Your message dated Fri, 12 Jul 2024 19:55:58 +0000
with message-id <e1ssmn4-008vw0...@fasolo.debian.org>
and subject line Bug#1075785: fixed in exim4 4.94.2-7+deb11u3
has caused the Debian Bug report #1075785,
regarding exim4: CVE-2024-39929: Incorrect parsing of multiline rfc2231 header
filename
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1075785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075785
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: exim4
Version: 4.97-8
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://bugs.exim.org/show_bug.cgi?id=3099
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for exim4.
CVE-2024-39929[0]:
| Exim through 4.97.1 misparses a multiline RFC 2231 header filename,
| and thus remote attackers can bypass a $mime_filename extension-
| blocking protection mechanism, and potentially deliver executable
| attachments to the mailboxes of end users.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-39929
https://www.cve.org/CVERecord?id=CVE-2024-39929
[1] https://bugs.exim.org/show_bug.cgi?id=3099#c4
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
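To illustrate the class of problem the CVE text above describes, here is an added Python example (not Exim code and not part of the bug report): an RFC 2231-aware parser reassembles a continuation-split filename before an extension policy is applied, beside a hypothetical naive parser that never recovers it. The sample headers, the naive parser and the blocked-extension list are constructed for the illustration; the correct path uses the standard-library `email` package.

```python
import email
import re
from typing import Optional

# Constructed samples (not from the bug report): an attachment whose filename
# is carried as RFC 2231 continuation parameters, so no single header line
# contains the complete "report.exe" / "invoice.exe".
PLAIN_CONTINUATION = (
    b"Content-Disposition: attachment;\r\n"
    b"\tfilename*0=\"report.e\";\r\n"
    b"\tfilename*1=\"xe\"\r\n\r\n"
)
# Same idea with an RFC 2231 charset'language' prefix and percent-encoding
# on the first segment (the trailing '*' on the parameter name marks it).
ENCODED_CONTINUATION = (
    b"Content-Disposition: attachment;\r\n"
    b"\tfilename*0*=UTF-8''invoice%2Ee;\r\n"
    b"\tfilename*1=xe\r\n\r\n"
)

# Constructed policy list for the illustration.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".com", ".pif"}

def naive_filename(raw: bytes) -> Optional[str]:
    """Hypothetical weak parser (not Exim's code): it only recognises a plain
    'filename=' parameter, so continuation-encoded names are never seen and
    an extension policy built on its output has nothing to check."""
    m = re.search(rb'(?i)[;\s]filename="?([^";\r\n]+)', raw)
    return m.group(1).decode() if m else None

def rfc2231_filename(raw: bytes) -> Optional[str]:
    """Reassembles filename*0, filename*1, ... and decodes *-suffixed
    charset'lang'percent-encoded segments, via the stdlib email package."""
    return email.message_from_bytes(raw).get_filename()

def extension_blocked(filename: Optional[str]) -> bool:
    """Policy check: only meaningful if the full filename was recovered."""
    if filename is None or "." not in filename:
        return False
    return "." + filename.rsplit(".", 1)[1].lower() in BLOCKED_EXTENSIONS

def compare(raw: bytes) -> dict:
    """Policy outcome for the naive parser versus the RFC 2231-aware one."""
    naive, full = naive_filename(raw), rfc2231_filename(raw)
    return {"naive": naive, "naive_blocked": extension_blocked(naive),
            "full": full, "full_blocked": extension_blocked(full)}

if __name__ == "__main__":
    for sample in (PLAIN_CONTINUATION, ENCODED_CONTINUATION):
        print(compare(sample))
```

The practical takeaway for a filter author: the name fed to an extension policy must be the one a mail client will reconstruct, so test the filter with continuation-split and percent-encoded parameters, not only with a single-line `filename=`.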
--- Begin Message ---
Source: exim4
Source-Version: 4.94.2-7+deb11u3
Done: Andreas Metzler <ametz...@debian.org>
We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1075...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <ametz...@debian.org> (supplier of updated exim4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 09 Jul 2024 11:01:33 +0200
Source: exim4
Architecture: source
Version: 4.94.2-7+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: Exim4 Maintainers <pkg-exim4-maintain...@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametz...@debian.org>
Closes: 1075785
Changes:
exim4 (4.94.2-7+deb11u3) bullseye-security; urgency=medium
.
* Fix parsing of multiline RFC 2231 header filename parameter in mime ACL.
CVE-2024-39929 Closes: #1075785
--- End Message ---