Your message dated Fri, 12 Jul 2024 19:55:06 +0000
with message-id <e1ssmme-008vmc...@fasolo.debian.org>
and subject line Bug#1075785: fixed in exim4 4.96-15+deb12u5
has caused the Debian Bug report #1075785,
regarding exim4: CVE-2024-39929: Incorrect parsing of multiline rfc2231 header filename
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1075785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075785
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: exim4
Version: 4.97-8
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://bugs.exim.org/show_bug.cgi?id=3099
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for exim4.
CVE-2024-39929[0]:
| Exim through 4.97.1 misparses a multiline RFC 2231 header filename,
| and thus remote attackers can bypass a $mime_filename extension-
| blocking protection mechanism, and potentially deliver executable
| attachments to the mailboxes of end users.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-39929
https://www.cve.org/CVERecord?id=CVE-2024-39929
[1] https://bugs.exim.org/show_bug.cgi?id=3099#c4
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
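A filter-side regression check for the parsing issue described in the report above, added here as an example and not taken from the bug report or from Exim's code. It reassembles RFC 2231 `filename*N` continuation segments with Python's `email` module before applying an extension blocklist, and records whether a parser that reads only a literal `filename=`/`name=` parameter would have seen the name. The blocklist, the sample message and the function names are assumptions constructed for illustration; the code does not reproduce Exim's parser.

```python
import os
import re
from email import message_from_string

BLOCKED_EXTENSIONS = {".exe", ".scr", ".js"}  # assumed site policy, not from the page

# Constructed sample: one attachment whose filename is split over two
# RFC 2231 continuation parameters on separate (folded) header lines.
SAMPLE = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    "Content-Disposition: attachment;\n"
    ' filename*0="setup";\n'
    ' filename*1=".exe"\n'
    "\n"
    "AAAA\n"
    "--b1--\n"
)

# Matches only a literal filename=/name= parameter, never filename*0=.
PLAIN_PARAM = re.compile(r'(?i);\s*(?:file)?name\s*=\s*"?([^";]*)"?')

def attachment_names(raw):
    """Return (reassembled, plain) filename pairs, one per named MIME part."""
    pairs = []
    for part in message_from_string(raw).walk():
        full = part.get_filename()  # stdlib joins filename*0, filename*1, ...
        if full is None:
            continue
        headers = "%s;%s" % (part.get("Content-Disposition", ""),
                             part.get("Content-Type", ""))
        m = PLAIN_PARAM.search(";" + headers)
        pairs.append((full, m.group(1) if m else None))
    return pairs

def is_blocked(name):
    """True if the name's final extension is on the blocklist."""
    if name is None:
        return False
    return os.path.splitext(name.strip().lower())[1] in BLOCKED_EXTENSIONS

def audit(raw):
    """List blocked attachments and whether a continuation-unaware view sees them."""
    return [{"filename": full, "visible_to_plain_parser": is_blocked(plain)}
            for full, plain in attachment_names(raw) if is_blocked(full)]
```

A finding with `visible_to_plain_parser` set to `False` marks a message whose blocked extension only appears once the continuation segments are joined, which is the case worth adding to a mail filter's test corpus.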
--- Begin Message ---
Source: exim4
Source-Version: 4.96-15+deb12u5
Done: Andreas Metzler <ametz...@debian.org>
We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1075...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <ametz...@debian.org> (supplier of updated exim4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 09 Jul 2024 10:53:35 +0200
Source: exim4
Architecture: source
Version: 4.96-15+deb12u5
Distribution: bookworm-security
Urgency: high
Maintainer: Exim4 Maintainers <pkg-exim4-maintain...@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametz...@debian.org>
Closes: 1075785
Changes:
 exim4 (4.96-15+deb12u5) bookworm-security; urgency=high
 .
   * Fix parsing of multiline RFC 2231 header filename parameter in mime ACL.
     CVE-2024-39929 Closes: #1075785
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---