Your message dated Fri, 24 Nov 2023 14:47:09 +0000
with message-id <e1r6xsx-00caxp...@fasolo.debian.org>
and subject line Bug#1053310: fixed in exim4 4.96-15+deb12u3
has caused the Debian Bug report #1053310,
regarding exim4-base: Various severe CVE reports are outstanding
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1053310: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053310
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: exim4-base
Version: 4.94.2-7
Severity: critical
Justification: breaks the whole system
Dear Maintainer,
There are various CVE reports with a rating of 9.8/10.
CVE-2023-42119
CVE-2023-42118
CVE-2023-42117
CVE-2023-42116
CVE-2023-42115
CVE-2023-42114
It would help if there were a statement by the Debian exim maintainer team
on when updates are expected to arrive.
This would at least help me judge whether I should migrate my systems to postfix or
whether I can wait for a bugfix.
-- Package-specific info:
Exim version 4.94.2 #2 built 13-Jul-2021 16:04:57
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS
move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event I18N OCSP
PIPE_CONNECT PRDR PROXY SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz
dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file search path is
/etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /var/lib/exim4/config.autogenerated
-- System Information:
Debian Release: 11.7
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-25-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages exim4-base depends on:
ii adduser 3.118
ii cron [cron-daemon] 3.0pl1-137
ii debconf [debconf-2.0] 1.5.77
ii exim4-config [exim4-config-2] 4.94.2-7
ii libc6 2.31-13+deb11u6
ii libdb5.3 5.3.28+dfsg1-0.8
ii lsb-base 11.1.0
ii netbase 6.3
ii systemd-sysv 247.3-7+deb11u4
Versions of packages exim4-base recommends:
ii mailutils [mailx] 1:3.10-3+b1
ii psmisc 23.4-2
Versions of packages exim4-base suggests:
ii emacs-gtk [mail-reader] 1:27.1+1-3.1+deb11u2
pn exim4-doc-html | exim4-doc-info <none>
pn eximon4 <none>
ii file 1:5.39-3+deb11u1
ii mailutils [mail-reader] 1:3.10-3+b1
ii openssl 1.1.1n-0+deb11u5
pn spf-tools-perl <none>
pn swaks <none>
-- Configuration Files:
/etc/logrotate.d/exim4-base changed [not included]
/etc/logrotate.d/exim4-paniclog changed [not included]
-- debconf information excluded
--- End Message ---
--- Begin Message ---
Source: exim4
Source-Version: 4.96-15+deb12u3
Done: Andreas Metzler <ametz...@debian.org>
We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <ametz...@debian.org> (supplier of updated exim4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Wed, 18 Nov 2023 11:07:57 +0100
Source: exim4
Architecture: source
Version: 4.96-15+deb12u3
Distribution: bookworm
Urgency: medium
Maintainer: Exim4 Maintainers <pkg-exim4-maintain...@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametz...@debian.org>
Closes: 1043233 1053310
Changes:
exim4 (4.96-15+deb12u3) bookworm; urgency=medium
.
* Multiple bugfixes from upstream GIT master:
+ 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch
+ 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch
(Upstream bug 2998)
+ 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch
+ 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch
(Upstream bug 3013)
+ 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand
TLS cert expiry date. Closes: #1043233
(Upstream bug 3014)
+ 75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch
+ 76-10-Fix-tr.-and-empty-strings.-Bug-3023.patch (Upstream bug 3023)
+ 76-12-DNS-more-hardening-against-crafted-responses.patch
+ 76-14-Lookups-Fix-dnsdb-lookup-of-multi-chunk-TXT.-Bug-305.patch Fix
regression in dnsdb in CVE-2023-42119 fix. (Upstream bug 3054)
* tests/basic: Add isolation-container restriction (needs a running
exim daemon).
* Add ${run } expansion test to tests/basic.
* Update code to 4.96.2, fixing issues with the proxy protocol
(CVE-2023-42117) and the `dnsdb` lookup subsystem (CVE-2023-42119). It
also includes additional hardening for spf lookups, however CVE-2023-42118
was diagnosed as a vulnerability in the libspf2 library and needs to be
addressed there. Closes: #1053310
--- End Message ---