On Wed, 17 Dec 2025, Heiko Schlittermann via Exim-announce wrote:

Dear Exim users and maintainers,

we are pleased to announce the availability of release 4.99.1 of Exim.

This is a security release. It fixes CVE-2025-67896 (aka
EXIM-Security-2025-12-09.1), which was introduced with 4.99. Older Exim
versions may or may not be vulnerable and are not actively maintained
anymore by the Exim maintainers. (To the best of our knowledge, 4.98.1
should be safe.)

Hmm. git show be040d7df68a8cbb244aaabc37832984dafcbf55
+Exim version 4.98.2
+-------------------
+
+This is a security release, addressing CVE-2025-30232
+
+JH/01 Fix use-after-free notified by Trend Micro (ref: ZDI-CAN-26250).
+      Null out debug_pretrigger_buf pointer before freeing the buffer;
+      the use of this buffer by the storage management checks the pointer
+      for non-null before using it.
+
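Review bot: the JH/01 entry does not say which releases contain the use-after-free or which function frees debug_pretrigger_buf, so a reader cannot tell from this text alone whether an install older than 4.98.2 needs the update. Suggest stating the affected version range and the name of the freeing function alongside the CVE-2025-30232 line.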

... so I would not advise anyone that 4.98.1 is safe,
even if it is not vulnerable to CVE-2025-67896

--
Andrew C. Aitchison                      Kendal, UK
                   [email protected]
