From: Klaus Ethgen <[email protected]>
To: Devuan Bug Tracking System <[email protected]>
Subject: bug#579: Security: Please update exim on beowulf
Date: Sun, 9 May 2021 09:59:55 +0200

Package: exim4
Version: 4.92-8+deb10u5
Severity: critical
Tags: security

Please update exim4 to 4.92-8+deb10u6 on beowulf as already in Debian.

Version 4.92-8+deb10u5 has several severe security bugs which are fixed in 4.92-8+deb10u6.

* CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
* CVE-2020-28018: Use-after-free in tls-openssl.c
* CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
* CVE-2020-28010: Heap out-of-bounds write in main()
* CVE-2020-28011: Heap buffer overflow in queue_run()
* CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
* CVE-2020-28017: Integer overflow in receive_add_recipient()
* CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
* CVE-2020-28026: Line truncation and injection in spool_read_header()
* CVE-2020-28015 and CVE-2020-28021: New-line injection into spool header file.
* CVE-2020-28009: Integer overflow in get_stdinput()
* CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
* CVE-2020-28012: Missing close-on-exec flag for privileged pipe
* CVE-2020-28019: Failure to reset function pointer after BDAT error
* CVE-2020-28007: Link attack in Exim's log directory
* CVE-2020-28008: Assorted attacks in Exim's spool directory
* CVE-2020-28014, CVE-2021-27216: Arbitrary PID file creation, clobbering, and deletion.

-- System Information:
Distributor ID: Devuan
Description: Devuan GNU/Linux 3 (beowulf)
Codename: beowulf
Architecture: x86_64

Regards
   Klaus
-- 
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <[email protected]>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C

From: "Devuan bug Tracking System" <[email protected]>
To: Klaus Ethgen <[email protected]>
Subject: bug#579: Acknowledgement (Security: Please update exim on beowulf)
Date: Sun, 09 May 2021 08:18:05 +0000

Thank you for filing a new bug report with Devuan.

You can follow progress on this bug here: 579: https://bugs.devuan.org/cgi/bugreport.cgi?bug=579.

This is an automatically generated reply to let you know your message has been received.

Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s): [email protected]

If you wish to submit further information on this problem, please send it to [email protected].

Please do not send mail to [email protected] unless you wish to report a problem with the Bug-tracking system.

-- 
579: https://bugs.devuan.org/cgi/bugreport.cgi?bug=579
Devuan Bug Tracking System
Contact [email protected] with problems

From: Mark Hindley <[email protected]>
To: Klaus Ethgen <[email protected]>, [email protected]
Subject: bug#579: Security: Please update exim on beowulf
Date: Mon, 10 May 2021 18:16:06 +0100

Control: reassign -1 amprolla

This is an amprolla issue. Reassigning.

Mark

From: "Devuan bug Tracking System" <[email protected]>
To: Mark Hindley <[email protected]>
Subject: bug#579: marked as done (Security: Please update exim on beowulf)
Date: Mon, 10 May 2021 17:48:01 +0000

Your message dated Mon, 10 May 2021 18:31:17 +0100 with message-id <[email protected]> and subject line Re: bug#579: Security: Please update exim on beowulf has caused the Devuan bug report #579, regarding Security: Please update exim on beowulf to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
579: https://bugs.devuan.org/cgi/bugreport.cgi?bug=579
Devuan Bug Tracking System
Contact [email protected] with problems

From: Mark Hindley <[email protected]>
To: [email protected]
Subject: Re: bug#579: Security: Please update exim on beowulf
Date: Mon, 10 May 2021 18:31:17 +0100

On Sun, May 09, 2021 at 09:59:55AM +0200, Klaus Ethgen wrote:
> Package: exim4
> Version: 4.92-8+deb10u5
> Severity: critical
> Tags: security
>
> Please update exim4 to 4.92-8+deb10u6 on beowulf as already in Debian.

Bad amprolla merge is now fixed (thanks rrq) and the updated exim4 packages are available in the archive.

Closing.

Mark

From: "Devuan bug Tracking System" <[email protected]>
To: Klaus Ethgen <[email protected]>
Subject: bug#579 closed by Mark Hindley <[email protected]> (Re: bug#579: Security: Please update exim on beowulf)
Date: Mon, 10 May 2021 17:48:04 +0000

This is an automatic notification regarding your bug report which was filed against the amprolla package:

#579: Security: Please update exim on beowulf

It has been closed by Mark Hindley <[email protected]>.

Their explanation is attached below along with your original report. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact Mark Hindley <mark@hindley.org.uk> by replying to this email.

-- 
579: https://bugs.devuan.org/cgi/bugreport.cgi?bug=579
Devuan Bug Tracking System
Contact [email protected] with problems

Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.
Devuan Bugs Owner <[email protected]>.
Last modified:
Sun, 1 Dec 2024 02:39:01 UTC