[From nobody Sun May  3 17:34:06 2026
Received: (at 1134984-close) by bugs.debian.org; 3 May 2026 16:33:06 +0000
Return-path: <envelope@ftp-master.debian.org>
Received: from mailly.debian.org ([2001:41b8:202:deb:6564:a62:52c3:4b72]:60760)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>)
 id 1wJZkg-004wut-2t for 1134984-close@bugs.debian.org;
 Sun, 03 May 2026 16:33:06 +0000
Received: via submission
 from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA,
 CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified)
 by mailly.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>)
 id 1wJZkf-0021kT-21 for 1134984-close@bugs.debian.org;
 Sun, 03 May 2026 16:33:05 +0000
Received: from dak by fasolo.debian.org with local (Exim 4.98.2)
 (envelope-from <envelope@ftp-master.debian.org>)
 id 1wJZke-00000009XI1-2r8I; Sun, 03 May 2026 16:33:04 +0000
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Reply-To: Andreas Metzler <ametzler@debian.org>
To: 1134984-close@bugs.debian.org
X-DAK: dak process-policy
X-Debian: DAK
X-Debian-Package: exim4
Debian: DAK
Debian-Changes: exim4_4.96-15+deb12u8_multi.changes
Debian-Source: exim4
Debian-Version: 4.96-15+deb12u8
Debian-Architecture: source
Debian-Suite: oldstable-proposed-updates
Debian-Archive-Action: accept
MIME-Version: 1.0
Subject: Bug#1134984: fixed in exim4 4.96-15+deb12u8
Content-Type: multipart/signed; micalg="pgp-sha256";
 protocol="application/pgp-signature";
 boundary="===============9146995232579952577=="
Message-Id: <E1wJZke-00000009XI1-2r8I@fasolo.debian.org>
Date: Sun, 03 May 2026 16:33:04 +0000

--===============9146995232579952577==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Source: exim4
Source-Version: 4.96-15+deb12u8
Done: Andreas Metzler <ametzler@debian.org>

We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1134984@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated exim4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 May 2026 11:33:47 +0200
Source: exim4
Architecture: source
Version: 4.96-15+deb12u8
Distribution: bookworm
Urgency: medium
Maintainer: Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Closes: 1134984
Changes:
 exim4 (4.96-15+deb12u8) bookworm; urgency=medium
 .
   * Fix GnuTLS hostname verify of a server certificate with a zero-length
     Subject. Patch from upstream GIT master (Closes: #1134984)
   * Pull CVE-fixes from 4.99.2
     +CVE-2026-40684  Possible crash with malicious DNS data when using musl
      libc. On systems using musl libc (not glibc), due to an oddity in octal
      printing, it is possible to crash the connection instance when malformed
      DNS data is present in PTR records.
     +CVE-2026-40685  Possible OOB read/write on corrupt JSON in header.
      Configurations using json operators on invalid externally-provided input
      could trigger heap corruption.
     +CVE-2026-40686  Possible OOB read with large UTF8 trailing characters.
      Configurations using utf8 operators on malformed utf8 in headers could
      trigger OOB reads and might trigger some data leak if error messages are
      required for subsequent emails in the current connection and similar
      malformed headers are present.
     +CVE-2026-40687  Possible OOB read/write with SPA authenticator. In
      configurations using the SPA authentication driver to a
      hostile/compromised external SPA/NTLM connection, it is possible to
      trigger an OOB read/write and crash the connection instance or possibly
      leak heap data to the instance.
     +As a pre-dependency to the patchset also add the fix for upstream Bug
      3106 from 4.99.
Checksums-Sha1:
 dd1cdc14573010c47f6adcc86d60184f88deb3f5 2923 exim4_4.96-15+deb12u8.dsc
 c6fad317505ae338b469f3744b97d75825b304cb 518040 exim4_4.96-15+deb12u8.debian.tar.xz
Checksums-Sha256:
 81e485dba59d696c93b205cd3bdcc1ca19bc600a606080d1937551b55424b7b0 2923 exim4_4.96-15+deb12u8.dsc
 4f0b97836206d3b30c221e05ad571f2df88e856a6213dc7e39ee8262b2c7db0e 518040 exim4_4.96-15+deb12u8.debian.tar.xz
Files:
 86bad2b4b5ec640fd5cac3a153f65d5f 2923 mail standard exim4_4.96-15+deb12u8.dsc
 76490c2928c445b0a7686e4c0d4ef6a1 518040 mail standard exim4_4.96-15+deb12u8.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----


--===============9146995232579952577==
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--===============9146995232579952577==--
]