- What: Security update for exim4 addressing a vulnerability in handling PROXY frames.
- Impact: Debian users should apply the update to secure their mail transport agent.

[SECURITY] [DSA 6309-1] exim4 security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6309-1] exim4 security update
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 29 May 2026 15:44:07 +0000
Message-id: <E1wSzNX-00000001c1b-0g0G@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-6309-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 29, 2026                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2026-48840

Warisjeet Singh discovered that Exim, a mail transport agent, does not
properly handle PROXY frames whose declared payload length is too short
for the claimed address family, which may result in information
disclosure in configurations with SUPPORT_PROXY and 'host_proxy' set.

For the oldstable distribution (bookworm), this problem has been fixed
in version 4.96-15+deb12u10.

For the stable distribution (trixie), this problem has been fixed in
version 4.98.2-1+deb13u3.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
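
The advisory describes the bug class but shows no code. The following C example is added here for illustration and is not Exim's code or part of the advisory: it shows the receiver-side check that rejects a frame whose declared length cannot hold the address block its family claims. It assumes the binary PROXY protocol v2 header layout; all function and enum names are hypothetical, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PROXY protocol v2 header: 12-byte signature, ver/cmd, family/proto, 16-bit length. */
static const uint8_t PP2_SIG[12] = {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A};
enum { PP2_HDR_LEN = 16 };
enum pp2_result { PP2_OK, PP2_INCOMPLETE, PP2_BAD_SIG, PP2_BAD_VERSION,
                  PP2_BAD_FAMILY, PP2_SHORT_FOR_FAMILY };

/* Size of the address block each family requires (high nibble of byte 13). */
static int pp2_addr_len(uint8_t fam)
{
    switch (fam >> 4) {
    case 0x0: return 0;    /* AF_UNSPEC: no addresses */
    case 0x1: return 12;   /* IPv4: 4+4 address bytes, 2+2 port bytes */
    case 0x2: return 36;   /* IPv6: 16+16 address bytes, 2+2 port bytes */
    case 0x3: return 216;  /* AF_UNIX: 108+108 path bytes */
    default:  return -1;
    }
}

/* Validate a frame before any address field is read. On PP2_OK, *addr_len
   is the number of bytes that may safely be parsed starting at buf + 16. */
enum pp2_result pp2_validate(const uint8_t *buf, size_t have, size_t *addr_len)
{
    if (have < PP2_HDR_LEN) return PP2_INCOMPLETE;
    if (memcmp(buf, PP2_SIG, sizeof PP2_SIG) != 0) return PP2_BAD_SIG;
    if ((buf[12] >> 4) != 0x2) return PP2_BAD_VERSION;
    size_t declared = ((size_t)buf[14] << 8) | buf[15];   /* network byte order */
    int need = pp2_addr_len(buf[13]);
    if (need < 0) return PP2_BAD_FAMILY;
    /* The declared length must cover the block the claimed family requires ... */
    if (declared < (size_t)need) return PP2_SHORT_FOR_FAMILY;
    /* ... and those bytes must actually have been received. */
    if (have - PP2_HDR_LEN < declared) return PP2_INCOMPLETE;
    *addr_len = (size_t)need;
    return PP2_OK;
}

/* Constructed sample: a v2 PROXY-command frame with the given family byte and
   declared length, followed by `payload` zero bytes, run through the validator. */
enum pp2_result pp2_check_sample(uint8_t fam, uint16_t declared, size_t payload)
{
    uint8_t frame[PP2_HDR_LEN + 256] = {0};
    size_t n = 0;
    memcpy(frame, PP2_SIG, sizeof PP2_SIG);
    frame[12] = 0x21;                          /* version 2, command PROXY */
    frame[13] = fam;
    frame[14] = (uint8_t)(declared >> 8); frame[15] = (uint8_t)(declared & 0xFF);
    return pp2_validate(frame, PP2_HDR_LEN + (payload > 256 ? 256 : payload), &n);
}
```

Without the `PP2_SHORT_FOR_FAMILY` check, a parser that trusts the family byte would read address fields beyond the bytes the sender declared, which is how stale buffer contents can end up in logged or exposed address strings.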