2019-15846.patch: ensure not to interpret '\\'
          before '\0' in src/string.c
        - CVE-2019-15846
    
     -- Alex Murray <email address hidden>  Wed, 04 Sep 2019 21:14:01 +0930
  • exim4 (4.90.1-1ubuntu1.3) bionic-security; urgency=medium
    
      * SECURITY UPDATE: code execution via ${sort }
        - debian/patches/CVE-2019-13917.patch: avoid re-expansion in ${sort }
          in src/expand.c.
        - CVE-2019-13917
    
     -- Marc Deslauriers <email address hidden>  Fri, 19 Jul 2019 07:13:51 -0400
  • exim4 (4.90.1-1ubuntu1.2) bionic-security; urgency=medium
    
      * SECURITY UPDATE: remote command execution
        - debian/patches/CVE-2019-10149.patch: fix parsing logic in
          src/deliver.c.
        - CVE-2019-10149
    
     -- Marc Deslauriers <email address hidden>  Tue, 04 Jun 2019 14:44:51 -0400
  • exim4 (4.90.1-1ubuntu1.1) bionic; urgency=medium
    
      * d/p/eximstats_unitialized_value.patch: Fix uninitialized value error in
        eximstats. (LP: #1786508)
    
     -- Andreas Hasenack <email address hidden>  Wed, 10 Oct 2018 15:25:04 -0300
  • exim4 (4.90.1-1ubuntu1) bionic; urgency=medium
    
      * Merge from Debian testing. Remaining changes:
        - Show Ubuntu distribution in SMTP banner
          - Build-Depends on lsb-release to detect Distribution.
          - d/p/fix_smtp_banner.patch: Show Ubuntu distribution in SMTP banner.
    
    exim4 (4.90.1-1) unstable; urgency=high
    
      * New upstream version, fixing CVE-2018-6789. Closes: #890000
        + Drop 75_*.patch.
    
    exim4 (4.90-7) unstable; urgency=medium
    
      * Update from exim-4_90+fixes branch. (exim-4.90.0.27)
        + 75_21-DKIM-fix-buffer-overflow-in-verify.patch
        + 75_22-Repair-Heimdal-GSSAPI-authenticator-init.patch
        + 75_23-Repair-Heimdal-GSSAPI-authenticator-init-part-2.patch
      * Typo fixes in old patch descriptions. (Thanks, lintian!)
    
    exim4 (4.90-6) unstable; urgency=medium
    
      * Update from exim-4_90+fixes branch.
        + 75_17-Cutthrough-fix-for-port-number-defined-by-router.-Bu.patch
        + 75_18-GnuTLS-fix-to-ignore-timeout-on-unrelated-callout-co.patch
          Closes: #887489
        + 75_19-Build-.git-may-be-a-file-when-this-repo-is-a-submodu.patch
        + 75_20-Debugging-fix-potential-null-derefs-in-DSN-debug_pri.patch
    
    exim4 (4.90-5) unstable; urgency=low
    
      * Add 75_16-Cutthrough-fix-multi-message-initiating-connections.patch from
        exim-4_90+fixes branch.
      * Improved exim4-daemon-custom documentation by Gedalya. Closes: #887971
      * [update-exim4.conf] stop converting variables set to an empty value in
        /etc/exim4/update-exim4.conf.conf to exim macros with a literal value of
        "empty" in the generated configuration. Thanks, Gedalya. Closes: #887972
    
    exim4 (4.90-4) unstable; urgency=low
    
      * Update from exim-4_90+fixes branch.
        75_13-Lookups-fix-mysql-lookup-returns-for-no-data-queries.patch
        75_14-Fix-D-string-expansion-to-not-use-millisec.patch
        75_15-DKIM-DNS-records-having-no-v-tag-are-acceptable.-Bug.patch
    
    exim4 (4.90-3) unstable; urgency=medium
    
      * Three more patches from exim-4_90+fixes branch:
        75_10-Fix-issue-with-continued-connections-when-the-DNS-sh.patch
        75_11-MIME-ACL-fix-SMTP-response-for-non-accept-result-of-.patch
        75_12-DKIM-permit-dkim_private_key-to-override-dkim_strict.patch
    
