Your message dated Tue, 25 Oct 2022 17:04:18 +0000
with message-id <[email protected]>
and subject line Bug#1022556: fixed in exim4 4.96-7
has caused the Debian Bug report #1022556,
regarding exim4: CVE-2022-3620
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1022556: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022556
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: exim4
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for exim4.
CVE-2022-3620[0]:
| A vulnerability was found in Exim and classified as problematic. This
| issue affects the function dmarc_dns_lookup of the file dmarc.c of the
| component DMARC Handler. The manipulation leads to use after free. The
| attack may be initiated remotely. The name of the patch is
| 12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445. It is recommended to apply a
| patch to fix this issue. The associated identifier of this
| vulnerability is VDB-211919.
Introduced by:
https://git.exim.org/exim.git/commit/92583637b25b6bde926f9ca6be7b085e5ac8b1e6
(exim-4.95-RC0)
(as such Bullseye/Buster are not affected)
Fixed by:
https://git.exim.org/exim.git/commit/12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-3620
https://www.cve.org/CVERecord?id=CVE-2022-3620
Please adjust the affected versions in the BTS as needed.
--- End Message ---
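The report above scopes the bug by version (introduced in exim-4.95-RC0, so Bullseye and Buster are unaffected) and by component (the DMARC handler). As an added example, not part of the bug report, the exim4 package or Exim itself, the following Python check combines those two facts into an exposure decision for one host: it reads the installed Debian package version and the text that `exim -bV` prints, and reports a host as exposed only when the version falls in the affected range and the binary was built with DMARC support. The `exim -bV` samples are constructed for this example, the fixed version 4.96-7 comes from the changelog in this thread, and it is an assumption that a DMARC-enabled build lists the token `DMARC` on the `Support for:` line; the version parser handles only the plain `upstream-revision` shape shown here.

```python
"""Exposure check for CVE-2022-3620 (use-after-free in Exim's dmarc_dns_lookup).

Added example; not code from the Debian bug report, the exim4 package or Exim.
Decision: exposed = installed version in the affected range AND the binary was
built with DMARC support (the vulnerable code is only compiled in then).
"""
import re

FIXED_DEBIAN_VERSION = "4.96-7"    # fixed version named in the changelog of this thread
FIRST_AFFECTED_UPSTREAM = (4, 95)  # bug introduced in exim-4.95-RC0 per the report

# Constructed `exim -bV` excerpts (not captured from real hosts).
BULLSEYE_BV = """Exim version 4.94.2 #2 built 03-Nov-2021 12:00:00
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DNSSEC Event OCSP PRDR PROXY SOCKS TCP_Fast_Open
"""
SID_NO_DMARC_BV = """Exim version 4.96 #2 built 10-Oct-2022 12:00:00
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DNSSEC Event OCSP PRDR PROXY SOCKS TCP_Fast_Open
"""
LOCAL_DMARC_BV = """Exim version 4.96 #1 built 11-Oct-2022 09:30:00
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DMARC DNSSEC Event OCSP PRDR PROXY SOCKS TCP_Fast_Open
"""


def parse_debian_version(version: str):
    """Split a version such as '4.96-7' into ((4, 96), 7).

    Assumption: no epoch, numeric dotted upstream part, and a Debian revision that
    starts with digits (a suffix like '+deb12u1' is ignored, absence means revision 0).
    """
    upstream, _, revision = version.partition("-")
    up = tuple(int(p) for p in upstream.split("."))
    m = re.match(r"\d+", revision)
    rev = int(m.group()) if m else 0
    return up, rev


def built_with_dmarc(exim_bv_output: str) -> bool:
    """True if the 'Support for:' line of `exim -bV` lists DMARC (assumed token name)."""
    for line in exim_bv_output.splitlines():
        if line.startswith("Support for:"):
            return "DMARC" in line.split(":", 1)[1].split()
    return False


def version_in_affected_range(installed_debian_version: str) -> bool:
    """Affected if upstream >= 4.95 and the Debian version is older than 4.96-7."""
    up, rev = parse_debian_version(installed_debian_version)
    fixed_up, fixed_rev = parse_debian_version(FIXED_DEBIAN_VERSION)
    return up >= FIRST_AFFECTED_UPSTREAM and (up, rev) < (fixed_up, fixed_rev)


def exposure(exim_bv_output: str, installed_debian_version: str) -> dict:
    """Combine the version range and the build-time DMARC check into one verdict."""
    version_affected = version_in_affected_range(installed_debian_version)
    dmarc_built = built_with_dmarc(exim_bv_output)
    return {
        "version_affected": version_affected,
        "dmarc_built": dmarc_built,
        "exposed": version_affected and dmarc_built,
    }


if __name__ == "__main__":
    # Debian bullseye package: upstream 4.94.2 predates the bug.
    print("bullseye 4.94.2-7:", exposure(BULLSEYE_BV, "4.94.2-7"))
    # Debian sid binary before the fix: affected version, but no DMARC support compiled in.
    print("sid 4.96-6, Debian build:", exposure(SID_NO_DMARC_BV, "4.96-6"))
    # Local rebuild with DMARC enabled at an affected version: exposed.
    print("sid 4.96-6, DMARC build:", exposure(LOCAL_DMARC_BV, "4.96-6"))
    # Same DMARC-enabled build after upgrading to the fixed package version.
    print("sid 4.96-7, DMARC build:", exposure(LOCAL_DMARC_BV, "4.96-7"))
```

On a real host, `dpkg-query -W -f '${Version}' exim4-daemon-heavy` supplies the installed version and `exim -bV` the build summary; the verdict matches the changelog note that stock Debian binaries are not exposed because they lack DMARC support, while a locally rebuilt DMARC-enabled binary at 4.95 or 4.96 is until it reaches 4.96-7.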
--- Begin Message ---
Source: exim4
Source-Version: 4.96-7
Done: Andreas Metzler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated exim4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 25 Oct 2022 18:38:38 +0200
Source: exim4
Architecture: source
Version: 4.96-7
Distribution: unstable
Urgency: high
Maintainer: Exim4 Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 1022556
Changes:
exim4 (4.96-7) unstable; urgency=high
.
* Replace 85_dmarc-api-breakage-workaround.diff with version from upstream
GIT master 75_18-Fix-Build-with-libopendmarc-1.4.x-fixes-2728.patch.
* 75_19-DMARC-fix-use-after-free-in-dmarc_dns_lookup.patch: Fix
use-after-free in dmarc.c. VDB-211919 / CVE-2022-3620.
This does not affect Debian *binary* packages since they are not built
with DMARC support. Closes: #1022556
Checksums-Sha1:
40d3615b14c53f8a12c18f6a217ba43682b92889 2889 exim4_4.96-7.dsc
2727f7ef0b23572645be1f8d78ff4ac0de9d489d 473020 exim4_4.96-7.debian.tar.xz
Checksums-Sha256:
4f19f9645c4099fdd3f987fa28aedb96d42566acdaafec7f21abddd8067d5cbc 2889 exim4_4.96-7.dsc
55eb7a629e4920da52fd21ca3483a300d5871eccb3da15c1068afd6f3fbee651 473020 exim4_4.96-7.debian.tar.xz
Files:
396a407987c92e50c869f26ec75fff47 2889 mail standard exim4_4.96-7.dsc
8caf8f72879c276f46c94fa5f0771a97 473020 mail standard exim4_4.96-7.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---