Bug#992172: exim4: CVE-2021-38371

Moritz Mühlenhoff jmm at inutil.org
Wed Mar 15 16:18:15 GMT 2023


On Sun, Aug 15, 2021 at 07:21:40AM +0200, Andreas Metzler wrote:
> On 2021-08-14 Salvatore Bonaccorso <carnil at debian.org> wrote:
> > Source: exim4
> > Version: 4.94.2-7
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> 
> > Hi,
> 
> > The following vulnerability was published for exim4, this is to start
> > tracking the issue downstream for us. Note that at time of writing [2]
> > still gives a 404.
> 
> > CVE-2021-38371[0]:
> > | The STARTTLS feature in Exim through 4.94.2 allows response injection
> > | (buffering) during MTA SMTP sending.
> [...]
> 
> IIRC that is mitigated in experimental (4.95 rc) by ALPN and unknown
> command related changes, I will not be able to check in detail for a
> week or so, though.

Do you know if this is fixed in 4.96/bookworm?

Cheers,
        Moritz


