Adam D. Barratt writes:
> On Wed, 2021-05-05 at 11:07 +0000, halfdog wrote:
>> This is weird: I have only bullseye/bullseye-updates/bullseye-security
>> in my sources list. I applied all updates on 2nd of May with
>> no Exim package available. Then after the 21nails disclosure
>> I run the updates (timestamps in UTC):
>>
>> 2021-05-02 07:05:31 status installed initramfs-tools:all 0.140
>> ...
>> 2021-05-04 16:49:48 upgrade exim4-daemon-light:amd64 4.94-17 4.94-19
>>
>> But there is no transaction for 4.94-19 in PTS between these
>> two dates, next is
>
>
>> [2021-05-05] exim4 4.94-19 MIGRATED to testing (Debian testing
>> watch)
>
> The "testing watch" script only runs daily, in the early morning UTC.
> The 4.94-19 package actually migrated on the morning of the 4th (again
> UTC):
>
> 20210504101451|control-suite|dak|added|testing|exim4 4.94-19 source
>
> The upload including the 21nails fixes is:
>
> 20210504134823|process-upload|dak|ACCEPT|exim4_4.94.2-1_multi.changes

Thanks, that explains the timeline. I am now at

ii exim4-daemon-light 4.94.2-1 amd64 lightweight Exim MTA (v4) daemon

At least it does not segfault on locally generated messages
as the 4.94-19 package did. What a weird coincidence that the
4.94-19 seemed to crash exactly around that part of code that
seemed to be related to CVE-2020-28007.

Regards,
hd