Devuan bug report logs - #579
Security: Please update exim on beowulf

Package: amprolla; Maintainer for amprolla is Devuan Developers <devuan-dev@lists.dyne.org>

Reported by: Klaus Ethgen <Klaus@ethgen.de>

Date: Sun, 9 May 2021 08:18:02 UTC

Severity: critical

Done: Mark Hindley <mark@hindley.org.uk>

MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.devuan.org
From: "Devuan bug Tracking System" <owner@bugs.devuan.org>
To: Mark Hindley <mark@hindley.org.uk>
Subject: bug#579: marked as done (Security: Please update exim on beowulf)
Message-ID: <handler.579.D579.162066840417070.ackdone@bugs.devuan.org>
References: <YJlt5RyJupJTLkcg@hindley.org.uk>
 <YJeWezFIsZf4uXX+@ikki.ethgen.ch>
X-Devuan-PR-Message: closed 579
X-Devuan-PR-Package: amprolla
Reply-To: 579@bugs.devuan.org
Date: Mon, 10 May 2021 17:48:01 +0000
Content-Type: multipart/mixed; boundary="----------=_1620668882-17197-0"
[Message part 1 (text/plain, inline)]
Your message dated Mon, 10 May 2021 18:31:17 +0100
with message-id <YJlt5RyJupJTLkcg@hindley.org.uk>
and subject line Re: bug#579: Security: Please update exim on beowulf
has caused the Devuan bug report #579,
regarding Security: Please update exim on beowulf
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.devuan.org
immediately.)


-- 
579: https://bugs.devuan.org/cgi/bugreport.cgi?bug=579
Devuan Bug Tracking System
Contact owner@bugs.devuan.org with problems
[Message part 2 (message/rfc822, inline)]
From: Klaus Ethgen <Klaus@ethgen.de>
To: Devuan Bug Tracking System <submit@bugs.devuan.org>
Subject: Security: Please update exim on beowulf
Date: Sun, 9 May 2021 09:59:55 +0200
[Message part 3 (text/plain, inline)]
Package: exim4
Version: 4.92-8+deb10u5
Severity: critical
Tags: security

Please update exim4 to 4.92-8+deb10u6 on beowulf as already in debian.

Version 4.92-8+deb10u5 has several severe security bugs which are fixed
in 4.92-8+deb10u6.

* CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
* CVE-2020-28018: Use-after-free in tls-openssl.c
* CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
* CVE-2020-28010: Heap out-of-bounds write in main()
* CVE-2020-28011: Heap buffer overflow in queue_run()
* CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
* CVE-2020-28017: Integer overflow in receive_add_recipient()
* CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
* CVE-2020-28026: Line truncation and injection in spool_read_header()
* CVE-2020-28015 and CVE-2020-28021: New-line injection into spool header file.
* CVE-2020-28009: Integer overflow in get_stdinput()
* CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
* CVE-2020-28012: Missing close-on-exec flag for privileged pipe
* CVE-2020-28019: Failure to reset function pointer after BDAT error
* CVE-2020-28007: Link attack in Exim's log directory
* CVE-2020-28008: Assorted attacks in Exim's spool directory
* CVE-2020-28014, CVE-2021-27216: Arbitrary PID file creation, clobbering, and deletion.

-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 3 (beowulf)
Codename:	beowulf
Architecture: x86_64

Regards
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
[signature.asc (application/pgp-signature, inline)]
[Message part 5 (message/rfc822, inline)]
From: Mark Hindley <mark@hindley.org.uk>
To: 579-done@bugs.devuan.org
Subject: Re: bug#579: Security: Please update exim on beowulf
Date: Mon, 10 May 2021 18:31:17 +0100
On Sun, May 09, 2021 at 09:59:55AM +0200, Klaus Ethgen wrote:
> Package: exim4
> Version: 4.92-8+deb10u5
> Severity: critical
> Tags: security
> 
> Please update exim4 to 4.92-8+deb10u6 on beowulf as already in debian.

Bad amprolla merge is now fixed (thanks rrq) and the updated exim4 packages are
available in the archive.

Closing.

Mark


Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Fri Apr 26 17:18:45 2024