-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 29 Apr 2026 18:31:55 +0200
Source: exim4
Architecture: source
Version: 4.99.2-1
Distribution: unstable
Urgency: high
Maintainer: Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Changes:
exim4 (4.99.2-1) unstable; urgency=high
.
* Update Jeremy's key to get new signing subkey.
Adds 745A3503EC71104253C5D4490F04D14A28EAFA16
* New upstream security release.
+CVE-2026-40684 Possible crash with malicious DNS data when using musl libc
On systems using musl libc (not glibc) due to an oddity in octal
printing it is possible to crash the connection instance when malformed
DNS data is present in PTR records.
+CVE-2026-40685 Possible OOB read/write on corrupt JSON in header
configurations using json operators on invalid externally-provided input
could trigger heap corruption.
+CVE-2026-40686 Possible OOB read with large UTF8 trailing characters
configurations using utf8 operators on malformed utf8 in headers could
trigger OOB reads and might trigger some data leak if error messages are
required for subsequent emails in the current connection and similar
malformed headers are present.
+CVE-2026-40687 Possible OOB read/write with SPA authenticator
in configurations using the SPA authentication driver to a
hostile/compromised external SPA/NTLM connection it is possible to
trigger an OOB read/write and crash the connection instance or possibly
leak heap data to the instance.
Checksums-Sha1:
13e65d90f72a7cb45572bb778cc362e988358116 3382 exim4_4.99.2-1.dsc
f981106764a1e28584755933eb02eee1963a4abd 1962424 exim4_4.99.2.orig.tar.xz
87e17d6d24af8ab4258ea28fc9086a2edca2a561 252 exim4_4.99.2.orig.tar.xz.asc
88e298abd9bae5eda4e21d6accb12bf1a2455356 494892 exim4_4.99.2-1.debian.tar.xz
Checksums-Sha256:
ea466cb5b0018b749cd7bf96eae02d69129130a8b7b57a1883f3d397ab362c28 3382 exim4_4.99.2-1.dsc
25364f19988270d846965689dd29c662cf5de152639875d0d5352a69fd753a47 1962424 exim4_4.99.2.orig.tar.xz
bd6dd537a25bb509c31f97b0558eaa7d7546dc216c04dc65daf0c90984e8872c 252 exim4_4.99.2.orig.tar.xz.asc
d515128cd87773779ca33ffa83d5f27c475d49843c3e411b5a9b071c26bc5c26 494892 exim4_4.99.2-1.debian.tar.xz
Files:
af56f9a5bb53236bf4c72b2003235cf6 3382 mail standard exim4_4.99.2-1.dsc
8e8fa4ac154e29468b33db973b4d488b 1962424 mail standard exim4_4.99.2.orig.tar.xz
f94cb1085596d263853a3eec0659e0f7 252 mail standard exim4_4.99.2.orig.tar.xz.asc
594c10931cd8bb6db27b92dfd337b0c7 494892 mail standard exim4_4.99.2-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----