Bug#1053310: exim4-base: Various severe CVE reports are outstanding
Rainer Dorsch
ml at bokomoko.de
Sun Oct 1 13:48:34 BST 2023
Package: exim4-base
Version: 4.94.2-7
Severity: critical
Justification: breaks the whole system
Dear Maintainer,
There are various CVE reports with a rating of 9.8/10.
CVE-2023-42119
CVE-2023-42118
CVE-2023-42117
CVE-2023-42116
CVE-2023-42115
CVE-2023-42114
It would help if there were a statement by the Debian exim maintainer team on when updates are expected to arrive.
This would at least help to judge whether I should migrate my systems to postfix or whether I can wait for a bugfix.
-- Package-specific info:
Exim version 4.94.2 #2 built 13-Jul-2021 16:04:57
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event I18N OCSP PIPE_CONNECT PRDR PROXY SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /var/lib/exim4/config.autogenerated
-- System Information:
Debian Release: 11.7
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-25-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages exim4-base depends on:
ii adduser 3.118
ii cron [cron-daemon] 3.0pl1-137
ii debconf [debconf-2.0] 1.5.77
ii exim4-config [exim4-config-2] 4.94.2-7
ii libc6 2.31-13+deb11u6
ii libdb5.3 5.3.28+dfsg1-0.8
ii lsb-base 11.1.0
ii netbase 6.3
ii systemd-sysv 247.3-7+deb11u4
Versions of packages exim4-base recommends:
ii mailutils [mailx] 1:3.10-3+b1
ii psmisc 23.4-2
Versions of packages exim4-base suggests:
ii emacs-gtk [mail-reader] 1:27.1+1-3.1+deb11u2
pn exim4-doc-html | exim4-doc-info <none>
pn eximon4 <none>
ii file 1:5.39-3+deb11u1
ii mailutils [mail-reader] 1:3.10-3+b1
ii openssl 1.1.1n-0+deb11u5
pn spf-tools-perl <none>
pn swaks <none>
-- Configuration Files:
/etc/logrotate.d/exim4-base changed [not included]
/etc/logrotate.d/exim4-paniclog changed [not included]
-- debconf information excluded