Fix is in 4.96, please bump. https://github.com/Exim/exim/commit/51be321b27825c01829dffd90f11bfff256f7e42
This was not silently fixed, I made noise about this, and since this was considered not a big deal, we don't have 4.95 in the tree (I retracted the build-animal, for it wasn't used/acted on anyway) and 4.96 is for similar reasons masked, for newer releases of Exim are just unusable. I suggest you close this issue, as we simply don't "suffer" from this problem. % q -mvv exim # Fabian Groffen <grobian@gentoo.org> (2022-07-02) # Segfaults handling SPF validations (warn on permerror), like the # previous release, better not to trust your important mail to ~mail-mta/exim-4.96
(In reply to Fabian Groffen from comment #1) > This was not silently fixed, I made noise about this, and since this was > considered not a big deal, we don't have 4.95 in the tree (I retracted the > build-animal, for it wasn't used/acted on anyway) and 4.96 is for similar > reasons masked, for newer releases of Exim are just unusable. > > I suggest you close this issue, as we simply don't "suffer" from this > problem. The version with the patch is masked, but I'm not sure how that means it doesn't affect us?
There is another: https://github.com/ivd38/exim_overflow https://github.com/Exim/exim/commit/d4bc023436e4cce7c23c5f8bb5199e178b4cc743 https://www.openwall.com/lists/oss-security/2022/08/06/8 The first issue is CVE-2022-37451.
CVE-2022-37452: Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set.
(In reply to John Helmert III from comment #2) > The version with the patch is masked, but I'm not sure how that means it > doesn't affect us? It was introduced in 4.95, a version which we no longer have in the tree. So 4.94 and 4.96 are fine. (In reply to John Helmert III from comment #3) > There is another: > > https://github.com/ivd38/exim_overflow > https://github.com/Exim/exim/commit/d4bc023436e4cce7c23c5f8bb5199e178b4cc743 > https://www.openwall.com/lists/oss-security/2022/08/06/8 > > The first issue is CVE-2022-37451. This one is included in 4.94.2-r8 via bug #799368, and available upstream since 4.95.
(In reply to Fabian Groffen from comment #5) > (In reply to John Helmert III from comment #2) > > The version with the patch is masked, but I'm not sure how that means it > > doesn't affect us? > > It was introduced in 4.95, a version which we no longer have in the tree. > So 4.94 and 4.96 are fine. > > (In reply to John Helmert III from comment #3) > > There is another: > > > > https://github.com/ivd38/exim_overflow > > https://github.com/Exim/exim/commit/d4bc023436e4cce7c23c5f8bb5199e178b4cc743 > > https://www.openwall.com/lists/oss-security/2022/08/06/8 > > > > The first issue is CVE-2022-37451. > > This one is included in 4.94.2-r8 via bug #799368, and available upstream > since 4.95. Ah, thanks!