
Bug#1055155: bookworm-pu: package exim4/4.96-15+deb12u3 (2nd try for new bug)



Hi Andreas,

On Wed, Nov 01, 2023 at 12:03:37PM +0100, Andreas Metzler wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian.org@packages.debian.org
> Usertags: pu
> Control: affects -1 + src:exim4
> 
> Hello,
> 
> I would like to push another round of cherry-picked upstream fixes to
> bookworm, including the update to 4.96.2 to fix two non-DSA minor
> security issues.
> 
> The changes are included in the new upstream (4.97 rc) uploads to sid which
> are present in sid and testing.
> 
> 
> * Multiple bugfixes from upstream GIT master:
>   + 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch
>   + 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch
>     (Upstream bug 2998)
>   + 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch
>   + 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch
>     (Upstream bug 3013)
> ----> ${run} expansion breakage, similar to #1025420.
>   + 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand
>     TLS cert expiry date. Closes: #1043233
>     (Upstream bug 3014)
> ----> This is a major hiccup, bordering on RC.
> 
>   + 75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch
> ----> Another patch for ${run} expansion breakage.
>   + 76-10-Fix-tr.-and-empty-strings.-Bug-3023.patch (Upstream bug 3023)
>   + 76-12-DNS-more-hardening-against-crafted-responses.patch
> * tests/basic: Add isolation-container restriction (needs a running
>   exim daemon).
> * Add ${run } expansion test to tests/basic.
> * Update code to 4.96.2, fixing issues with the proxy protocol
>   (CVE-2023-42117) and the `dnsdb` lookup subsystem (CVE-2023-42219). It
>   also includes additional hardening for spf lookups, however CVE-2023-42218

The mentioned CVEs have a typo. I believe this should be
CVE-2023-42117 and CVE-2023-42119 (and for completeness about the
libspf2 mentioning CVE-2023-42118).

Regards,
Salvatore