    exim4 (4.90-2) unstable; urgency=medium
    
      * Update to exim-4_90+fixes branch:
        + Replace 75_Lookups-fix-pgsql-multiple-row-single-column-return.patch.
        + 75_01-TLS-Fix-excessive-calling-of-smtp_auth_acl-under-AUT.patch
        + 75_02-TLS-avoid-calling-smtp_auth_acl-on-client-cert-when-.patch
        + 75_03-Debug-fix-coding-in-dnssec-reporting.-Bug-2205.patch
        + 75_04-DKIM-Ignore-non-DKIM-TXT-records-in-DNS-response.-Bu.patch
        + 75_05-Fix-build-of-nisplus-lookup.patch
        + 75_06-Fix-const-issue-in-nisplus-lookup.patch
        + 75_08-DKIM-tighter-checking-while-parsing-signature-header.patch
        + 75_09-Fix-crash-associated-with-dnsdb-lookup-done-from-DKI.patch
    
    exim4 (4.90-1) unstable; urgency=low
    
      * rc4 released as 4.90.
      * Point watchfile to release directory again.
      * 75_Lookups-fix-pgsql-multiple-row-single-column-return.patch from upstream
        GIT master branch. Fix pgsql lookup for multiple result-tuples with a
        single column. Previously only the last row was returned.
        https://lists.exim.org/lurker/message/20171223.102237.a53dd5bd.en.html
      * Simplify debian/rules and make it usable with dh v10 compat. The
        fine-grained support for selecting the to-be-built packages (-custom with
        or without -base) was dropped. The build process is now controlled by
        attaching tasks to dh-override hooks instead of using file dependencies,
        makefile-style. The latter broke with dh v10 due to upstream's
        build-system, which always has the main targets out-of-date, inter alia due
        to the compile-number feature.
      * Use hardening=+all instead of hardening=+bindnow,+pie. (Does not change
        buildflags ATM.)
      * Use debhelper v10 compat.
      * Drop override_dh_strip-arch, we have had enough toolchain and
        source changes to prevent file conflicts.
    
    exim4 (4.90~RC4-1) unstable; urgency=medium
    
      * New upstream version.
    
    exim4 (4.90~RC3-2) unstable; urgency=low
    
      * Upload to unstable.
      * Point homepage to https URL.
    
    exim4 (4.90~RC3-1) experimental; urgency=medium
    
      * New upstream version.
        + Fix a use-after-free while reading smtp input for header lines.
          A crafted sequence of BDAT commands could result in in-use memory
          being freed.  CVE-2017-16943. Closes: #882648
        + Fix checking for leading-dot on a line during headers reading
          from SMTP input.  Previously it was always done; now only done for
          DATA and not BDAT commands.  CVE-2017-16944 Closes: #882671
      * Drop 78_Disable-chunking-BDAT-by-default.patch again.
    
    exim4 (4.90~RC2-3) experimental; urgency=medium
    
      * As a workaround for the yet-unfixed security vulnerability, resurrect (and
        adapt for 4.90) 78_Disable-chunking-BDAT-by-default.patch (dropped in
        4.89-4) to disable both incoming and outgoing BDAT/CHUNKING. #882648
        https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html
    
    exim4 (4.90~RC2-2) experimental; urgency=low
    
      * B-d on lynx, instead of lynx-cur | lynx.
    
    exim4 (4.90~RC2-1) experimental; urgency=low
    
      * New upstream release candidate.
        + Unfuzz patches, drop 40_reproducible_build.diff and
          75_fix_ftbfs_SOURCE_DATE_EPOCH.diff.
        + Refresh debian/example.conf.md5. No changes to Debian's configuration
          are needed; upstream added a (commented) entry to change OpenSSL ciphers.
    
