Comment 0 for bug 2040379

Bryce Harrington (bryce) wrote :

Upstream: tbd
Debian: 4.97~RC3-1
Ubuntu: 4.96-17ubuntu2

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.

If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.

### New Debian Changes ###

exim4 (4.97~RC3-1) unstable; urgency=medium

  * New upstream version, drop patches pulled from master.

 -- Andreas Metzler <email address hidden> Sun, 22 Oct 2023 07:31:26 +0200

exim4 (4.97~RC2-2) unstable; urgency=high

  * 76_changesfrom_4.96.2.diff: Pull fixes for CVE-2023-42117 and
    CVE-2023-42119 from upstream GIT master. Closes: #1053310

 -- Andreas Metzler <email address hidden> Mon, 16 Oct 2023 18:26:40 +0200

exim4 (4.97~RC2-1) unstable; urgency=low

  * Generate /etc/default/exim4 in exim4-config.postinst instead of
    /etc/default/exim. Closes: #1053788
  * Also remove the unused file and generate the correct one if missing.
  * New upstream version.
    + Drop 75-01-Auths*.diff.
  * Add two post-release fixes:
    + 75-01-Fix-crash-in-SPF-DNS-usage.patch
    + 75-02-SPF-harden-against-crafted-DNS-responses.patch

 -- Andreas Metzler <email address hidden> Wed, 11 Oct 2023 18:56:28 +0200

exim4 (4.97~RC1-2) unstable; urgency=high

  * Address SPA authenticator vulnerabilities (CVE-2023-42114, CVE-2023-42115,
    CVE-2023-42116)
    - Auths: fix possible OOB write in external authenticator (CVE-2023-42115)
    - Auths: use uschar more in spa authenticator
    - Auths: fix possible OOB write in SPA authenticator (CVE-2023-42116)
    - Auths: fix possible OOB read in SPA authenticator (CVE-2023-42114)

 -- Andreas Metzler <email address hidden> Sun, 01 Oct 2023 18:04:33 +0200

exim4 (4.97~RC1-1) unstable; urgency=medium

  [ Helmut Grohne ]
  * Fix FTBFS when dh_installsystemd installs units to /usr.
    Closes: #1053110

  [ Andreas Metzler ]
  * New upstream version.
    + Drop 75_01-Fix-tr.-and-empty-strings.-Bug-3023.patch.

 -- Andreas Metzler <email address hidden> Sat, 30 Sep 2023 11:29:26 +0200

exim4 (4.97~RC0-3) unstable; urgency=medium

  * Drop misleading phrase regarding incoming TLS support in README.Debian.
    Closes: #1051945
  * Improve on description of group setting for pipe deliveries in
    README.Debian.
  * 75_01-Fix-tr.-and-empty-strings.-Bug-3023.patch from upstream GIT master
    fixing crashes in string expansion.
    https://bugs.exim.org/show_bug.cgi?id=3023

 -- Andreas Metzler <email address hidden> Tue, 19 Sep 2023 18:04:22 +0200

exim4 (4.97~RC0-2) unstable; urgency=low

  * Fix URL of specific upstream exim bugreport in README.Debian.
  * Upload to unstable.
  * Add NEWS entry for format change of internal ID used for message
    identification. (See upstream changelog JH/29!)
  * Generate manpage for exim_msgdate(8) with pod2man and ship it.
  * Add manpage for exim_id_update.

 -- Andreas Metzler <email address hidden> Sun, 10 Sep 2023 14:04:49 +0200

exim4 (4.97~RC0-1) experimental; urgency=low

  * New upstream version.
    + Drop cherry-picked patches.
    + Unfuzz 90_localscan_dlopen.dpatch.
    + Add b-d and -base dep on libfile-fcntllock-perl.
    + Update example conf md5 hash (no changes to merge).
  * Let -base depend on ${perl:Depends}.

 -- Andreas Metzler <email address hidden> Sat, 09 Sep 2023 13:53:15 +0200

exim4 (4.96-22) unstable; urgency=low

  * Fix architecture all build.

 -- Andreas Metzler <email address hidden> Sat, 02 Sep 2023 15:41:28 +0200

exim4 (4.96-21) unstable; urgency=low

  * tests/basic: Add isolation-container restriction (needs a running
    exim daemon).
  * Add ${run } expansion test to tests/basic.
  * Replace 75_78-Fix-free-of-value-after-run.patch with
    75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch fixing
    $value expansion after ${run ..}.
  * Upload to unstable.

 -- Andreas Metzler <email address hidden> Sat, 02 Sep 2023 13:49:33 +0200

### Old Ubuntu Delta ###

exim4 (4.96-17ubuntu2) mantic; urgency=medium

  * SECURITY UPDATE: information disclosure
    - debian/patches/CVE-2023-42114.patch: fix possible OOB read in
      SPA authenticator
    - CVE-2023-42114
  * SECURITY UPDATE: remote code execution
    - debian/patches/CVE-2023-42115.patch: fix possible OOB write in
      external authenticator
    - CVE-2023-42115
  * SECURITY UPDATE: remote code execution
    - debian/patches/CVE-2023-42116.patch: fix possible OOB write in
      SPA authenticator
    - CVE-2023-42116
  * debian/patches/CVE-2023-42114_15_16.patch:
    - use uschar more in spa authenticator

 -- Allen Huang <email address hidden> Tue, 03 Oct 2023 14:35:45 +0100

exim4 (4.96-17ubuntu1) mantic; urgency=medium

  * Merge with Debian unstable (LP: #2030098). Remaining changes:
    - Disable external SPF support to avoid Build-Depends on libspf2-dev
      (only available in universe). SPF can still be implemented via
      spf-tools-perl, as documented in exim4.conf.template. This reverts
      Vcs-Git commit 494f1fe, first released in 4.95~RC0-1.
      (LP #1952738)
      + d/control: drop Build-Depends on libspf2-dev.
      + d/EDITME.exim4-heavy.diff: disable support for libspf2.
      + d/d/c/a/30_exim4-config_check_rcpt: restore SPF logic based
        on spfquery.mail-spf-perl from spf-tools-perl, but without
        the previously supported helo detection.
    - Show Ubuntu distribution in SMTP banner
      + d/p/fix_smtp_banner.patch: Show Ubuntu distribution
        in SMTP banner.
      + Build-Depends on lsb-release to detect Distribution.
  * Dropped:
    - d/p/fix-run--arg-parsing.patch: Fix argument parsing for ${run }
      expansion. Previously, when an argument included a close-brace
      character (e.g. it itself used an expansion) an error occurred.
      (LP #1998678)
      [Accepted by Debian in 4.96-16]

 -- Bryce Harrington <email address hidden> Fri, 04 Aug 2023 20:28:47 -0700