Hi Andreas,

On Wed, Nov 01, 2023 at 12:03:37PM +0100, Andreas Metzler wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian....@packages.debian.org
> Usertags: pu
> Control: affects -1 + src:exim4
>
> Hello,
>
> I would like to push another round of cherry-picked upstream fixes to
> bookworm, including the update to 4.96.2 to fix two non-DSA minor
> security issues.
>
> The changes are included in the new upstream (4.97 rc) uploads to sid which
> are present in sid and testing.
>
>
>   * Multiple bugfixes from upstream GIT master:
>     + 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch
>     + 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch
>       (Upstream bug 2998)
>     + 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch
>     + 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch
>       (Upstream bug 3013)
> ----> ${run expansion breakage, similar to #1025420.
>     + 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand
>       TLS cert expiry date. Closes: #1043233
>       (Upstream bug 3014)
> ----> This is a major hiccup, bordering on RC.
>
>     + 75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch
> ----> Another patch for ${run} expansion breakage.
>     + 76-10-Fix-tr.-and-empty-strings.-Bug-3023.patch (Upstream bug 3023)
>     + 76-12-DNS-more-hardening-against-crafted-responses.patch
>   * tests/basic: Add isolation-container restriction (needs a running
>     exim daemon).
>   * Add ${run } expansion test to tests/basic.
>   * Update code to 4.96.2, fixing issues with the proxy protocol
>     (CVE-2023-42117) and the `dnsdb` lookup subsystem (CVE-2023-42219). It
>     also includes additional hardening for spf lookups, however CVE-2023-42218
The mentioned CVEs have typos. I believe this should be CVE-2023-42117
and CVE-2023-42119 (and, for completeness, about the libspf2 mention,
CVE-2023-42118).

Regards,
Salvatore