    exim4 (4.90~RC1-1) experimental; urgency=low
    
      * New upstream release candidate.
        + Point watchfile to test subdirectory.
        + Update 40_reproducible_build.diff
        + Drop 75_fixes*.patch and
          80_Repair-manualroute-transport-name-not-last-option.patch.
        + Unfuzz EDITME*.diff
        + 75_fix_ftbfs_SOURCE_DATE_EPOCH.diff Fix build-error when
          SOURCE_DATE_EPOCH is set.
      * Drop trailing whitespace in debian/README.source, debian/changelog and
        debian/rules. (Thanks, lintian)
      * Drop debian/README.source and outdated parts of debian/copyright.
    
    exim4 (4.89-13) unstable; urgency=high
    
      * 75_fixes_21-Chunking-do-not-treat-the-first-lonely-dot-special.-.patch
        from exim-4_89+fixes branch. Closes: #882671 CVE-2017-16944
    
    exim4 (4.89-12) unstable; urgency=high
    
      * Sync with exim-4_89+fixes branch:
        + 75_fixes_19-Fix-mariadb-mysql-macro-confusion.patch
        + 75_fixes_20-Avoid-release-of-store-if-there-have-been-later-allo.patch
          Closes: #882648 (use-after-free, remote-code-execution) CVE-2017-16943
      * Update EDITME* for 75_fixes_19-Fix-mariadb-mysql-macro-confusion.patch.
    
    exim4 (4.89-11) unstable; urgency=critical
    
      * B-d on lynx, instead of lynx-cur | lynx.
    
    exim4 (4.89-10) unstable; urgency=critical
    
      * As a workaround for the yet-unfixed security vulnerability, resurrect
        78_Disable-chunking-BDAT-by-default.patch (dropped in 4.89-4) to disable
        both incoming and outgoing BDAT/CHUNKING. #882648
        https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html
    
     -- Christian Ehrhardt <email address hidden>  Wed, 14 Feb 2018 17:01:14 +0100
  • exim4 (4.89-9ubuntu4) bionic; urgency=medium
    
      * debian/control: build-depend on lynx instead of the deprecated lynx-cur
        transitional package.
    
     -- Ɓukasz 'sil2100' Zemczak <email address hidden>  Fri, 15 Dec 2017 08:39:16 +0100
  • exim4 (4.89-9ubuntu3) bionic; urgency=medium
    
      * SECURITY UPDATE: stack-exhaustion remote DoS
        - debian/patches/CVE-2017-16944.patch: do not treat the first lonely
          dot special in src/receive.c, src/smtp_in.c.
        - CVE-2017-16944
    
     -- Marc Deslauriers <email address hidden>  Wed, 29 Nov 2017 08:57:57 -0500
  • exim4 (4.89-9ubuntu2) bionic; urgency=medium
    
      * SECURITY UPDATE: remote code execution via use-after-free
        - debian/patches/CVE-2017-16943.patch: avoid release of store if there
          have been later allocations in src/receive.c.
        - CVE-2017-16943
    
     -- Marc Deslauriers <email address hidden>  Mon, 27 Nov 2017 07:35:53 -0500
  • exim4 (4.89-9ubuntu1) bionic; urgency=medium
    
      * Merge from Debian unstable. Remaining changes:
        - Show Ubuntu distribution in SMTP banner
          - Build-Depends on lsb-release to detect Distribution.
          - d/p/fix_smtp_banner.patch: Show Ubuntu distribution in SMTP banner.
    
     -- Christian Ehrhardt <email address hidden>  Thu, 16 Nov 2017 10:02:23 +0100
  • exim4 (4.89-5ubuntu1) artful; urgency=medium
    
      * Merge from Debian testing.
        Remaining changes:
        - Show Ubuntu distribution in SMTP banner
          - Build-Depends on lsb-release to detect Distribution.
          - d/p/fix_smtp_banner.patch: Show Ubuntu distribution in SMTP banner.
    
     -- Christian Ehrhardt <email address hidden>  Wed, 16 Aug 2017 15:42:47 +0200