Devuan bug report logs - #579
Security: Please update exim on beowulf

Full log

🔗 View this message in rfc822 format

MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.devuan.org
From: "Devuan bug Tracking System" <owner@bugs.devuan.org>
To: Klaus Ethgen <Klaus@ethgen.de>
Subject: bug#579 closed by Mark Hindley <mark@hindley.org.uk> (Re:
 bug#579: Security: Please update exim on beowulf)
Message-ID: <handler.579.D579.162066840417070.notifdone@bugs.devuan.org>
References: <YJlt5RyJupJTLkcg@hindley.org.uk>
 <YJeWezFIsZf4uXX+@ikki.ethgen.ch>
X-Devuan-PR-Message: they-closed 579
X-Devuan-PR-Package: amprolla
Reply-To: 579@bugs.devuan.org
Date: Mon, 10 May 2021 17:48:04 +0000
Content-Type: multipart/mixed; boundary="----------=_1620668884-17197-1"

[Message part 1 (text/plain, inline)]

This is an automatic notification regarding your bug report
which was filed against the amprolla package:

#579: Security: Please update exim on beowulf

It has been closed by Mark Hindley <mark@hindley.org.uk>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mark Hindley <mark@hindley.org.uk> by
replying to this email.


-- 
579: https://bugs.devuan.org/cgi/bugreport.cgi?bug=579
Devuan Bug Tracking System
Contact owner@bugs.devuan.org with problems

[Message part 2 (message/rfc822, inline)]

From: Mark Hindley <mark@hindley.org.uk>

To: 579-done@bugs.devuan.org

Subject: Re: bug#579: Security: Please update exim on beowulf

Date: Mon, 10 May 2021 18:31:17 +0100

On Sun, May 09, 2021 at 09:59:55AM +0200, Klaus Ethgen wrote:
> Package: exim4
> Version: 4.92-8+deb10u5
> Severity: critical
> Tags: security
> 
> Please update exim4 to 4.92-8+deb10u6 on beowulf as already in debian.

Bad amprolla merge is now fixed (thanks rrq) and the updated exim4 packages are
available in the archive.

Closing.

Mark

[Message part 3 (message/rfc822, inline)]

From: Klaus Ethgen <Klaus@ethgen.de>

To: Devuan Bug Tracking System <submit@bugs.devuan.org>

Subject: Security: Please update exim on beowulf

Date: Sun, 9 May 2021 09:59:55 +0200

[Message part 4 (text/plain, inline)]

Package: exim4
Version: 4.92-8+deb10u5
Severity: critical
Tags: security

Please update exim4 to 4.92-8+deb10u6 on beowulf as already in debian.

Version 4.92-8+deb10u5 has several sever security bugs which are fixed
in 4.92-8+deb10u6.

* CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
* CVE-2020-28018: Use-after-free in tls-openssl.c
* CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
* CVE-2020-28010: Heap out-of-bounds write in main()
* CVE-2020-28011: Heap buffer overflow in queue_run()
* CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
* CVE-2020-28017: Integer overflow in receive_add_recipient()
* CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
* CVE-2020-28026: Line truncation and injection in spool_read_header()
* CVE-2020-28015 and CVE-2020-28021: New-line injection into spool header file.
* CVE-2020-28009: Integer overflow in get_stdinput()
* CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
* CVE-2020-28012: Missing close-on-exec flag for privileged pipe
* CVE-2020-28019: Failure to reset function pointer after BDAT error
* CVE-2020-28007: Link attack in Exim's log directory
* CVE-2020-28008: Assorted attacks in Exim's spool directory
* CVE-2020-28014, CVE-2021-27216: Arbitrary PID file creation, clobbering, and deletion.

-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 3 (beowulf)
Codename:	beowulf
Architecture: x86_64

Gruß
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.