Bug#992172: exim4: CVE-2021-38371

Andreas Metzler ametzler at bebt.de
Thu Mar 16 17:21:47 GMT 2023


On 2023-03-15 Moritz Mühlenhoff <jmm at inutil.org> wrote:
> On Sun, Aug 15, 2021 at 07:21:40AM +0200, Andreas Metzler wrote:
> > On 2021-08-14 Salvatore Bonaccorso <carnil at debian.org> wrote:
[...]
> > > CVE-2021-38371[0]:
> > > | The STARTTLS feature in Exim through 4.94.2 allows response injection
> > > | (buffering) during MTA SMTP sending.
> > [...]
> > 
> > IIRC that is mitigated in experimental (4.95 rc) by ALPN and unknown
> > command related changes, I will not be able to check in detail for a
> > week or so, though.

> Do you know if this is fixed in 4.96/bookworm?

Yes it is. 4.95 and later are fine.
https://lists.exim.org/lurker/message/20230315.200011.3128be8e.en.html

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


