Your message dated Fri, 05 Jul 2024 16:35:06 +0000
with message-id <e1spltq-007pqw...@fasolo.debian.org>
and subject line Bug#1075785: fixed in exim4 4.98~RC3-2
has caused the Debian Bug report #1075785,
regarding exim4: CVE-2024-39929: Incorrect parsing of multiline rfc2231 header filename
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1075785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075785
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: exim4
Version: 4.97-8
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://bugs.exim.org/show_bug.cgi?id=3099
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for exim4.
CVE-2024-39929[0]:
| Exim through 4.97.1 misparses a multiline RFC 2231 header filename,
| and thus remote attackers can bypass a $mime_filename extension-
| blocking protection mechanism, and potentially deliver executable
| attachments to the mailboxes of end users.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-39929
https://www.cve.org/CVERecord?id=CVE-2024-39929
[1] https://bugs.exim.org/show_bug.cgi?id=3099#c4
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
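An added illustration, not part of the bug report and not Exim's code: a Python check that reassembles an RFC 2231 multi-segment filename before testing its extension, which is the step the `$mime_filename` protection described above depends on. The blocklist, the function name and the sample message are assumptions constructed for this example.

```python
import email
import re
from email import policy

# Assumed site policy for the example; the bug report names no extensions.
BLOCKED_EXTS = {".exe", ".scr", ".com", ".bat"}

# Matches RFC 2231 continuation segments such as filename*0= or name*1*=
CONTINUATION = re.compile(r"\b(?:file)?name\*\d+\*?\s*=", re.I)

# Constructed sample: the second part splits its filename over two segments.
SAMPLE = "\n".join([
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: application/octet-stream",
    "Content-Disposition: attachment;",
    ' filename*0="report-2024.pd";',
    ' filename*1="f.exe"',
    "",
    "AAAA",
    "--b1",
    "Content-Type: application/pdf",
    'Content-Disposition: attachment; filename="notes.pdf"',
    "",
    "BBBB",
    "--b1--",
    "",
])

def audit_attachments(raw_message, blocked=BLOCKED_EXTS):
    """Return (filename, uses_continuation, is_blocked) for each named MIME part."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    findings = []
    for part in msg.walk():
        # get_filename() joins filename*0, filename*1, ... in order and decodes
        # the charset'lang'%XX extended form, so the policy sees the full name.
        name = part.get_filename()
        if name is None:
            continue
        headers = " ".join(str(part.get(h, ""))
                           for h in ("Content-Disposition", "Content-Type"))
        split = bool(CONTINUATION.search(headers))
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        findings.append((name, split, ext in blocked))
    return findings
```

The `uses_continuation` flag is there for triage: a filter that only reads a plain `filename=` parameter sees no name at all for such a part, so parts flagged `True` are the ones where a patched and an unpatched parser can disagree.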
--- Begin Message ---
Source: exim4
Source-Version: 4.98~RC3-2
Done: Andreas Metzler <ametz...@debian.org>
We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1075...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <ametz...@debian.org> (supplier of updated exim4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 05 Jul 2024 18:06:31 +0200
Source: exim4
Architecture: source
Version: 4.98~RC3-2
Distribution: unstable
Urgency: medium
Maintainer: Exim4 Maintainers <pkg-exim4-maintain...@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametz...@debian.org>
Closes: 1075785
Changes:
exim4 (4.98~RC3-2) unstable; urgency=medium
.
* Upload to unstable.
* RC3 fixes CVE-2024-39929 Closes: #1075785
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---