Bug#1135538: trixie-pu: package exim4/4.98.2-1+deb13u1

Andreas Metzler ametzler at bebt.de
Sat May 2 12:42:54 BST 2026


Package: release.debian.org
Severity: normal
Tags: trixie
Control: affects -1 + src:exim4
User: release.debian.org at packages.debian.org
Usertags: pu

Hello,

after discussion with the security team I would like to fix a couple of
CVEs and, unrelated to that, an interoperability issue via
stable/oldstable uploads:

a) All the CVE fixes from the recent security update 4.99.2:
* CVE-2026-40684  Possible crash with malicious DNS data when using musl
  libc ...
  While we do not use musl libc, it is a small contained patch, so I would
  still prefer to include it.
* CVE-2026-40685  Possible OOB read/write on corrupt JSON in header
  configurations using json operators on invalid externally-provided input
  could trigger heap corruption.
  As far as I understand this also does not hit our binaries, since we do
  not build with JSON looks enabled. However users can build private
  packages from our sources. One-line change.
* CVE-2026-40686  Possible OOB read with large UTF8 trailing character
  ... Another tiny change, applies to Debian.
* CVE-2026-40687  Possible OOB read/write with SPA authenticator.
  This is client side and needs a hostile/compromised external
  counterpart. This patch is rather big and required some handholding to
  apply.

b) Fix GnuTLS hostname verify of a server certificate with a
   zero-length Subject. These are now being handed out by LetsEncrypt; note
   that this means they carry no DN (as well as no SN, that having been decreed
   deprecated in favour of SANs).

This is also a small change and something our DSA would appreciate.
Upstream discussion starts here:
https://lists.exim.org/lurker/message/20260413.184322.ecbabb9e.en.html

TIA, cu Andreas

-- 
"You people are noisy," Nia said.
I made the gesture of agreement.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 13trixie.diff
Type: text/x-diff
Size: 21441 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-exim4-maintainers/attachments/20260502/cf2c612b/attachment.diff>