Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <>
Subject: Accepted exim4 4.96-15+deb12u10 (source) into oldstable-security
Date: Fri, 29 May 2026 15:34:37 +0000
Signed by: Andreas Metzler <ametzler@debian.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 May 2026 18:52:26 +0200
Source: exim4
Architecture: source
Version: 4.96-15+deb12u10
Distribution: bookworm-security
Urgency: high
Maintainer: Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Changes:
 exim4 (4.96-15+deb12u10) bookworm-security; urgency=high
 .
   * Cherry-pick fix for EXIM-Security-2026-05-19.1 from 4.99.4.
     Security: PROXYv2 parser: reject PROXY frames whose declared payload
     length is too short for the claimed address family (12 bytes for
     TCPv4/0x11, 36 bytes for TCPv6/0x21).  Previously a frame with
     family=0x21 and len=0 caused 16 bytes of uninitialized stack to be
     formatted as the sender's IPv6 address and disclosed in the SMTP
     greeting banner.  Affects configurations with SUPPORT_PROXY and
     `hosts_proxy` set.  Reported by Warisjeet Singh (sin99xx).
Checksums-Sha1: 
 b3e376cab8722ef0278336b19001a18136a0091f 2927 exim4_4.96-15+deb12u10.dsc
 1ff8dd1f32c8448824fb82371f55c4626b3485f3 520300 exim4_4.96-15+deb12u10.debian.tar.xz
Checksums-Sha256: 
 3904d44f94b8a9bc76911f882aa13dc45c842c34c6204c1f707a867fb47ac622 2927 exim4_4.96-15+deb12u10.dsc
 06c9e3c699a4171e7765369e87a883861252a70f436675d214ade95ee4435050 520300 exim4_4.96-15+deb12u10.debian.tar.xz
Files: 
 76d06816770ed9c062942ccb8be11b78 2927 mail standard exim4_4.96-15+deb12u10.dsc
 e9ae3fc3fc2d975bf9eaab9da0256e3b 520300 mail standard exim4_4.96-15+deb12u10.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0uCSA5741Jbt9PpepU8BhUOCFIQFAmoYcJ8ACgkQpU8BhUOC
FIQ/vA//eKWY9dSbbsHzBfUx29d1U6WR2bxNPskrOy1wv3tn6382z5CadPBTlh45
ShrHb8NOUPwpJHA1gFWoGbKJZDZKTXJ/W4wH4mGnuJSC7RQB3/vk870sgXtTikkY
tS2fPshdj4XVULb+gnKR6zIEOIjlhgLKi9KIyGGTKU/rvEOoypFujzaBs1QCa0VY
6OvSjAxjSuvvKY4Y8d6WuGRligV0LYvwEgQBI4PuCtYq8BpxmumSheX9kUVvs/Bb
+SFmKztEfohjbhz7FVkL5089cdKZFkRIVsAyEhY31XutMQ2v5bojOx8vB6LQ/G6c
+WL+wmyVnQhcvjWXUQdZyJK2CpeqSMkboq8FilHO4ju3a4t6Knpn52lxOzvU1JWe
8FtmUDhfo59EQgV1AQ/1E3hF9zLhng4SGrInPbvmTrcx6Tdak3taqBsnPyO1lPlp
4N/vQSPCS7kyPQFc484DjJK3LFgP4gFBKd45JfgDpgHPbLYPPTS9QOxIQ8KRVh70
aYriwTejGr8uzGnFoCZhUsMJ1McQOhNgWA8+n1exfKDUg4WD2xQVGllGBhHrmTxr
ghp+qgszHqNy6V0oID9ut8iS1ZuHisDdUIx9koTo9thwi5cgiHsIS1Fln2dGV7ES
uRlndT9LNSgzgCvtbAzfIcfLJp47886SWXyXsQikOwbU6TRwJlY=
=CdvD
-----END PGP SIGNATURE-----

News for package exim4