Devuan bug report logs - #579
Security: Please update exim on beowulf

Package: amprolla; Severity: critical; Reported by: Klaus Ethgen <Klaus@ethgen.de>; Done: Mark Hindley <mark@hindley.org.uk>; Maintainer for amprolla is (unknown).

Message received at 579-done@bugs.devuan.org:


Received: (at 579-done) by bugs.devuan.org; 10 May 2021 17:40:04 +0000
Return-Path: <mark@hindley.org.uk>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4)
	for <debbugs@localhost> (single-drop); Mon, 10 May 2021 17:40:04 +0000 (UTC)
Received: from mx.hindley.org.uk (193-36-131-86.cfwn.uk [193.36.131.86])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by vm6.ganeti.dyne.org (Postfix) with ESMTPS id 8AEFBF609FF
	for <579-done@bugs.devuan.org>; Mon, 10 May 2021 19:31:18 +0200 (CEST)
Received: from apollo.hindleynet ([192.168.1.3] helo=hindley.org.uk)
	by mx.hindley.org.uk with smtp (Exim 4.84_2)
	(envelope-from <mark@hindley.org.uk>)
	id 1lg9kT-0006ig-Lb
	for 579-done@bugs.devuan.org; Mon, 10 May 2021 18:31:17 +0100
Received: (nullmailer pid 11203 invoked by uid 1000);
	Mon, 10 May 2021 17:31:17 -0000
Date: Mon, 10 May 2021 18:31:17 +0100
From: Mark Hindley <mark@hindley.org.uk>
To: 579-done@bugs.devuan.org
Subject: Re: bug#579: Security: Please update exim on beowulf
Message-ID: <YJlt5RyJupJTLkcg@hindley.org.uk>
References: <YJeWezFIsZf4uXX+@ikki.ethgen.ch>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <YJeWezFIsZf4uXX+@ikki.ethgen.ch>
X-Debbugs-No-Ack: No Thanks
X-Spam-Status: No, score=0.4 required=5.0 tests=RDNS_DYNAMIC,SPF_PASS
	autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org

On Sun, May 09, 2021 at 09:59:55AM +0200, Klaus Ethgen wrote:
> Package: exim4
> Version: 4.92-8+deb10u5
> Severity: critical
> Tags: security
> 
> Please update exim4 to 4.92-8+deb10u6 on beowulf as already in debian.

Bad amprolla merge is now fixed (thanks rrq) and the updated exim4 packages are
available in the archive.

Closing.

Mark

Notification sent to Klaus Ethgen <Klaus@ethgen.de>:
bug acknowledged by developer.
Reply sent to Mark Hindley <mark@hindley.org.uk>:
You have taken responsibility.
No longer marked as found in versions 4.92-8+deb10u5. Request was from Mark Hindley <mark@hindley.org.uk> to 579-submit@bugs.devuan.org.
bug reassigned from package 'exim4' to 'amprolla'. Request was from Mark Hindley <mark@hindley.org.uk> to 579-submit@bugs.devuan.org.

Message received at 579@bugs.devuan.org:


Received: (at 579) by bugs.devuan.org; 10 May 2021 17:30:03 +0000
Return-Path: <mark@hindley.org.uk>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4)
	for <debbugs@localhost> (single-drop); Mon, 10 May 2021 17:30:03 +0000 (UTC)
Received: from mx.hindley.org.uk (193-36-131-86.cfwn.uk [193.36.131.86])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by vm6.ganeti.dyne.org (Postfix) with ESMTPS id 9E3A2F60932
	for <579@bugs.devuan.org>; Mon, 10 May 2021 19:16:09 +0200 (CEST)
Received: from apollo.hindleynet ([192.168.1.3] helo=hindley.org.uk)
	by mx.hindley.org.uk with smtp (Exim 4.84_2)
	(envelope-from <mark@hindley.org.uk>)
	id 1lg9Vn-0006dZ-Hl; Mon, 10 May 2021 18:16:07 +0100
Received: (nullmailer pid 10713 invoked by uid 1000);
	Mon, 10 May 2021 17:16:07 -0000
Date: Mon, 10 May 2021 18:16:06 +0100
From: Mark Hindley <mark@hindley.org.uk>
To: Klaus Ethgen <Klaus@ethgen.de>, 579@bugs.devuan.org
Subject: Re: bug#579: Security: Please update exim on beowulf
Message-ID: <YJlqVrx7cax43a6X@hindley.org.uk>
References: <YJeWezFIsZf4uXX+@ikki.ethgen.ch>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <YJeWezFIsZf4uXX+@ikki.ethgen.ch>
X-Debbugs-No-Ack: No Thanks
X-Spam-Status: No, score=0.4 required=5.0 tests=RDNS_DYNAMIC,SPF_PASS
	autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org

Control: reassign -1 amprolla

This is an amprolla issue. Reassigning.

