From: bug#66304 <66304@debbugs.gnu.org>
To: bug#66304 <66304@debbugs.gnu.org>
Subject: Status: exim vulnearable to CVE-2023-42115 et al
Reply-To: bug#66304 <66304@debbugs.gnu.org>
Date: Tue, 24 Jun 2025 12:10:23 +0000

retitle 66304 exim vulnearable to CVE-2023-42115 et al
reassign 66304 guix
submitter 66304 Wilko Meyer
severity 66304 normal
tag 66304 security
thanks

From: Wilko Meyer
To: bug-guix@gnu.org
Subject: exim vulnearable to CVE-2023-42115 et al
Date: Mon, 02 Oct 2023 12:35:20 +0200
Message-ID: <87leclmhdp.fsf@wmeyer.eu>

Hi Guix,

Exim currently has unpatched vulnerabilities regarding its EXTERNAL Auth driver as well as its SPA/NTLM authenticator. According to the project[0], prospective fixes seem to be around the corner. We should probably bump the Exim version we ship to a non-vulnerable version as soon as one is available.

[0]: https://www.exim.org/static/doc/security/CVE-2023-zdi.txt

--
Kind regards,

Wilko Meyer
w@wmeyer.eu

Date: Wed, 04 Oct 2023 18:06:08 +0200
Message-Id: <87lecibcen.fsf@gnu.org>
To: control@debbugs.gnu.org
From: Ludovic Courtès
Subject: control message for bug #66304

tags 66304 + security
quit

From: Wilko Meyer
To: 66304@debbugs.gnu.org
Cc: Wilko Meyer
Subject: [PATCH] gnu: exim: Update to 4.96.1
Date: Thu, 5 Oct 2023 17:25:18 +0200
Message-Id: <7c2c42679e0ec8205ce3718d988e17868e06169e.1696519379.git.w@wmeyer.eu>

* gnu/packages/mail.scm (exim): Update to 4.96.1. --- gnu/packages/mail.scm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm index 72d971eb77..e6923627f4 100644 --- a/gnu/packages/mail.scm +++ b/gnu/packages/mail.scm @@ -52,6 +52,7 @@ ;;; Copyright © 2022 jgart ;;; Copyright © 2022 ( ;;; Copyright © 2023 Timo Wilken +;;; Copyright © 2023 Wilko Meyer ;;; ;;; This file is part of GNU Guix. ;;; @@ -1895,7 +1896,7 @@ (define-public msmtp (define-public exim (package (name "exim") - (version "4.96") + (version "4.96.1") (source (origin (method url-fetch) 
@@ -1909,7 +1910,7 @@ (define-public exim (string-append "https://ftp.exim.org/pub/exim/exim4/old/" file-name)))) (sha256 - (base32 "18ziihkpa23lybm7m2l9wp2farxw0bd5ng7xm9ylgcrfgf95d6i9")))) + (base32 "0g83cxkq3znh5b3r2a3990qxysw7d2l71jwcxaxzvq8pqdahgb4k")))) (build-system gnu-build-system) (arguments (list #:phases base-commit: ad5e4fe54a66c725dc03dedebf8e5c65723ccb74 prerequisite-patch-id: 5bde835de1e0f7e9cd752986da0585463713d745 prerequisite-patch-id: cda50d13de497f5c74c87b2def4ae6a7d5807305 prerequisite-patch-id: 7024afc52961b5947429f925c55265f29607c801 prerequisite-patch-id: 10a4f92340880065a5210c983cc878c98c075855 prerequisite-patch-id: e6610085f98fb881bada0bb27b59def23c3d7cc3 -- 2.41.0

Date: Fri, 06 Oct 2023 21:14:05 +0000
To: Wilko Meyer
From: John Kehayias
Cc: 66304-done@debbugs.gnu.org
Subject: Re: bug#66304: exim vulnearable to CVE-2023-42115 et al
Message-ID: <87wmvz8ne9.fsf_-_@protonmail.com>

Hello,

On Thu, Oct 05, 2023 at 05:25 PM, Wilko Meyer wrote:

> * gnu/packages/mail.scm (exim): Update to 4.96.1. > --- > gnu/packages/mail.scm | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm > index 72d971eb77..e6923627f4 100644 > --- a/gnu/packages/mail.scm > +++ b/gnu/packages/mail.scm > @@ -52,6 +52,7 @@ > ;;; Copyright =C2=A9 2022 jgart > ;;; Copyright =C2=A9 2022 ( > ;;; Copyright =C2=A9 2023 Timo Wilken > +;;; Copyright =C2=A9 2023 Wilko Meyer > ;;; > ;;; This file is part of GNU Guix. > ;;; > @@ -1895,7 +1896,7 @@ (define-public msmtp > (define-public exim > (package > (name "exim") > - (version "4.96") > + (version "4.96.1") > (source > (origin > (method url-fetch) 
> @@ -1909,7 +1910,7 @@ (define-public exim > (string-append "https://ftp.exim.org/pub/exim/exim4/= old/" > file-name)))) > (sha256 > - (base32 "18ziihkpa23lybm7m2l9wp2farxw0bd5ng7xm9ylgcrfgf95d6i9"))= )) > + (base32 "0g83cxkq3znh5b3r2a3990qxysw7d2l71jwcxaxzvq8pqdahgb4k"))= )) > (build-system gnu-build-system) > (arguments > (list #:phases > > base-commit: ad5e4fe54a66c725dc03dedebf8e5c65723ccb74 > prerequisite-patch-id: 5bde835de1e0f7e9cd752986da0585463713d745 > prerequisite-patch-id: cda50d13de497f5c74c87b2def4ae6a7d5807305 > prerequisite-patch-id: 7024afc52961b5947429f925c55265f29607c801 > prerequisite-patch-id: 10a4f92340880065a5210c983cc878c98c075855 > prerequisite-patch-id: e6610085f98fb881bada0bb27b59def23c3d7cc3

Thanks for the patch and quickly noticing the security issues!

Pushed as add2a22ad7bcca2521432e3f486460138401d5a5 with some added detail to the commit message. I tested that exim and a dependent builds.

John

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Sat, 04 Nov 2023 11:24:04 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
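
Review bot: The commit log line and the (version "4.96.1") change in the "define-public exim" hunk do not say that this is a security update, although the bug it answers is titled for CVE-2023-42115 et al. Please name in the commit message the CVE identifiers this release addresses, taken from the Exim advisory linked in the report, and state whether any of the reported issues remain open after 4.96.1, so the fix can be found from the history and the bug is not closed on a partial fix.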
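
Review bot: In the sha256 hunk, the new base32 value "0g83cxkq3znh5b3r2a3990qxysw7d2l71jwcxaxzvq8pqdahgb4k" cannot be checked from the patch alone, and for a security update of a mail server the provenance of the tarball matters. Please state in the submission how the hash was obtained, for example that the 4.96.1 tarball was downloaded from the upstream URI, checked against the upstream release signature, and only then hashed.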