Univention Bugzilla – Bug 53235
exim4: Multiple issues (4.4)
Last modified: 2021-05-12 13:37:37 CEST
New Debian exim4 4.89-2+deb9u8A~4.4.8.202105100950 fixes:
This update addresses the following issues:
* exim4 (CVE-2020-28007)
* exim4 (CVE-2020-28008)
* exim4 (CVE-2020-28009)
* exim4 (CVE-2020-28011)
* exim4 (CVE-2020-28012)
* exim4 (CVE-2020-28013)
* exim4 (CVE-2020-28014)
* exim4 (CVE-2020-28015)
* exim4 (CVE-2020-28017)
* exim4 (CVE-2020-28019)
* exim4 (CVE-2020-28020)
* exim4 (CVE-2020-28021)
* exim4 (CVE-2020-28022)
* exim4 (CVE-2020-28023)
* exim4 (CVE-2020-28024)
* exim4 (CVE-2020-28025)
* exim4 (CVE-2020-28026)
--- mirror/ftp/4.4/unmaintained/4.4-5/source/exim4_4.89-2+deb9u7A~4.4.4.202005181633.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/exim4_4.89-2+deb9u8A~4.4.8.202105100950.dsc 
@@ -1,7 +1,32 @@ -4.89-2+deb9u7A~4.4.4.202005181633 [Mon, 18 May 2020 16:33:56 +0200] Univention builddaemon <buildd@univention.de>: +4.89-2+deb9u8A~4.4.8.202105100950 [Mon, 10 May 2021 09:58:28 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 10_default-mta + +4.89-2+deb9u8 [Tue, 04 May 2021 11:03:02 +0200] Thorsten Alteholz <debian@alteholz.de>: + + * Non-maintainer upload by the LTS Team. + * Fix several security vulnerabilities reported by Qualys and add related + robustness improvements. (Originally fixed in upstream release 4.94.3 and + in upstream GIT branch exim-4.92.3+fixes. (Special thanks to Heiko) + + CVE-2020-28007: Link attack in Exim's log directory + + CVE-2020-28008: Assorted attacks in Exim's spool directory + + CVE-2020-28009: Integer overflow in get_stdinput() + + CVE-2020-28011: Heap buffer overflow in queue_run() + + CVE-2020-28012: Missing close-on-exec flag for privileged pipe + + CVE-2020-28013: Heap buffer overflow in parse_fix_phrase() + + CVE-2020-28014, CVE-2021-27216: Arbitrary PID file creation, clobbering, + and deletion. + + CVE-2020-28015 and CVE-2020-28021: New-line injection into spool header + file. + + CVE-2020-28017: Integer overflow in receive_add_recipient() + + CVE-2020-28019: Failure to reset function pointer after BDAT error + + CVE-2020-28020: More checks on header line length during reception + + CVE-2020-28022: Heap out-of-bounds read and write in extract_option() + + CVE-2020-28023: Out-of-bounds read in smtp_setup_msg() + + CVE-2020-28024: Heap buffer underflow in smtp_ungetc() + + CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash() + + CVE-2020-28026: Line truncation and injection in spool_read_header() 4.89-2+deb9u7 [Wed, 13 May 2020 18:18:26 +0200] Andreas Metzler <ametzler@debian.org>: <http://piuparts.knut.univention.de/4.4-8/#1153284034668251520>
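Review bot: the changelog hunk lists CVE-2021-27216 together with CVE-2020-28014 ("Arbitrary PID file creation, clobbering, and deletion"), but the erratum description at the top of this bug enumerates only the CVE-2020-28xxx identifiers; add CVE-2021-27216 to the erratum's issue list so the published advisory matches the changelog. Also, the parenthetical "(Originally fixed in upstream release 4.94.3 and in upstream GIT branch exim-4.92.3+fixes. (Special thanks to Heiko)" is missing its closing parenthesis.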
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts
[4.4-8] 00f916b670 Bug #53235: exim4 4.89-2+deb9u8A~4.4.8.202105100950
 doc/errata/staging/exim4.yaml | 44 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x971>