-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 02 May 2021 07:22:06 +0200
Source: exim4
Architecture: source
Version: 4.94.2-1
Distribution: unstable
Urgency: high
Maintainer: Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Changes:
 exim4 (4.94.2-1) unstable; urgency=high
 .
   * New upstream security release.
     + Release based on +fixes branch, drop 74_*diff.
     + Unfuzz 75_04-acl.patch.
     + Merge in upstream configuration change rejecting all RCPT commands
       after too many (more than five out of the initial ten) bad recipients.
       Can be disabled by setting CHECK_RCPT_NO_FAIL_TOO_MANY_BAD_RCPT.
     + Fixes multiple security vulnerabilities reported by Qualys and adds
       related robustness improvements. (Special thanks to Heiko)
       CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
       CVE-2020-28007: Link attack in Exim's log directory
       CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
       CVE-2020-28012: Missing close-on-exec flag for privileged pipe
       CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
       CVE-2020-28009: Integer overflow in get_stdinput()
       CVE-2020-28015, CVE-2020-28021: New-line injection into spool header file
       CVE-2020-28026: Line truncation and injection in spool_read_header()
       CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
       CVE-2020-28017: Integer overflow in receive_add_recipient()
       CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
       CVE-2020-28011: Heap buffer overflow in queue_run()
       CVE-2020-28010: Heap out-of-bounds write in main()
       CVE-2020-28018: Use-after-free in tls-openssl.c
       CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
       CVE-2020-28014, CVE-2021-27216: PID file handling
       CVE-2020-28008: Assorted attacks in Exim's spool directory
       CVE-2020-28019: Failure to reset function pointer after BDAT error
   * Update debian/upstream/signing-key.asc from
     <https://downloads.exim.org/Exim-Maintainers-Keyring.asc>.
Checksums-Sha1:
 cb3dd1f144684dacb2b5d19ba9f75752efae915f 2895 exim4_4.94.2-1.dsc
 4854541833583d82c6e667d3dde566d41162eec3 1838076 exim4_4.94.2.orig.tar.xz
 a042b2dcaee770d7a5c54c8434b27cf10a902aa3 488 exim4_4.94.2.orig.tar.xz.asc
 212cee0aa8b073516429400b46bc682c89ab4f1c 476256 exim4_4.94.2-1.debian.tar.xz
Checksums-Sha256:
 4d12351debb131a8f35f27a51c2a1f261b04a3b18443037a9dd05cead71947b3 2895 exim4_4.94.2-1.dsc
 051861fc89f06205162f12129fb7ebfe473383bb6194bf8642952bfd50329274 1838076 exim4_4.94.2.orig.tar.xz
 5546fb401d778bc8c8df35d9584612d10a4a896cde5f130c119f98297a18df73 488 exim4_4.94.2.orig.tar.xz.asc
 6e06b69debd150b2a60981ff326fc2c3fa6cfb3ecf97157e101312ba6f581bca 476256 exim4_4.94.2-1.debian.tar.xz
Files:
 2f475fee610f9f6bfb437d65d13a277f 2895 mail standard exim4_4.94.2-1.dsc
 4fbf1ebb36f0f43bb94ed0848eb13256 1838076 mail standard exim4_4.94.2.orig.tar.xz
 ceddf936e03226c4364c4c59e7461788 488 mail standard exim4_4.94.2.orig.tar.xz.asc
 27956e55a282d674d0ff71311f67222a 476256 mail standard exim4_4.94.2-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0uCSA5741Jbt9PpepU8BhUOCFIQFAmCQTagACgkQpU8BhUOC
FIQqFg/+Kyj7SK79J6+43YUTJOChTc2QZu9/hjg5fednLbzayID42l6VRFYnZTT4
PnsMB2h2WACSYdXLUXjEb6yPS+Ix44v1FT4tHZteSaiVDD24qf8TLZDhqOejJCZ0
v2cF/9QKeaiCobnoLxbq1MJhA23+4BpRCXJgTmLxnSmbGRBrmkyzeMjRCiq+L5el
A13K7rh8JbaPhOoKgq9vp1R8zVgXw1wdT02WGE6HTiK+ChahkJXhUX4KchcLunVq
huQ8a3eI+Zw73VTn2oEms22EIJ64FXpQE4k593szHoo//Jg87U6Ydm0s2cuTG6gx
BR5PcoybZvSG1UvM1+m1yRDRmc+goQYEDmY+EDsLakfeux10DIRkhmM9lKlhKoLE
DlQUxOS4Xkh+eptQqyHFq0wMEfh318qRsQhZK7k15w6pxfa7LgTLVEKxzmuYZzJm
AW2iXzYm/eArnP0XF201z1gVv/f4SlYI7yQqhcN/pQPzuEY21es4sDuo+AN6i+QA
yu8tj3lXL4f0JOpSffbsMPEkwYL9lbkqo5/4m9BCahkKt3GJDXi5kX4olnB7B1Mk
Kd5+BqbRVvyF1jinYCLXVaVgCSfJwxFnnEYviQ+i39v10+gYc/defL6l5+56wxc8
57/s7Ud1FGWb/5plBFvfG2BGdUsgmWOKC/ZZ3lcYWyF0XexlEi0=
=EOpS
-----END PGP SIGNATURE-----
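The Checksums-Sha256 field above is what ties the signed .changes file to the actual source artifacts, so the practical check is: verify the PGP signature against the Debian keyring (gpg --verify, or dscverify from devscripts), then hash the downloaded files and compare size and digest against the signed list. The following is an added example, not code from the exim4 package or from Debian tooling, that parses one checksum field of a .changes file and verifies the named files in a directory. The SAMPLE_CHANGES text is a constructed excerpt of the stanza above, and demo_roundtrip() builds its own throwaway files, so the script runs offline.

```python
"""Parse a Checksums-* field of a Debian .changes file and verify the files.

Added example; not part of the exim4 package. Field syntax is RFC 822-like:
the field name on its own line, then one continuation line per file of the
form " <hexdigest> <size> <filename>".
"""
import hashlib
import os
import re
import tempfile

# Constructed excerpt of the Checksums-Sha256 stanza of the .changes above.
SAMPLE_CHANGES = """\
Format: 1.8
Source: exim4
Checksums-Sha256:
 4d12351debb131a8f35f27a51c2a1f261b04a3b18443037a9dd05cead71947b3 2895 exim4_4.94.2-1.dsc
 051861fc89f06205162f12129fb7ebfe473383bb6194bf8642952bfd50329274 1838076 exim4_4.94.2.orig.tar.xz
Files:
 2f475fee610f9f6bfb437d65d13a277f 2895 mail standard exim4_4.94.2-1.dsc
"""

_ENTRY = re.compile(r"^ ([0-9a-fA-F]+) (\d+) (\S+)$")


def parse_field_entries(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one checksum field.

    Only the indented continuation lines directly under the named field are
    consumed; the next non-indented line ends the field. Filenames carrying
    a path component are rejected so a hostile .changes cannot steer the
    verifier outside the download directory.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not in_field:
            in_field = line == field + ":"
            continue
        if not line.startswith(" "):
            break
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError("malformed checksum line: %r" % line)
        digest, size, name = m.groups()
        if "/" in name or name in (".", ".."):
            raise ValueError("refusing path component in filename: %r" % name)
        entries[name] = (digest.lower(), int(size))
    if not entries:
        raise ValueError("field %s missing or empty" % field)
    return entries


def verify_files(directory, entries, algorithm="sha256"):
    """Hash each listed file in `directory`; compare size, then digest.

    Returns {filename: bool}. A missing file or a digest of the wrong length
    for `algorithm` counts as a failure rather than raising.
    """
    want_len = hashlib.new(algorithm).digest_size * 2
    results = {}
    for name, (expected_digest, expected_size) in entries.items():
        path = os.path.join(directory, name)
        if (len(expected_digest) != want_len or not os.path.isfile(path)
                or os.path.getsize(path) != expected_size):
            results[name] = False
            continue
        h = hashlib.new(algorithm)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        results[name] = h.hexdigest() == expected_digest
    return results


def demo_roundtrip():
    """Self-check on constructed files: one intact, one same-size tamper,
    one missing. The tamper case shows why the size check alone is not enough."""
    d = tempfile.mkdtemp()
    good = b"constructed stand-in for an orig.tar.xz\n"
    with open(os.path.join(d, "good.tar.xz"), "wb") as f:
        f.write(good)
    with open(os.path.join(d, "tampered.tar.xz"), "wb") as f:
        f.write(good[:-1] + b"!")  # same length, different bytes
    text = "Checksums-Sha256:\n"
    for name in ("good.tar.xz", "tampered.tar.xz", "missing.tar.xz"):
        text += " %s %d %s\n" % (hashlib.sha256(good).hexdigest(), len(good), name)
    return verify_files(d, parse_field_entries(text))


if __name__ == "__main__":
    print(parse_field_entries(SAMPLE_CHANGES))
    print(demo_roundtrip())
```

Against a real download, call verify_files("/path/to/downloads", parse_field_entries(open("exim4_4.94.2-1_source.changes").read())). The checksums only mean something if the .changes signature itself has been verified first; an attacker who can replace the tarball can replace an unsigned checksum list just as easily.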