Hi,

Just answering a couple of questions below, but the actual problem will need to be handled by Andreas with more insight:

On Wed, May 05, 2021 at 10:09:42AM +0000, halfdog wrote:
> Salvatore Bonaccorso writes:
> > Hi,
> >
> > On Wed, May 05, 2021 at 06:58:02AM +0000, halfdog wrote:
> >> Package: exim4-daemon-light
> >> Version: 4.94-19
> >> Severity: grave
> >>
> >> Yesterday's 21nails update causes Exim to fail delivery of any
> >> messages. This might be related to using syslogging only without
> >> any file logging configured:
> >> ...
> >
> > Just to doubly-confirm, you see the problem only after yesterday's
> > update, but not yet in 4.94-19 as reported, right? Just to avoid
> > potential confusion.
>
> I see the problems with
>
> ii exim4-daemon-light 4.94-19 amd64
> lightweight Exim MTA (v4) daemon

Right, then this is not the version including the Qualys reported
issues, which are only present in 4.94.2-1 in unstable, which though
was already "unblocked" by a release team member:

Ignoring block request by freeze, due to unblock request by adsb

so it can move fast to bullseye.

> I checked the PTS and it seems that this package might have
> just been released around the same time (no timestamp given)
> as the 21nails patches.
>
> [2021-04-26] Accepted exim4 4.94-19 (source) into unstable (Andreas Metzler)
> [2021-05-05] exim4 4.94-19 MIGRATED to testing (Debian testing watch)

Here I'm almost sure that the exim4 4.94-19 already moved on
2021-05-04 to testing, it was unblocked before, see #987924.

> I did not verify if exim4-daemon-light for bullseye is REALLY
> patched or still vulnerable, which it should be (unless Debian
> has broken the disclosure embargo).

exim4-daemon-light in bullseye is *not* patched and is still
vulnerable, the fixes are only in the 4.94.2-1 upload.

So now handing over to Andreas for the actual problem then.

Regards,
Salvatore