-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 02 May 2021 07:46:24 +0200 Source: exim4 Architecture: source Version: 4.94.2-1~bpo10+1 Distribution: buster-backports Urgency: high Maintainer: Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org> Changed-By: Andreas Metzler <ametzler@debian.org> Changes: exim4 (4.94.2-1~bpo10+1) buster-backports; urgency=high . * Rebuild for buster-backports. . exim4 (4.94.2-1) unstable; urgency=high . * New upstream security release. + Release based on +fixes branch, drop 74_*diff. + Unfuzz 75_04-acl.patch. + Merge in upstream configuration change rejecting all RCPT commands after too many (more than five out of the initial ten) bad recipients. Can be disabled by setting CHECK_RCPT_NO_FAIL_TOO_MANY_BAD_RCPT. + Fixes multiple security vulnerabilities reported by Qualys and adds related robustness improvements. (Special thanks to Heiko) CVE-2020-28023: Out-of-bounds read in smtp_setup_msg() CVE-2020-28007: Link attack in Exim's log directory CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase() CVE-2020-28012: Missing close-on-exec flag for privileged pipe CVE-2020-28024: Heap buffer underflow in smtp_ungetc() CVE-2020-28009: Integer overflow in get_stdinput() CVE-2020-28015, CVE-28021: New-line injection into spool header file CVE-2020-28026: Line truncation and injection in spool_read_header() CVE-2020-28022: Heap out-of-bounds read and write in extract_option() CVE-2020-28017: Integer overflow in receive_add_recipient() CVE-2020-28013: Heap buffer overflow in parse_fix_phrase() CVE-2020-28011: Heap buffer overflow in queue_run() CVE-2020-28010: Heap out-of-bounds write in main() CVE-2020-28018: Use-after-free in tls-openssl.c CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash() CVE-2020-28014, CVE-2021-27216: PID file handling CVE-2020-28008: Assorted attacks in Exim's spool directory CVE-2020-28019: Failure to reset function pointer after BDAT error * Update debian/upstream/signing-key.asc from <https://downloads.exim.org/Exim-Maintainers-Keyring.asc>. . exim4 (4.94-19) unstable; urgency=medium . * Further updates from heiko/exim-4.94+fixes+taintwarn: + 75_24-Silence-the-compiler.patch + 75_26-Disable-taintchecks-for-mkdir-this-isn-t-part-of-4.9.patch * Upload to unstable. . exim4 (4.94-18) experimental; urgency=medium . * Pull patches to temporarily add an option to turn taint errors into warnings. (See #987133) + 75_01-Introduce-main-config-option-allow_insecure_tainted_.patch + 75_02-search.patch + 75_03-dbstuff.patch + 75_04-acl.patch + 75_05-parse.patch + 75_06-rda.patch + 75_07-appendfile.patch + 75_08-autoreply.patch + 75_09-pipe.patch + 75_10-deliver.patch + 75_11-directory.patch + 75_12-expand.patch + 75_13-lf_sqlperform.patch + 75_14-rf_get_transport.patch + 75_15-deliver.patch + 75_16-smtp_out.patch + 75_17-smtp.patch + 75_18-update-doc.patch + 75_20-Set-mainlog_name-and-rejectlog_name-unconditionally.patch + 75_21-tidy-log.c.patch + 75_22-Silence-compiler.patch + 75_23-Do-not-close-the-main-_log-if-we-do-not-see-a-chance.patch * Update NEWS.Debian to describe the feature. Checksums-Sha1: 89393142fa30aa0cebef8de5f676541ebcf9a40a 2927 exim4_4.94.2-1~bpo10+1.dsc 5bdf0d70a4aa9f7abd79bf1d891920f3e43c8741 476236 exim4_4.94.2-1~bpo10+1.debian.tar.xz Checksums-Sha256: efa9ce0c9a87ac8efeabd30335d62d2bb4b0355a952da20ea503cc1f75082670 2927 exim4_4.94.2-1~bpo10+1.dsc c16278fe9226c6f24a0bfa096344f46fcd64ce3b03d6fe2a0e8ca29e00b648c6 476236 exim4_4.94.2-1~bpo10+1.debian.tar.xz Files: 1feeb5aa86b51e1fb0b4b3e00c182354 2927 mail standard exim4_4.94.2-1~bpo10+1.dsc 44b282f99d18065da81ab9fcefb88028 476236 mail standard exim4_4.94.2-1~bpo10+1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE0uCSA5741Jbt9PpepU8BhUOCFIQFAmCQTaYACgkQpU8BhUOC FIT5tw/9FM3ASGxP8ltw4BS3Ul8ZfsBpFTFh22gi2wmdqZJadTsnDpiZSOZ/tz/s 2guggv6ntPed9OoLmyyAU174vu7UvveUcWWvWngPaU11MQJzFWuuBAUgr2qW/l5+ atuuHKvQv57dUCDnbej2CcXbv9ougttPyW7OLhsplKUkoqTizPoAgMnd/H4ESz0I LnBINaD2Vb/LsYzsOvl/tkC/tY2brj5WiaSfHY73uGp3weKF81RmDywOLEtr4+4O XXKB/UKf9coXoP9X/6Ss63F1OPHOLMl0dEQq/5l3/PWHTiIPxTpoqEX1jbBo0bAn Ev7LUkbFyL33QtxAvSn+Hk3dRNz6Z2GF524tI5B63M2bISSoSAGzyrnBQZYs9XaZ yf24/61fEEzkGlnpbfI2Qdxha0OieRktghnCrOsP0wzpO1Kra1p3cnP3cSUElWX3 wUvS5nJ5yeYm5dExhw2o6Fhtw7vI2Vz72FzuvZE5LvsVrYDJA9AOuCoKq+Mm1xrS hzJJdlPvYjWkrR1rPH8zD+EBdAXZicH/y2OBymJBVeNFrF1skrodlaIkUFyB3he2 zo+mpWJb42dz4aRr+Qsv4RDG/TxWoj9BFOiVygcIN59TvBgHdANIEj9F5HxYWz7v OR+Vje0fj5tkVMeU1ueA9U+JEHU6q1hEctzbYI+suSLzopGm5Ms= =KXlc -----END PGP SIGNATURE-----