Upstream: tbd
Debian: 4.97~RC3-1
Ubuntu: 4.96-17ubuntu2
Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.
If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.
### New Debian Changes ###
exim4 (4.97~RC3-1) unstable; urgency=medium
* New upstream version, drop patches pulled from master.
-- Andreas Metzler <email address hidden> Sun, 22 Oct 2023 07:31:26 +0200
exim4 (4.97~RC2-2) unstable; urgency=high
* 76_changesfrom_4.96.2.diff: Pull fixes for CVE-2023-42117 and
CVE-2023-42119 from upstream GIT master. Closes: #1053310
-- Andreas Metzler <email address hidden> Mon, 16 Oct 2023 18:26:40 +0200
exim4 (4.97~RC2-1) unstable; urgency=low
* Generate /etc/default/exim4 in exim4-config.postinst instead of
/etc/default/exim. Closes: #1053788
* Also remove the unused file and generate the correct one if missing.
* New upstream version.
+ Drop 75-01-Auths*.diff.
* Add two post-release fixes:
+ 75-01-Fix-crash-in-SPF-DNS-usage.patch
+ 75-02-SPF-harden-against-crafted-DNS-responses.patch
-- Andreas Metzler <email address hidden> Wed, 11 Oct 2023 18:56:28 +0200
exim4 (4.97~RC1-2) unstable; urgency=high
* Address SPA authenticator vulnerabilities (CVE-2023-42114, CVE-2023-42115,
CVE-2023-42116)
- Auths: fix possible OOB write in external authenticator (CVE-2023-42115)
- Auths: use uschar more in spa authenticator
- Auths: fix possible OOB write in SPA authenticator (CVE-2023-42116)
- Auths: fix possible OOB read in SPA authenticator (CVE-2023-42114)
-- Andreas Metzler <email address hidden> Sun, 01 Oct 2023 18:04:33 +0200
exim4 (4.97~RC1-1) unstable; urgency=medium
[ Helmut Grohne ]
* Fix FTBFS when dh_installsystemd installs units to /usr.
Closes: #1053110
[ Andreas Metzler ]
* New upstream version.
+ Drop 75_01-Fix-tr.-and-empty-strings.-Bug-3023.patch.
-- Andreas Metzler <email address hidden> Sat, 30 Sep 2023 11:29:26 +0200
exim4 (4.97~RC0-3) unstable; urgency=medium
* Drop misleading phrase regarding incoming TLS support in README.Debian.
Closes: #1051945
* Improve on description of group setting for pipe deliveries in
README.Debian.
* 75_01-Fix-tr.-and-empty-strings.-Bug-3023.patch from upstream GIT master
fixing crashes in string expansion.
https://bugs.exim.org/show_bug.cgi?id=3023
-- Andreas Metzler <email address hidden> Tue, 19 Sep 2023 18:04:22 +0200
exim4 (4.97~RC0-2) unstable; urgency=low
* Fix URL of specific upstream exim bugreport in README.Debian.
* Upload to unstable.
* Add NEWS entry for format change of internal ID used for message
identification. (See upstream changelog JH/29!)
* Generate manpage for exim_msgdate(8) with pod2man and ship it.
* Add manpage for exim_id_update.
-- Andreas Metzler <email address hidden> Sun, 10 Sep 2023 14:04:49 +0200
exim4 (4.97~RC0-1) experimental; urgency=low
* New upstream version.
+ Drop cherry-picked patches.
+ Unfuzz 90_localscan_dlopen.dpatch.
+ Add b-d and -basde dep on libfile-fcntllock-perl.
+ Update example conf md5 hash (no changes to merge).
* Let -base depend on ${perl:Depends}.
-- Andreas Metzler <email address hidden> Sat, 09 Sep 2023 13:53:15 +0200
exim4 (4.96-22) unstable; urgency=low
* Fix architecture all build.
-- Andreas Metzler <email address hidden> Sat, 02 Sep 2023 15:41:28 +0200
exim4 (4.96-21) unstable; urgency=low
* tests/basic: Add isolation-container restriction (needs a running
exim daemon).
* Add ${run } expansion test to tests/basic.
* Replace 75_78-Fix-free-of-value-after-run.patch with
75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch fixing
$value expansion after ${run ..}.
* Upload to unstable.
-- Andreas Metzler <email address hidden> Sat, 02 Sep 2023 13:49:33 +0200
### Old Ubuntu Delta ###
exim4 (4.96-17ubuntu2) mantic; urgency=medium
* SECURITY UPDATE: information disclosure
- debian/patches/CVE-2023-42114.patch: fix possible OOB read in
SPA authenticator
- CVE-2023-42114
* SECURITY UPDATE: remote code execution
- debian/patches/CVE-2023-42115.patch: fix possible OOB write in
external authenticator
- CVE-2023-42115
* SECURITY UPDATE: remote code execution
- debian/patches/CVE-2023-42116.patch: fix possible OOB write in
SPA authenticator
- CVE-2023-42116
* debian/patches/CVE-2023-42114_15_16.patch:
- use uschar more in spa authenticator
-- Allen Huang <email address hidden> Tue, 03 Oct 2023 14:35:45 +0100
exim4 (4.96-17ubuntu1) mantic; urgency=medium
* Merge with Debian unstable (LP: #2030098). Remaining changes:
- Disable external SPF support to avoid Build-Depends on libspf2-dev
(only available in universe). SPF can still be implemented via
spf-tools-perl, as documented in exim4.conf.template. This reverts
Vcs-Git commit 494f1fe, first released in 4.95~RC0-1.
(LP #1952738)
+ d/control: drop Build-Depends on libspf2-dev.
+ d/EDITME.exim4-heavy.diff: disable support for libspf2.
+ d/d/c/a/30_exim4-config_check_rcpt: restore SPF logic based
on spfquery.mail-spf-perl from spf-tools-perl, but without
the previously supported helo detection.
- Show Ubuntu distribution in SMTP banner
+ d/p/fix_smtp_banner.patch: Show Ubuntu distribution
in SMTP banner.
+ Build-Depends on lsb-release to detect Distribution.
* Dropped:
- d/p/fix-run--arg-parsing.patch: Fix argument parsing for ${run }
expansion. Previously, when an argument included a close-brace
character (e.g. it itself used an expansion) an error occurred.
(LP #1998678)
[Accepted by Debian in 4.96-16]
-- Bryce Harrington <email address hidden> Fri, 04 Aug 2023 20:28:47 -0700