two bugs in exim 3.35, one of them present in exim 4.32 http://www.guninski.com/exim1.html
Confirmed: CAN-2004-0400: When headers_check_syntax is configured in exim.conf a buffer overflow can happen during the header check. CAN-2004-0399 only applies to exim3, which disappeared from the tree since Nov 2002. Apparently version 4.33 does not include the fix, Debian seems to have applied a patch to it to fix, see:
http://packages.qa.debian.org/e/exim4.html
http://www.debian.org/security/2004/dsa-501
*** Bug 50492 has been marked as a duplicate of this bug. ***
Adding peitolm to the bug since he's not on the net-mail alias, but is the maintainer of exim.
OK I cleared this up : 4.33 is not sufficient to fix, we need 4.33 + Philip Hazel patch at : http://www.exim.org/pipermail/exim-users/Week-of-Mon-20040503/071126.html
I've added this patch to the exim 4.33-r1 ebuild that's been in portage for 3 hours or so (forgot to update this bug to say). I personally don't use headers_check_syntax, so I've not immediately bumped it to stable, but it does appear to work, and if I can get independent confirmation from someone that uses headers_check_syntax, then I'll bump, if not I'll bump it tomorrow.
Arch maintainers please read this bug then test/(stable?) if you can.
Arch maintainer ignore the previous test request. Peti says he can test for all arches.
Some confusion here, I can test and will mark a stable for both x86 and sparc, however I've never tested exim on any other arch, even though they've got previous stable flags, could hppa, ppc, amd64 and alpha please test.
Arch     Last Stable Revision
x86      exim-4.32-r1
sparc    exim-4.32-r1
ppc      exim-4.24-r3
hppa     exim-4.21
amd64    exim-4.21
alpha    None in Portage
Arch-maintainers, I'll leave it up to you to let me know if exim-4.33-r1 is stable for you, (minimum of being able to compile, start and send an email through it). I'm happy to do the testing myself, I just don't have access to these archs yet.
Adding in the relevant arch-maintainers
Philip Hazel (Exim author) has released 4.34, which includes a fix for this, so if you haven't tested 4.31-r1, or indeed if you have and haven't told me, can you test 4.34 please. I'll add this to portage within the next few hours. (I'll update this bug when it's in.)
exim 4.34 now in cvs, would the relevant archs please test.
GLSA drafted, waiting for stable on 4.33-r1 and/or 4.34
Fixed on amd64
Marked 4.34 stable on hppa.
Obviously I forgot a few arches.
Target keywords are: x86 ppc sparc ~alpha hppa amd64
We currently have: ~x86 ~sparc alpha hppa amd64
x86, sparc, ppc: please test and mark net-mail/exim-4.34 stable
Koon, please read back through my previous comments, specifically "I can test and will mark a stable for both x86 and sparc", so I'm removing those archs again, and we're just waiting for ppc to respond.
Well, I've marked Exim 4.34 stable on x86 and sparc, so we're just waiting for ppc to confirm then we can go ahead and start to mask the old versions
ppc folks -- can you please test/mark stable?
marked ppc sorry for the delay
GLSA drafted
GLSA 200405-07