Home | Devuan | Git | Forum | Packages | Popcon
Donate now!
Download

Devuan bug report logs - #579
Security: Please update exim on beowulf

Package: amprolla; Maintainer for amprolla is Devuan Developers <devuan-dev@lists.dyne.org>;

Reported by: Klaus Ethgen <Klaus@ethgen.de>

Date: Sun, 9 May 2021 08:18:02 UTC

Severity: critical

Done: Mark Hindley <mark@hindley.org.uk>

Full log

Message #5 received at submit@bugs.devuan.org (full text, mbox, reply):

Received: (at submit) by bugs.devuan.org; 9 May 2021 08:10:03 +0000
Return-Path: <Klaus@ethgen.de>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4)
	for <debbugs@localhost> (single-drop); Sun, 09 May 2021 08:10:03 +0000 (UTC)
Received: from tschil.ethgen.ch (tschil.ethgen.ch [5.9.7.51])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by vm6.ganeti.dyne.org (Postfix) with ESMTPS id 3F01AF6089B
	for <submit@bugs.devuan.org>; Sun,  9 May 2021 10:00:00 +0200 (CEST)
Authentication-Results: vm6.ganeti.dyne.org;
	dkim=pass (4096-bit key; unprotected) header.d=ethgen.de header.i=@ethgen.de header.b="jYvDYZtF";
	dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ethgen.de;
	 s=mail; h=Content-Type:MIME-Version:Message-ID:Subject:To:From:Date:Sender:
	Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
	Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
	In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
	List-Post:List-Owner:List-Archive;
	bh=ud5duopMPRwgsqoiPACAAEPA0rI88WfSr044atcI2VU=; b=jYvDYZtFY3NOzN5nL7vVCGxAOP
	ViocDFZy0TFedKw40yxdRDBZUHYG2x8Fw4qwtR9cDZ+e4b2R22QEwnUMfZTVWXp/z+OFS7qUgT3e9
	rQrYRWpkb3eIqj9MI2sRixEp9TYDXzh5pkK2SDeHEfezqxRZjVNPE5BErYGdcX6hTCE8nnDawNpFh
	oA31PZgAtmusACIL+hSwbwLORITI+Hy1v7m6NgBas4P/J2ZCRUxPuhTqZkViiOW5dNECmW9TBhrTo
	Rsaodqx9m1JJ/cl1i/k9OY3q50ptFjTcA7RLtYBiECzBnbFLJfuSYzl+t9pbOCOM3A80zkLyZ6ef0
	uaUpiFeH5CLmhhG6zO9ItuR+b4oLm3Ro/W5Hin0cD7i6xrDRF8GUp4BiNScPQiaUBLXfVrouqjpZa
	WKTYo61XaAxuRMKPp/16plL3ZbmbumxXlPNcCmPobscz8NrfnJwMp0Ly7F1qDu+a8Yr22ieF3wXau
	iLmTMuHlgKu+I400zCP9JOU8ssKalaE2lSl/iA1pNGfgrW4eHr1kczeKpQ/TSxXiOovUOK/crdKuv
	iuYbt9bAcuy80sh8M3ND6PDQkN0We8S5dRfRiQAK6IUwzvXM2h9Jd6pCK6WF1QK19Prslktd0XTof
	/I82IIt/NLHI/FL7xfBuz7talPPnAH42BJp++HS28=;
Received: from [192.168.17.4] (helo=ikki.ket)
	by tschil.ethgen.ch with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <Klaus@ethgen.de>)
	id 1lfeM0-00045i-2f; Sun, 09 May 2021 07:59:56 +0000
Received: from klaus by ikki.ket with local (Exim 4.94.2)
	(envelope-from <Klaus@ethgen.de>)
	id 1lfeLz-000664-Le; Sun, 09 May 2021 09:59:55 +0200
Date: Sun, 9 May 2021 09:59:55 +0200
From: Klaus Ethgen <Klaus@ethgen.de>
To: Devuan Bug Tracking System <submit@bugs.devuan.org>
Subject: Security: Please update exim on beowulf
Message-ID: <YJeWezFIsZf4uXX+@ikki.ethgen.ch>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="iM97bDwsOuKEyQUo"
Content-Disposition: inline
X-Reportbug-Version: 7.10.3+devuan1
OpenPGP: id=79D0B06F4E20AF1C;
 url=http://www.ethgen.ch/~klaus/79D0B06F4E20AF1C.txt; preference=signencrypt
X-Spam-Status: No, score=-2.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_PASS
	autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org

[Message part 1 (text/plain, inline)]
Package: exim4
Version: 4.92-8+deb10u5
Severity: critical
Tags: security

Please update exim4 to 4.92-8+deb10u6 on beowulf as already in debian.

Version 4.92-8+deb10u5 has several sever security bugs which are fixed
in 4.92-8+deb10u6.

* CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
* CVE-2020-28018: Use-after-free in tls-openssl.c
* CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
* CVE-2020-28010: Heap out-of-bounds write in main()
* CVE-2020-28011: Heap buffer overflow in queue_run()
* CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
* CVE-2020-28017: Integer overflow in receive_add_recipient()
* CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
* CVE-2020-28026: Line truncation and injection in spool_read_header()
* CVE-2020-28015 and CVE-2020-28021: New-line injection into spool header file.
* CVE-2020-28009: Integer overflow in get_stdinput()
* CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
* CVE-2020-28012: Missing close-on-exec flag for privileged pipe
* CVE-2020-28019: Failure to reset function pointer after BDAT error
* CVE-2020-28007: Link attack in Exim's log directory
* CVE-2020-28008: Assorted attacks in Exim's spool directory
* CVE-2020-28014, CVE-2021-27216: Arbitrary PID file creation, clobbering, and deletion.

-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 3 (beowulf)
Codename:	beowulf
Architecture: x86_64

Gruß
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Sun Nov 24 02:04:16 2024;