-
exim4 (4.93-13ubuntu1.10) focal-security; urgency=medium
* SECURITY UPDATE: SMTP smuggling
- debian/patches/CVE-2023-51766-1.patch: Reject "dot, LF" as
ending data phase in src/receive.c, src/smtp_in.c.
- debian/patches/CVE-2023-51766-2.patch: use enum for body data
input state-machine in src/receive.c.
- debian/patches/CVE-2023-51766-3.patch: fix in src/receive.c.
- CVE-2023-51766
-- Leonidas Da Silva Barbosa <email address hidden> Thu, 11 Jan 2024 10:28:33 -0300
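The "dot, LF" rejection in the CVE-2023-51766 patches above is the heart of the SMTP smuggling fix: a receiver that treats a lone "." terminated by a bare LF as end-of-data can be made to end one message early and then parse the rest of the client's DATA bytes as fresh MAIL/RCPT/DATA commands, injecting a second message that never passed the sender's checks. The C below is an added illustration, not code from Exim or from the Debian patches: one function locates the end-of-data marker either strictly (only CRLF.CRLF, as RFC 5321 requires) or leniently (also dot followed by a bare LF), and the sample stream is constructed for the example to show how the two disagree.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Locate the end-of-data marker in the bytes a client sent after DATA.
 *
 * strict != 0: only a line consisting of "." and terminated by CRLF, where
 *   that line starts right after a CRLF (or at the very beginning of the
 *   data), ends the message. This is the RFC 5321 terminator.
 * strict == 0: additionally treats a bare LF as a line boundary, so "."
 *   followed by "\n" alone also ends the message. This models the lenient
 *   behaviour the fix removes ("dot, LF" no longer ends the data phase).
 *
 * Returns the offset of the terminating "." (equal to the length of the
 * message body including its final line ending), or -1 if no terminator
 * is present in buf.
 */
long smtp_find_data_end(const unsigned char *buf, size_t len, int strict)
{
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != '.')
            continue;

        /* The dot must begin a line. */
        int at_line_start = (i == 0)
            || (i >= 2 && buf[i - 1] == '\n' && buf[i - 2] == '\r')
            || (!strict && buf[i - 1] == '\n');
        if (!at_line_start)
            continue;

        /* The dot must be the whole line: CRLF follows (any mode) ... */
        if (i + 2 < len && buf[i + 1] == '\r' && buf[i + 2] == '\n')
            return (long)i;
        /* ... or a bare LF follows (lenient mode only). */
        if (!strict && i + 1 < len && buf[i + 1] == '\n')
            return (long)i;
    }
    return -1;
}

/* Constructed sample (not a captured session): one legitimate message whose
 * body contains ".\n", followed by text that a receiver which ended the
 * message there would parse as a second MAIL/RCPT/DATA sequence. */
static const char SMUGGLED[] =
    "From: alice@example.org\r\n"
    "To: bob@example.net\r\n"
    "\r\n"
    "hello\r\n"
    ".\n"                                   /* dot + bare LF: data, not a terminator */
    "MAIL FROM:<mallory@example.org>\r\n"   /* would be read as commands ...        */
    "RCPT TO:<bob@example.net>\r\n"
    "DATA\r\n"
    "From: ceo@example.net\r\n"
    "\r\n"
    "smuggled body\r\n"
    ".\r\n";                                /* the only real terminator             */

int main(void)
{
    size_t n = strlen(SMUGGLED);
    const unsigned char *b = (const unsigned char *)SMUGGLED;
    long lenient = smtp_find_data_end(b, n, 0);
    long strict  = smtp_find_data_end(b, n, 1);

    printf("lenient receiver ends DATA at byte %ld", lenient);
    if (lenient >= 0)
        printf(" and would parse the rest as commands:\n%s", SMUGGLED + lenient + 2);
    printf("\nstrict receiver ends DATA at byte %ld: one message, body intact\n", strict);
    return 0;
}
```

The strict variant is what a receiver should implement; the lenient one is kept only to make the discrepancy visible. Note that the check also has to apply to the line start: a dot preceded by a bare LF is ordinary body text under the strict rule, which is why the function tests both the bytes before and after the dot.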
-
exim4 (4.93-13ubuntu1.9) focal-security; urgency=medium
* SECURITY UPDATE: remote code execution
- debian/patches/CVE-2023-42117.patch: fixed string_is_ip_address()
in string.c
- CVE-2023-42117
* SECURITY UPDATE: information disclosure
- debian/patches/CVE-2023-42119.patch: hardened dnsdb.c against
crafted DNS responses.
- CVE-2023-42119
-- Allen Huang <email address hidden> Wed, 25 Oct 2023 01:39:47 +0100
-
exim4 (4.93-13ubuntu1.8) focal-security; urgency=medium
* SECURITY UPDATE: information disclosure
- debian/patches/CVE-2023-42114.patch: fix possible OOB read in
SPA authenticator
- CVE-2023-42114
* SECURITY UPDATE: remote code execution
- debian/patches/CVE-2023-42115.patch: fix possible OOB write in
external authenticator
- CVE-2023-42115
* SECURITY UPDATE: remote code execution
- debian/patches/CVE-2023-42116.patch: fix possible OOB write in
SPA authenticator
- CVE-2023-42116
* debian/patches/CVE-2023-42114_15_16.patch:
- use uschar more in spa authenticator
-- Allen Huang <email address hidden> Mon, 02 Oct 2023 17:21:29 +0100
-
exim4 (4.93-13ubuntu1.7) focal-security; urgency=medium
* SECURITY UPDATE: use after free in regex handler
- debian/patches/CVE-2022-3559-1.patch: properly clear references in
src/exim.c, src/expand.c, src/functions.h, src/globals.c,
src/regex.c, src/smtp_in.c.
- debian/patches/CVE-2022-3559-2.patch: fix non-WITH_CONTENT_SCAN build
in src/exim.c, src/regex.c.
- debian/patches/CVE-2022-3559-3.patch: fix non-WITH_CONTENT_SCAN build
in src/exim.c, src/functions.h, src/globals.h, src/regex.c,
src/smtp_in.c.
- debian/patches/CVE-2022-3559-4.patch: fix non-WITH_CONTENT_SCAN build
in src/expand.c.
- CVE-2022-3559
-- Marc Deslauriers <email address hidden> Wed, 23 Nov 2022 10:54:36 -0500
-
exim4 (4.93-13ubuntu1.6) focal-security; urgency=medium
* SECURITY UPDATE: Heap-based buffer overflow
- debian/patches/CVE-2022-37452.patch: Fix host_name_lookup
in src/host.c.
- CVE-2022-37452
-- Leonidas Da Silva Barbosa <email address hidden> Wed, 17 Aug 2022 08:04:06 -0300
-
exim4 (4.93-13ubuntu1.5) focal-security; urgency=medium
* SECURITY UPDATE: Multiple security issues
- debian/patches/sec-202105/*.patch: backport patches from upstream to
correct issues.
- CVE-2020-28007, CVE-2020-28008, CVE-2020-28009, CVE-2020-28010,
CVE-2020-28011, CVE-2020-28012, CVE-2020-28013, CVE-2020-28014,
CVE-2020-28015, CVE-2020-28016, CVE-2020-28017, CVE-2020-28018,
CVE-2020-28019, CVE-2020-28021, CVE-2020-28022, CVE-2020-28023,
CVE-2020-28024, CVE-2020-28025, CVE-2020-28026, CVE-2021-27216
-- Marc Deslauriers <email address hidden> Wed, 28 Apr 2021 09:19:17 -0400
-
exim4 (4.93-13ubuntu1.1) focal-security; urgency=medium
* SECURITY UPDATE: Out-of-bounds read
- debian/patches/CVE-2020-12783-*.patch: fix SPA
authenticator, checking client-supplied data before using it
in src/auths/spa.c, src/auths/spa-spa.c.
- CVE-2020-12783
-- <email address hidden> (Leonidas S. Barbosa) Thu, 14 May 2020 10:29:45 -0300
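The SPA authenticator fixes on this page, the out-of-bounds read fixed here as CVE-2020-12783 ("checking client-supplied data before using it") and the read/write pair CVE-2023-42114 and CVE-2023-42116 in 4.93-13ubuntu1.8, come down to one rule: a length or offset that arrived from the client must be checked against the size of the message it came in and against the destination buffer before anything is copied. The C below is an added illustration of that rule using an NTLM-style "security buffer" descriptor (16-bit length, 16-bit allocated size, 32-bit offset, all little-endian); it is not Exim's src/auths/spa.c code, and the structure name, function names and the sample message bytes are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTLM-style security buffer: a descriptor inside the message that points at
 * payload elsewhere in the same message. Every field is client-controlled. */
struct secbuf {
    uint16_t len;      /* bytes of payload                  */
    uint16_t maxlen;   /* allocated size, informational     */
    uint32_t offset;   /* byte offset of payload in message */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read the descriptor stored at byte offset 'pos'. The descriptor itself is
 * untrusted input, so even reading it needs a bounds check.
 * Returns 0 on success, -1 if the 8-byte descriptor does not fit in msg. */
int read_secbuf(const uint8_t *msg, size_t msglen, size_t pos, struct secbuf *out)
{
    if (pos > msglen || msglen - pos < 8)
        return -1;
    out->len    = rd16(msg + pos);
    out->maxlen = rd16(msg + pos + 2);
    out->offset = rd32(msg + pos + 4);
    return 0;
}

/* Unchecked copy: the pattern behind an out-of-bounds read (offset or len
 * past the end of msg) or write (len larger than dst). Shown for contrast;
 * it is never called on untrusted input here. */
void secbuf_copy_unchecked(const uint8_t *msg, const struct secbuf *sb, uint8_t *dst)
{
    memcpy(dst, msg + sb->offset, sb->len);
}

/* Checked copy: rejects descriptors that point outside the message or that
 * would not fit in the caller's buffer. Returns bytes copied, or -1 on
 * rejection. The subtraction form (msglen - offset) avoids the integer
 * overflow that offset + len could suffer with a hostile offset. */
long secbuf_copy_checked(const uint8_t *msg, size_t msglen, const struct secbuf *sb,
                         uint8_t *dst, size_t dstlen)
{
    if (sb->offset > msglen)           return -1;   /* offset already past end */
    if (sb->len > msglen - sb->offset) return -1;   /* payload runs past end   */
    if (sb->len > dstlen)              return -1;   /* would overflow dst      */
    memcpy(dst, msg + sb->offset, sb->len);
    return (long)sb->len;
}

/* Constructed sample message (not a real capture): 12-byte header, one
 * descriptor at offset 12, and a 5-byte payload "alice" at offset 20. */
static const uint8_t SAMPLE_MSG[] = {
    'N','T','L','M','S','S','P',0,   /* signature                          */
    3,0,0,0,                         /* message type 3 (authenticate)      */
    5,0,  5,0,  20,0,0,0,            /* secbuf: len=5, maxlen=5, offset=20 */
    'a','l','i','c','e'
};

int main(void)
{
    struct secbuf sb;
    uint8_t name[16];
    if (read_secbuf(SAMPLE_MSG, sizeof SAMPLE_MSG, 12, &sb) != 0)
        return 1;
    long n = secbuf_copy_checked(SAMPLE_MSG, sizeof SAMPLE_MSG, &sb, name, sizeof name);
    printf("honest descriptor: copied %ld bytes: %.*s\n", n, (int)n, name);

    struct secbuf hostile = { 200, 200, 20 };   /* claims 200 bytes of a 25-byte message */
    printf("hostile descriptor: %ld\n",
           secbuf_copy_checked(SAMPLE_MSG, sizeof SAMPLE_MSG, &hostile, name, sizeof name));
    return 0;
}
```

The three checks map onto the three failure modes the changelog entries name: an offset beyond the message or a length running past its end gives an out-of-bounds read, and a length larger than the fixed-size destination gives an out-of-bounds write. Rejecting the descriptor, rather than clamping it, is the safer choice for an authenticator, since a truncated credential blob has no legitimate meaning.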
-
exim4 (4.93-13ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Show Ubuntu distribution in SMTP banner
+ Build-Depends on lsb-release to detect Distribution.
+ d/p/fix_smtp_banner.patch: Show Ubuntu distribution in SMTP banner.
exim4 (4.93-13) unstable; urgency=medium
* Update from exim-4.93+fixes:
+ 74_29-Fix-mime_part_count-for-non-mime-message-on-multi-me.patch
+ 74_31-Taint-track-in-utf8clean-operator.patch
+ 74_32-Fix-spurious-detection-of-timeout-while-writing-to-t.patch
+ 74_33-Fix-segfault-on-bad-cmdline-f-sender-argument.-Bug-2.patch
* [lintian] Move eximon.bin from /usr/lib/exim4 to /usr/libexec/exim4.
-- Bryce Harrington <email address hidden> Fri, 27 Mar 2020 16:00:03 -0700
-
exim4 (4.93-12ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Show Ubuntu distribution in SMTP banner
+ Build-Depends on lsb-release to detect Distribution.
+ d/p/fix_smtp_banner.patch: Show Ubuntu distribution in SMTP banner.
exim4 (4.93-12) unstable; urgency=low
* Update from exim-4.93+fixes:
+ 74_28-Fix-tr-expansion-item.-Bug-2533.patch
* Recover more gracefully from half installed state after trying to install
without util-linux (essential) installed. Closes: #952451 (Thanks, James
Le Cuirot for the patch)
* Use macro ("ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS") for ignore_target_hosts
list setting on dnslookup router. Extend list by corresponding IPv6
entries (Thanks, C Snover) Closes: #950973
* Add REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE to allow setting headers_remove
on both remote_smtp and remote_smtp_smarthost transports. Closes: #927741
-- Bryce Harrington <email address hidden> Fri, 13 Mar 2020 14:25:38 -0700
-
exim4 (4.93-12ubuntu1~focal1) focal; urgency=medium
* ppa build for focal
exim4 (4.93-12ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Show Ubuntu distribution in SMTP banner
+ Build-Depends on lsb-release to detect Distribution.
+ d/p/fix_smtp_banner.patch: Show Ubuntu distribution in SMTP banner.
exim4 (4.93-12) unstable; urgency=low
* Update from exim-4.93+fixes:
+ 74_28-Fix-tr-expansion-item.-Bug-2533.patch
* Recover more gracefully from half installed state after trying to install
without util-linux (essential) installed. Closes: #952451 (Thanks, James
Le Cuirot for the patch)
* Use macro ("ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS") for ignore_target_hosts
list setting on dnslookup router. Extend list by corresponding IPv6
entries (Thanks, C Snover) Closes: #950973
* Add REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE to allow setting headers_remove
on both remote_smtp and remote_smtp_smarthost transports. Closes: #927741
-- Bryce Harrington <email address hidden> Fri, 13 Mar 2020 14:27:29 -0700
-
exim4 (4.93-11ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Show Ubuntu distribution in SMTP banner
+ Build-Depends on lsb-release to detect Distribution.
+ d/p/fix_smtp_banner.patch: Show Ubuntu distribution in SMTP banner.
exim4 (4.93-11) unstable; urgency=medium
* Update from exim-4.93+fixes:
+ 74_26-Auths-fix-cyrus-sasl-driver-for-gssapi-use.-Bug-2524.patch
+ 74_27-GnuTLS-fix-hanging-callout-connections.patch
exim4 (4.93-10) unstable; urgency=medium
* Refresh debian/upstream/signing-key.asc from
https://downloads.exim.org/Exim-Maintainers-Keyring.asc.
* Update from exim-4.93+fixes:
+ 74_23-Fix-taint-hybrid-checking-on-BSD.patch
+ 74_24-TFO-even-in-binary-built-for-modern-Linux-handle-err.patch
+ 74_25-Taint-slow-mode-checking-only.patch
-- Bryce Harrington <email address hidden> Wed, 26 Feb 2020 02:34:11 +0000
-
exim4 (4.93-9ubuntu1) focal; urgency=medium
* Merge with Debian unstable (LP: #1860051). Remaining changes:
- Show Ubuntu distribution in SMTP banner
- Build-Depends on lsb-release to detect Distribution.
- d/p/fix_smtp_banner.patch: Show Ubuntu distribution in SMTP banner.
exim4 (4.93-9) unstable; urgency=medium
* Add 74_22-Taint-hybrid-checking-mode.patch.
exim4 (4.93-8) unstable; urgency=medium
* Refresh debian/upstream/signing-key.asc from
https://downloads.exim.org/Exim-Maintainers-Keyring.asc.
* More updates from exim-4.93+fixes:
+ 74_19-SPF-fix-result-for-case-of-only-non-spf-TXT-RRs.-Bug.patch
+ 74_20-Fix-error-logging-for-dynamically-loaded-modules.-Bu.patch
+ 74_21-heimdal-auth-fix-the-increase-of-big_buffer-size.-Bu.patch
Closes: #949034
exim4 (4.93-7) unstable; urgency=medium
* README.Debian: Expand a little bit on how macros work. (See #948308)
* Upload to unstable.
exim4 (4.93-6) experimental; urgency=low
* Improve on reproducible build, set EXIM_ARCHTYPE=DEB_TARGET_GNU_CPU to
override/avoid CPU detection with uname -m.
* More updates from exim-4.93+fixes:
74_18-SPF-fix-handling-mix-of-spf-and-other-txt-records.-B.patch
* Polish debian/rules. (Use CURDIR instead of executing `pwd`, avoid :=
assignments with $(shell).)
* Build with SMTPUTF8 support. (SUPPORT_I18N_2008 and SUPPORT_I18N)
Closes: #885149
In configuration set smtputf8_advertise_hosts to '' instead of '*'.
exim4 (4.93-5) unstable; urgency=medium
* More updates from exim-4.93+fixes:
74_14-SPF-only-require-v-spf1-on-TXT-DNS-records-during-lo.patch
74_15-Eximon-fix-string-handling.-Bug-2500.patch
74_16-Fix-build-with-heimdal-gssapi.-Bug-2501.patch
74_17-Fix-the-variables-set-by-gsasl-authenticator.patch
exim4 (4.93-4) unstable; urgency=medium
* Improve on TLS info in README.Debian.
* More updates from exim-4.93+fixes:
74_10-DMARC-default-dmarc_tld_file-to-unset.-Bug-2494.patch
74_11-Zero-smtp-context-structure-after-allocation.patch
74_13-ARC-Reset-received-ARC-instance-counter-before-next-.patch
exim4 (4.93-3) unstable; urgency=medium
* More updates (4.93.0.3) from exim-4.93+fixes:
74_08-ARC-fix-crash-induced-by-misordered-headers.-Bug-249.patch
74_09-Fix-taint-issue-with-retry-records.-Bug-2492.patch
exim4 (4.93-2) unstable; urgency=medium
* Update to exim-4.93+fixes branch
74_01-PAM-fix-crash-in-the-pam-expansion-condition.-Bug-24.patch
74_02-Regard-command-line-recipients-as-tainted.patch
74_03-TFO-disable-for-FreeBSD.patch
74_04-Hurd-errno-really-uses-more-than-a-short-sized-value.patch
74_06-local_scan-align-local_scan.h-and-docs-re.-store_get.patch
74_07-Fix-taint-issue-in-transport-with-DSN.-Bug-2491.patch
exim4 (4.93-1) unstable; urgency=low
* Point watchfile to release directory again.
* New upstream version.
exim4 (4.93~RC7-1) unstable; urgency=low
* New upstream version.
+ Update md5 hash for upstream example configuration. (Change not relevant
for Debian)
* 75_01-Build-Enable-GNU-Hurd-Bug-2476.patch and
75_02-TFO-disable-for-FreeBSD.patch from upstream 4.next branch: Re-enable
build on GNU/hurd. (Thanks. Samuel Thibault) Closes: #945943
exim4 (4.93~RC5-1) unstable; urgency=low
* New upstream version.
+ Bump exim4-localscanap Provides.
exim4 (4.93~RC4-1) unstable; urgency=low
* New upstream version.
exim4 (4.93~RC3-1) unstable; urgency=low
* Drop (dead) link to openspf.org in rcpt ACL message string.
Closes: #944786
* New upstream version.
+ Unfuzz 90_localscan_dlopen.dpatch.
-- Christian Ehrhardt <email address hidden> Fri, 17 Jan 2020 09:39:13 +0100
-
exim4 (4.93~RC2-1ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Show Ubuntu distribution in SMTP banner
+ Build-Depends on lsb-release to detect Distribution.
+ d/p/fix_smtp_banner.patch: Show Ubuntu distribution in SMTP banner.
* Dropped:
- SECURITY UPDATE: remote command execution
+ d/p/CVE-2019-15846.patch: ensure not to interpret '\\'
before '\0' in src/string.c
+ CVE-2019-15846
[Now in upstream as of 4.92.2-1]
- SECURITY UPDATE: heap-based buffer overflow in string_vformat
+ debian/patches/CVE-2019-16928.patch: fix overflow in src/string.c.
+ CVE-2019-16928
[Now upstream as of 4.92.3-1]
exim4 (4.93~RC2-1) unstable; urgency=low
* New upstream beta version.
+ Drop patches/75*.
* Allow overriding cron.daily paniclog report recipient. Closes: #611085
* Add REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES and
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS to set tls_verify_certificates and
tls_verify_hosts respectively on the remote_smtp_smarthost transport.
Closes: #823831
In addition to that add REMOTE_SMTP_HOSTS_REQUIRE_TLS to set
hosts_require_tls for the remote_smtp transport. Closes: #780033
exim4 (4.93~RC1-4) unstable; urgency=low
* Add libnet-ssleay-perl dependency to "basic" autopkg test. We do not need
it yet but will forget for sure to add it when we do.
* Following upstream defaults do not disable incoming TLS by default - i.e.
if MAIN_TLS_ENABLE is not set - but use a self-signed certificate.
(Relevant upstream changes: tls_advertise_hosts defaults to * for TLS
builds since 4.87_JH/18, on-demand generation of self-signed certificate
for inbound SMTP since 4.88_JH/05, 4.93_JH/23 TLS enabled build by
default.)
* 75_02-Revert-preallocate-store-for-config-which-appears-to.patch: Fix
mismerge which triggered a test error on mipsel. Closes: #944060
exim4 (4.93~RC1-3) unstable; urgency=low
* 75_01-Dsearch-Fix-taint-handling-in-lookup.-Bug-2465.patch: Untaint
dsearch lookup. Closes: #944199
exim4 (4.93~RC1-2) unstable; urgency=low
* autopkg test: Drop (python2) test for ancient vulnerability and do some
basic testing with swaks instead. Closes: #943006
* Upload to unstable.
exim4 (4.93~RC1-1) experimental; urgency=low
* New upstream beta version.
+ Drop 75_01-Fix-HAVE_LOCAL_SCAN-build.-Bug-2457.patch,
75_02-CHUNKING-fix-all-RCPTs-rejected-non-pipelined.-Bug-2.patch and
75_03_Fix-local-scan-ABI.-Bug-2458.patch.
+ Update debian/example.conf.md5 (Removal of dnssec_request_domains was
already implemented in 4.93~RC0-1.)
* exigrep does case sensitive *option* processing (as it did for all
versions <4.90). Notably -M, -m, --invert, -I may be affected.
Closes: #927280
(This change was already present in RC0.)
exim4 (4.93~RC0-2) experimental; urgency=low
* 75_03_Fix-local-scan-ABI.-Bug-2458.patch: Fix function prototypes in
local_scan.h.
* 90_localscan_dlopen.dpatch: Unfuzz, mark
string_copy_function/string_copy_taint_function/string_copyn_function in
string.c as visible.
* Provide exim4-localscanapi-2.1.
* Drop sa-exim Breaks, the localscanapi version bump makes this superfluous.
exim4 (4.93~RC0-1) experimental; urgency=low
* Point watchfile to test-subdirectory.
* New upstream beta version.
+ Drop debian/patches/7[56]*.
+ Unfuzz 90_localscan_dlopen.dpatch.
+ Unfuzz/update (explicit -lnsl) debian/EDITME*
+ Update configuration, mirroring upstream changes.
Both dnssec_request_domains and hosts_try_dane now default to '*', drop
these settings. REMOTE_SMTP_DISABLE_DANE is a noop, now.
+ Exim DH param configuration (tls_dhparam) now makes use of the current
GnuTLS (> 3.6) functionality, which implements rfc 7919. Drop
unnecessary packaging bits.
+ Pull post release fix from upstream GIT
(75_01-Fix-HAVE_LOCAL_SCAN-build.-Bug-2457.patch) to fix build error
with HAVE_LOCAL_SCAN=yes.
+ Update 90_localscan_dlopen.dpatch to #include documented interface
(local_scan.h) instead of exim.h.
* debian/rules: Do not try to build -heavy if -light failed.
* 75_02-CHUNKING-fix-all-RCPTs-rejected-non-pipelined.-Bug-2.patch:
Post-release fix from upstream GIT.
https://bugs.exim.org/show_bug.cgi?id=2454
* The localscan dlopen functionality is broken, (temporarily) drop
exim4-localscanapi-2.0 from Provides.
exim4 (4.92.3-1) unstable; urgency=medium
* Fix (commented) examples in configuration for clamd and courier authdaemon
to refer to /run instead of /var/run. Closes: #942292
* While we are at it also fix exim pid file path in exim(8).
* New upstream version (identical to 4.92.2 +
75_36-Fix-buffer-overflow-in-string_vformat.-Bug-2449.patch, i.e.
4.92.2-3).
* Use patches from exim-4.92.3+fixes, add
75_36-Fix-errorcheck-in-smtp-transport.patch.
* [lintian] Set Rules-Requires-Root: binary-targets.
exim4 (4.92.2-3) unstable; urgency=critical
* 75_36-Fix-buffer-overflow-in-string_vformat.-Bug-2449.patch: Fix buffer
overflow in string_vformat. CVE-2019-16928
exim4 (4.92.2-2) unstable; urgency=medium
* Upload to unstable.
exim4 (4.92.2-1) experimental; urgency=medium
* New upstream security release (identical except for the version number to
4.92.1 + 77_01-string.c-do-not-interpret-before-0-CVE-2019-15846.patch).
+ Drop 77_01-string.c-do-not-interpret-before-0-CVE-2019-15846.patch.
* Refresh from exim-4.92.2+fixes branch:
+ 75_32-Fix-domain-for-a-bare-local-part-input.-Bug-2375.patch
+ 75_33-exim_dbmbuild-handle-0-sequence.patch
+ 75_34-fixup-exim_dbmbuild-handle-0-sequence.patch
exim4 (4.92.1-3) unstable; urgency=high
* 77_01-string.c-do-not-interpret-before-0-CVE-2019-15846.patch - Fix SNI
related buffer overflow. CVE-2019-15846
exim4 (4.92.1-2) unstable; urgency=medium
* Pulled from exim-4.92+fixes branch:
+ 75_30-Fix-crash-after-TLS-channel-shutdown.patch
+ 75_31-Auth-handle-socket-read-errors-in-Dovecot-authentica.patch
* Add Breaks: sa-exim (<< 4.2.1-17) to -heavy, see #930648.
* Change *.logrotate to nocreate to work around #400198.
Closes: #399930
-- Bryce Harrington <email address hidden> Wed, 13 Nov 2019 18:56:58 -0800
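The 4.93~RC2-1 entry above introduces three Debian configuration macros for outbound TLS (REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES, REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS and REMOTE_SMTP_HOSTS_REQUIRE_TLS). The fragment below is an added example of using them, not text from the package or its README.Debian: it assumes the Debian split-config layout, in which local macros go in /etc/exim4/conf.d/main/000_localmacros, and the CA bundle path and the "*" host lists are the example's choices.

```conf
# /etc/exim4/conf.d/main/000_localmacros
#
# Weak (the state when none of these macros is set): the remote_smtp_smarthost
# transport uses TLS if the smarthost offers it, but a failed certificate
# verification does not stop delivery, and a failed TLS handshake falls back
# to plaintext. A network attacker between this host and the smarthost can
# therefore downgrade or impersonate.
#
# Hardened: verify the smarthost's certificate against the system CA bundle
# and make verification mandatory for every smarthost.
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES = /etc/ssl/certs/ca-certificates.crt
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *

# For direct (non-smarthost) delivery via the remote_smtp transport, insist on
# TLS. Deliveries to MX hosts that do not offer STARTTLS are then deferred, so
# only enable this on hosts whose recipients' mail servers are known to support
# TLS, or narrow the host list instead of using "*".
REMOTE_SMTP_HOSTS_REQUIRE_TLS = *
```

After editing, run update-exim4.conf and restart the daemon so the macros are picked up by the generated configuration; exim4 -bV will report a configuration syntax error if a macro value is malformed.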
-
exim4 (4.92.1-1ubuntu4) focal; urgency=medium
* No-change rebuild for the perl update.
-- Matthias Klose <email address hidden> Fri, 18 Oct 2019 19:27:29 +0000
-
exim4 (4.92.1-1ubuntu3) eoan; urgency=medium
* SECURITY UPDATE: heap-based buffer overflow in string_vformat
- debian/patches/CVE-2019-16928.patch: fix overflow in src/string.c.
- CVE-2019-16928
-- Marc Deslauriers <email address hidden> Sat, 28 Sep 2019 11:05:50 -0400