Hi, Exim 4.98 has been released a few weeks ago as per https://lists.exim.org/lurker/message/20240710.155945.8823670d.en.html Reproducible: Always
Security Changes: * Fixed CVE-2024-39929 - Incorrect parsing of multiline rfc2231 header filename This release also contains the previous fixes for CVE-2023-51766 in 4.97.1 New stuff we've added since 4.97: * The dkim_status ACL condition may now be used in data ACLs * The dkim_verbose logging control also enables logging of signing * The dkim_timestamps signing option now accepts zero to include a current timestamp but no expiry timestamp. Code by Simon Arlott; testsuite additions by jgh. * The recipients_max main option is now expanded. * Setting variables for "exim -be" can set a tainted value. * A dns:fail event. * The dsearch lookup supports search for a sub-path. * Include mailtest utility for simple connection checking. * Add SMTP WELLKNOWN extension. * Sqlite3 can be used for the hints databases (vs. DBD, NDB, GBDM, TDB). Add "USE_SQLITE = y" and "DBMLIB = -lsqlite3" in Local/Makefile, to override the settings done in the OS/Makefile-<platform> file. Notable changes: * Fix TLS resumption for TLS-on-connect. * Tighten up parsing of DKIM DNS records.
For the CVE we applied a backport to the previous release. I'm not very eager to upgrade Exim right now because of experiences with previous releases that were not good. I'll keep an eye on what happens upstream and go from there.
(In reply to Fabian Groffen from comment #2) > For the CVE we applied a backport to the previous release. > > I'm not very eager to upgrade Exim right now because of experiences with > previous releases that were not good. I'll keep an eye on what happens > upstream and go from there. I perfectly understand that. The main reason I was asking for the version bump is more specifically about the dkim_status ACL condition now available as I also had noticed that the fix for the CVE was backported. Maybe we can version bump the package and keep it ~keyworded or even masked for a while to learn from people living with edge packages ?
Yes, if you're looking for 4.98 then adding it masked is a perfectly fine solution. I don't have the cycles right now to try and get the ebuild working, but in any way I'll try to get the ebuild in the tree in the coming weeks.
(In reply to Fabian Groffen from comment #4) > I don't have the cycles right now to try and get the ebuild > working, but in any way I'll try to get the ebuild in the tree in the coming > weeks. Thanks Flavian
As it stands, exim_tinydb segfaults due to an invalid free. So 4.98 is not likely to get unmasked.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c11a6aa7cbedbd8107a4e9a3bde16ace888b16d1 commit c11a6aa7cbedbd8107a4e9a3bde16ace888b16d1 Author: Fabian Groffen <grobian@gentoo.org> AuthorDate: 2024-09-02 08:20:17 +0000 Commit: Fabian Groffen <grobian@gentoo.org> CommitDate: 2024-09-02 08:21:49 +0000 mail-mta/exim-4.98: version bump This version will be masked until we figure out why exim_tinydb segfaults due to an invalid free(). Daemon seems to run though. Closes: https://bugs.gentoo.org/938473 Signed-off-by: Fabian Groffen <grobian@gentoo.org> mail-mta/exim/Manifest | 2 + mail-mta/exim/exim-4.98.ebuild | 640 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 642 insertions(+)