Mark

Information forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#579; Package exim4.

Message received at submit@bugs.devuan.org:


Received: (at submit) by bugs.devuan.org; 9 May 2021 08:10:03 +0000
Return-Path: <Klaus@ethgen.de>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4)
	for <debbugs@localhost> (single-drop); Sun, 09 May 2021 08:10:03 +0000 (UTC)
Received: from tschil.ethgen.ch (tschil.ethgen.ch [5.9.7.51])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by vm6.ganeti.dyne.org (Postfix) with ESMTPS id 3F01AF6089B
	for <submit@bugs.devuan.org>; Sun,  9 May 2021 10:00:00 +0200 (CEST)
Authentication-Results: vm6.ganeti.dyne.org;
	dkim=pass (4096-bit key; unprotected) header.d=ethgen.de header.i=@ethgen.de header.b="jYvDYZtF";
	dkim-atps=neutral
Received: from [192.168.17.4] (helo=ikki.ket)
	by tschil.ethgen.ch with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <Klaus@ethgen.de>)
	id 1lfeM0-00045i-2f; Sun, 09 May 2021 07:59:56 +0000
Received: from klaus by ikki.ket with local (Exim 4.94.2)
	(envelope-from <Klaus@ethgen.de>)
	id 1lfeLz-000664-Le; Sun, 09 May 2021 09:59:55 +0200
Date: Sun, 9 May 2021 09:59:55 +0200
From: Klaus Ethgen <Klaus@ethgen.de>
To: Devuan Bug Tracking System <submit@bugs.devuan.org>
Subject: Security: Please update exim on beowulf
Message-ID: <YJeWezFIsZf4uXX+@ikki.ethgen.ch>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="iM97bDwsOuKEyQUo"
Content-Disposition: inline
X-Reportbug-Version: 7.10.3+devuan1
OpenPGP: id=79D0B06F4E20AF1C;
 url=http://www.ethgen.ch/~klaus/79D0B06F4E20AF1C.txt; preference=signencrypt
X-Spam-Status: No, score=-2.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_PASS
	autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org

Package: exim4
Version: 4.92-8+deb10u5
Severity: critical
Tags: security

Please update exim4 to 4.92-8+deb10u6 on beowulf as already in debian.

Version 4.92-8+deb10u5 has several severe security bugs which are fixed
in 4.92-8+deb10u6.

* CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
* CVE-2020-28018: Use-after-free in tls-openssl.c
* CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
* CVE-2020-28010: Heap out-of-bounds write in main()
* CVE-2020-28011: Heap buffer overflow in queue_run()
* CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
* CVE-2020-28017: Integer overflow in receive_add_recipient()
* CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
* CVE-2020-28026: Line truncation and injection in spool_read_header()
* CVE-2020-28015 and CVE-2020-28021: New-line injection into spool header file.
* CVE-2020-28009: Integer overflow in get_stdinput()
* CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
* CVE-2020-28012: Missing close-on-exec flag for privileged pipe
* CVE-2020-28019: Failure to reset function pointer after BDAT error
* CVE-2020-28007: Link attack in Exim's log directory
* CVE-2020-28008: Assorted attacks in Exim's spool directory
* CVE-2020-28014, CVE-2021-27216: Arbitrary PID file creation, clobbering, and deletion.

-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 3 (beowulf)
Codename:	beowulf
Architecture: x86_64

Gruß
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C


Acknowledgement sent to Klaus Ethgen <Klaus@ethgen.de>:
New bug report received and forwarded. Copy sent to devuan-dev@lists.dyne.org.
Report forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#579; Package exim4.

Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Sat, 22 Jan 2022 16:39:02 UTC