[Git][security-tracker-team/security-tracker][master] Reserve DSA number for exim4 update and cleanup data

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue May 12 15:20:44 BST 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
79ea49a7 by Salvatore Bonaccorso at 2026-05-12T16:19:33+02:00
Reserve DSA number for exim4 update and cleanup data

- - - - -


4 changed files:

- data/CVE/list
- data/DSA/list
- data/next-oldstable-point-update.txt
- data/next-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,6 +1,9 @@
 CVE-2026-XXXX [Exim-Security-2026-05-01.1: TLS: on rxd close with CHUNKING active, clean the input processing stack]
 	- exim4 <unfixed>
+	[trixie] - exim4 4.98.2-1+deb13u2
+	[bookworm] - exim4 4.96-15+deb12u9
 	NOTE: https://code.exim.org/exim/exim/commit/040c1ce6889f435206677ed532c9a4185cf0bcaf
+	NOTE: https://www.openwall.com/lists/oss-security/2026/05/12/4
 CVE-2026-44931
 	- malcontent <not-affected> (Vulnerable code introduced later)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/11/1
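Review bot: The unstable line `- exim4 <unfixed>` in the CVE-2026-XXXX entry is left unchanged while `[trixie]` and `[bookworm]` gain fixed versions, so the entry now records the stable releases as fixed and unstable as still open. If an unstable upload containing the referenced upstream commit already exists, record its version here; otherwise this line needs a follow-up when that upload lands. The entry also still uses the CVE-2026-XXXX placeholder and will need renaming once an id is assigned.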
@@ -8411,14 +8414,10 @@ CVE-2026-40685 (In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bo
 	NOTE: JSON lookup support not enabled in Debian
 CVE-2026-40686 (In Exim before 4.99.2, when utf8 operators are enabled, there is an ou ...)
 	- exim4 4.99.2-1
-	[trixie] - exim4 <no-dsa> (Minor issue)
-	[bookworm] - exim4 <no-dsa> (Minor issue)
 	[bullseye] - exim4 <postponed> (Minor issue; can be fixed in next update)
 	NOTE: Fixed by: https://code.exim.org/exim/exim/commit/f2570bde16fb4d4a1242ff363a4c4eecf6372efc
 CVE-2026-40687 (In Exim before 4.99.2, when the SPA authentication driver is used with ...)
 	- exim4 4.99.2-1
-	[trixie] - exim4 <no-dsa> (Minor issue)
-	[bookworm] - exim4 <no-dsa> (Minor issue)
 	[bullseye] - exim4 <postponed> (Minor issue; can be fixed in next update)
 	NOTE: Fixed by: https://code.exim.org/exim/exim/commit/68b963b9f75ca27b38e1c0f8c87037990199f505
 CVE-2026-7466 (AgentFlow contains an arbitrary code execution vulnerability that allo ...)
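Review bot: With the `<no-dsa>` lines dropped, CVE-2026-40686 and CVE-2026-40687 carry no `[trixie]` or `[bookworm]` line at all, unlike the CVE-2026-XXXX entry in the first hunk, which gets explicit `4.98.2-1+deb13u2` and `4.96-15+deb12u9` lines. If the release lines for these two entries are expected to be derived from the DSA-6265-1 entry in data/DSA/list, a word in the commit message would make that clear; otherwise add the same two release lines here so the stable status is not judged only against the unstable version `4.99.2-1`.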


=====================================
data/DSA/list
=====================================
@@ -1,3 +1,7 @@
+[12 May 2026] DSA-6265-1 exim4 - security update
+	{CVE-2026-40684 CVE-2026-40685 CVE-2026-40686 CVE-2026-40687}
+	[bookworm] - exim4 4.96-15+deb12u9
+	[trixie] - exim4 4.98.2-1+deb13u2
 [11 May 2026] DSA-6264-1 dnsmasq - security update
 	{CVE-2026-2291 CVE-2026-4890 CVE-2026-4891 CVE-2026-4892 CVE-2026-4893 CVE-2026-5172}
 	[bookworm] - dnsmasq 2.90-4~deb12u2
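Review bot: The CVE set in braces omits the Exim-Security-2026-05-01.1 TLS/CHUNKING issue, although data/CVE/list in this same commit marks it fixed in exactly these two versions (`4.96-15+deb12u9` and `4.98.2-1+deb13u2`). It only has a CVE-2026-XXXX placeholder, so it cannot be listed yet; the id should be added to this entry once it is assigned. Separately, CVE-2026-40685 is listed here while its data/CVE/list entry carries `NOTE: JSON lookup support not enabled in Debian`, so it is worth confirming that it belongs in the advisory's CVE set.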


=====================================
data/next-oldstable-point-update.txt
=====================================
@@ -352,14 +352,6 @@ CVE-2024-57392
 	[bookworm] - proftpd-dfsg 1.3.8+dfsg-4+deb12u5
 CVE-2026-42167
 	[bookworm] - proftpd-dfsg 1.3.8+dfsg-4+deb12u5
-CVE-2026-40684
-	[bookworm] - exim4 4.96-15+deb12u8
-CVE-2026-40685
-	[bookworm] - exim4 4.96-15+deb12u8
-CVE-2026-40686
-	[bookworm] - exim4 4.96-15+deb12u8
-CVE-2026-40687
-	[bookworm] - exim4 4.96-15+deb12u8
 CVE-2026-28525
 	[bookworm] - swupdate 2022.12+dfsg-4+deb12u2
 CVE-2019-5427
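Review bot: The four removed entries tracked `4.96-15+deb12u8` for the bookworm point release, whereas DSA-6265-1 ships `4.96-15+deb12u9`. Nothing in this file records the deb12u8 upload any more, so confirm that it has been withdrawn or superseded by the security upload rather than left pending for the point release.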


=====================================
data/next-point-update.txt
=====================================
@@ -368,14 +368,6 @@ CVE-2026-42167
 	[trixie] - proftpd-dfsg 1.3.8.c+dfsg-4+deb13u2
 CVE-2026-41035
 	[trixie] - rsync 3.4.1+ds1-5+deb13u2
-CVE-2026-40684
-	[trixie] - exim4 4.98.2-1+deb13u1
-CVE-2026-40685
-	[trixie] - exim4 4.98.2-1+deb13u1
-CVE-2026-40686
-	[trixie] - exim4 4.98.2-1+deb13u1
-CVE-2026-40687
-	[trixie] - exim4 4.98.2-1+deb13u1
 CVE-2026-33721
 	[trixie] - mapserver 8.4.0-4+deb13u2
 CVE-2026-35386
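Review bot: As in the oldstable file, the removed trixie entries pointed at `4.98.2-1+deb13u1` while the DSA entry uses `4.98.2-1+deb13u2`. Confirm that the deb13u1 point-update upload is no longer pending before dropping its only record here.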



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79ea49a715bd4b390d24e4dfda68a955433068bf
