exim: update to 4.99.3 (security release)
author Daniel Golle <redacted>
Fri, 8 May 2026 17:14:04 +0000 (18:14 +0100)
committer Daniel Golle <redacted>
Thu, 14 May 2026 22:13:25 +0000 (23:13 +0100)
commit 82d729ced2d59d4e69e77fb0d03a4e915116d7d1
tree a20cacd479741711c04a4d4d2a625dfbbbe795aa
parent 2ac8367f3a82e8aaad54c0570e589cd3f6ca02e8
exim: update to 4.99.3 (security release)

4.99.3 (security release):
 * Addresses EXIM-Security-2026-05-01.1: a remotely reachable
   Use-After-Free vulnerability in Exim's BDAT (binary data
   transmission) body parsing path when using the GnuTLS
   backend. This can lead to heap corruption and potential code
   execution. Affects 4.97 through 4.99.x when built with GnuTLS
   support AND with STARTTLS and CHUNKING advertised.
   Reported by xbow security.

Previous security releases folded into this bump:

4.99.2 (security release):
 * Addresses Exim-Security-2026-04.1, covering 4 CVEs:
   - CVE-2026-40684: Possible crash with malicious DNS data (musl libc)
   - CVE-2026-40685: Possible OOB read/write on corrupt JSON in header
   - CVE-2026-40686: Possible OOB read with large UTF8 trailing characters
   - CVE-2026-40687: Possible OOB read/write with SPA authenticator

4.99.1 (security release):
 * Re-incarnation of CVE-2025-26794, ports fixes from 4.98.1/4.98.2.

Link: https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/
Link: https://git.exim.org/exim.git/blob/refs/tags/exim-4.99.3:/doc/doc-txt/ChangeLog
Signed-off-by: Daniel Golle <redacted>
mail/exim/Makefile
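
A triage check for the three conditions the commit message lists for EXIM-Security-2026-05-01.1 (version in 4.97 through 4.99.x, GnuTLS build, STARTTLS and CHUNKING advertised), as an added example that is not part of this commit or of Exim. It assumes the usual `exim -bV` layout (an `Exim version` banner and a `Support for:` line) and takes the pre-TLS EHLO reply as input; the function names and sample data are constructed for illustration.

```python
import re

# Range stated in the commit message: 4.97 through 4.99.x, fixed by 4.99.3.
FIRST_AFFECTED, FIRST_FIXED = (4, 97, 0), (4, 99, 3)

# Constructed sample inputs (not captured from a real host).
SAMPLE_BV = """Exim version 4.98.2 #2 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume DKIM DNSSEC
"""
SAMPLE_EHLO = ("250-mail.example.test Hello client.example.test [192.0.2.10]\r\n"
               "250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n"
               "250-CHUNKING\r\n250-STARTTLS\r\n250 HELP\r\n")


def parse_version(bv_text):
    """Return (major, minor, patch) from the `exim -bV` banner; patch defaults to 0."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_text)
    if not m:
        raise ValueError("no Exim version banner found")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def built_with_gnutls(bv_text):
    """True if the 'Support for:' line lists GnuTLS as a build feature."""
    for line in bv_text.splitlines():
        if line.startswith("Support for:"):
            return "GnuTLS" in line.split()
    return False


def ehlo_keywords(ehlo_reply):
    """Set of extension keywords from a multi-line 250 EHLO reply."""
    keywords = set()
    for line in ehlo_reply.splitlines()[1:]:  # first line is the greeting
        m = re.match(r"250[- ](\S+)", line)
        if m:
            keywords.add(m.group(1).upper())
    return keywords


def exposed(bv_text, ehlo_reply):
    """True only when all three conditions from the commit message hold."""
    in_range = FIRST_AFFECTED <= parse_version(bv_text) < FIRST_FIXED
    advertised = {"STARTTLS", "CHUNKING"} <= ehlo_keywords(ehlo_reply)
    return in_range and built_with_gnutls(bv_text) and advertised


if __name__ == "__main__":
    print("exposed:", exposed(SAMPLE_BV, SAMPLE_EHLO))
```

A `False` result only means these three conditions are not all met; the 4.99.1 and 4.99.2 fixes folded into this bump have their own conditions and are not covered by the check.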