openSUSE-SU-2024:0007-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2024:0007-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/openSUSE-SU-2024:0007-1
Related
Published
2024-01-03T20:12:49Z
Modified
2024-01-03T20:12:49Z
Summary
Security update for exim
Details

This update for exim fixes the following issues:

exim was updated to 4.97.1 (boo#1218387, CVE-2023-51766):

  • Fixes for the smtp protocol smuggling (CVE-2023-51766)

exim was updated to exim 4.96:

  • Move from using the pcre library to pcre2.
  • Constification work in the filters module required a major version bump for the local-scan API. Specifically, the 'headers_charset' global which is visible via the API is now const and may therefore not be modified by local-scan code.
  • Bug 2819: speed up command-line messages being read in. Previously a time check was being done for every character; replace that with one per buffer.
  • Bug 2815: Fix ALPN sent by server under OpenSSL. Previously the string sent was prefixed with a length byte.
  • Change the SMTP feature name for pipelining connect to be compliant with RFC 5321. Previously Dovecot (at least) would log errors during submission.
  • Fix macro-definition during '-be' expansion testing. The move to write-protected store for macros had not accounted for these runtime additions; fix by removing this protection for '-be' mode.
  • Convert all uses of select() to poll().
  • Fix use of $senderhostname in daemon process. When used in certain main-section options or in a connect ACL, the value from the first ever connection was never replaced for subsequent connections.
  • Bug 2838: Fix for i32lp64 hard-align platforms
  • Bug 2845: Fix handling of tlsrequireciphers for OpenSSL when a value with underbars is given.
  • Bug 1895: TLS: Deprecate RFC 5114 Diffie-Hellman parameters.
  • Debugging initiated by an ACL control now continues through into routing and transport processes.
  • The 'expand' debug selector now gives more detail, specifically on the result of expansion operators and items.
  • Bug 2751: Fix include_directory in redirect routers. Previously a bad comparison between the option value and the name of the file to be included was done, and a mismatch was wrongly identified.
  • Support for Berkeley DB versions 1 and 2 is withdrawn.
  • When built with NDBM for hints DB's check for nonexistence of a name supplied as the db file-pair basename.
  • Remove the 'allowinsecuretainteddata' main config option and the 'taint' logselector.
  • Fix static address-list lookups to properly return the matched item. Previously only the domain part was returned.
  • The ${run} expansion item now expands its command string elements after splitting. Previously it was before; the new ordering makes handling zero-length arguments simpler.
  • Taint-check exec arguments for transport-initiated external processes. Previously, tainted values could be used. This affects 'pipe', 'lmtp' and 'queryprogram' transport, transport-filter, and ETRN commands. The ${run} expansion is also affected: in 'preexpand' mode no part of the command line may be tainted, in default mode the executable name may not be tainted.
  • Fix CHUNKING on a continued-transport. Previously the usabilility of the facility was not passed across execs, and only the first message passed over a connection could use BDAT; any further ones using DATA.
  • Support the PIPECONNECT facility in the smtp transport when the helodata uses $sendingip_address and an interface is specified.
  • OpenSSL: fix transport-required OCSP stapling verification under session resumption.
  • TLS resumption: the key for session lookup in the client now includes more info that a server could potentially use in configuring a TLS session, avoiding oferring mismatching sessions to such a server.
  • Fix string_copyn() for limit greater than actual string length.
  • Bug 2886: GnuTLS: Do not free the cached creds on transport connection close; it may be needed for a subsequent connection.
  • Fix CHUNKING for a second message on a connection when the first was rejected.
  • Fix ${srs_encode ...} to handle an empty sender address, now returning an empty address.
  • Bug 2855: Handle a v4mapped sender address given us by a frontending proxy.

update to exim 4.95

  • includes taintwarn (taintwarn.patch)
  • fast-ramp queue run
  • native SRS
  • TLS resumption
  • LMDB lookups with single key
  • smtp transport option 'messagelinelengthlimit'
  • optionally ignore lookup caches
  • quota checking for appendfile transport during message reception
  • sqlite lookups allow a 'file=<path>' option
  • lsearch lookups allow a 'ret=full' option
  • command line option for the notifier socket
  • faster TLS startup
  • new main config option 'proxyprotocoltimeout'
  • expand 'smtpacceptmaxperconnection'
  • log selector 'queuesizeexclusive'
  • main config option 'smtpbacklogmonitor'
  • main config option 'hostsrequirehelo'
  • main config option 'allowinsecuretainted_data'
References

Affected packages

SUSE:Package Hub 15 SP5 / exim

Package

Name
exim
Purl
pkg:rpm/suse/exim&distro=SUSE%20Package%20Hub%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.97.1-bp155.5.9.1

Ecosystem specific

{
    "binaries": [
        {
            "eximstats-html": "4.97.1-bp155.5.9.1",
            "exim": "4.97.1-bp155.5.9.1",
            "eximon": "4.97.1-bp155.5.9.1"
        }
    ]
}

openSUSE:Leap 15.5 / exim

Package

Name
exim
Purl
pkg:rpm/opensuse/exim&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.97.1-bp155.5.9.1

Ecosystem specific

{
    "binaries": [
        {
            "eximstats-html": "4.97.1-bp155.5.9.1",
            "exim": "4.97.1-bp155.5.9.1",
            "eximon": "4.97.1-bp155.5.9.1"
        }
    ]
}