[SECURITY] [DSA 6309-1] exim4 security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6309-1] exim4 security update
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 29 May 2026 15:44:07 +0000
Message-id: <[🔎] E1wSzNX-00000001c1b-0g0G@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6309-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 29, 2026                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2026-48840

Warisjeet Singh discovered that Exim, a mail transport agent, does not
properly handle PROXY frames whose declared payload length is too short
for the claimed address family, which may result in information
disclosure in configurations with SUPPORT_PROXY and 'host_proxy' set.

For the oldstable distribution (bookworm), this problem has been fixed
in version 4.96-15+deb12u10.

For the stable distribution (trixie), this problem has been fixed in
version 4.98.2-1+deb13u3.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmoZs/JfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0SZuA/+KkaQcGFAtllqkTY9fY5wSfZlf3XF2fkSj8Ih6EkH3jpX050NfbX5t8Aa
0Q5OnCFxOYa0Eok1G1ffDaDvZjKS++Gwm0GA3E/rLsT/2tLB+Fn3vfYASzHI4PlM
LXvKJw6U/NQlUrCOoPlrfTLykv/jIL9ZgJdEaeAa8sShakMJ5YxXF1B4HJGFROrf
Ae13k56wrYHxMeKczs1uw64QLm9x28dkJXztOXpxUEORBWqov+MV5Xl8BPhWI1ch
6FCzfuT/LFCaM2wPP+6CCm9LlWzRU3+Kca6dzZ+vCBk6IW0rJVzrIOhQfGOBWoTB
5pwbqCAsOvg/g+hl6kGmK+K6+ENjFQbMOmpfQ46mRN3WFT+6rb3DWxJohB4p3H+x
3XkT32U1laaUucClc3RGKmZS0x9VNKRbB2L/pRyavf16PxfBl7fJ5ksMde0nOA9P
YA/Ldxsi/t+nLAg3Mvf1nq4m8rV90FPsy7cnU5yo4O/BwkMFbJISHk+aO2+sxxit
LjMvPI/JbHVSsD2cekFraTeQ662Lzrv5R/FCqhTjqcBy+iBKtAutsnF9/PLEkZ7q
ml2AS0JwhZRAMJlNcIR41LLUXkLPLinW0/QSIEioQnpdw17sr/cr0J/8PhiA8c/C
SJFFMFxm3ePEhoGBKC6So0N9vKh4uqEsg/hqD5Ts7agNEktTPbo=
=lo/T
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 6308-1] nagios4 security update
Next by Date: [SECURITY] [DSA 6310-1] imagemagick security update
Previous by thread: [SECURITY] [DSA 6308-1] nagios4 security update
Next by thread: [SECURITY] [DSA 6310-1] imagemagick security update
Index(es):
- Date
- Thread