Package "exim4-dev"
| Name: | exim4-dev |
| Description: | header files for the Exim MTA (v4) packages |
| Latest version: | 4.95-4ubuntu2.7 |
| Release: | jammy (22.04) |
| Level: | updates |
| Repository: | main |
| Head package: | exim4 |
| Homepage: | https://www.exim.org/ |

Changelog
exim4 (4.95-4ubuntu2.7) jammy-security; urgency=medium
* SECURITY UPDATE: Multiple security issues
- debian/patches/CVE-2026-4068*.patch: backported upstream fixes.
- CVE-2026-40685 - Possible OOB read/write on corrupt JSON in header
- CVE-2026-40686 - Possible OOB read with large UTF8 trailing chars
- CVE-2026-40687 - Possible OOB read/write with SPA authenticator
-- Marc Deslauriers <email address hidden> Wed, 29 Apr 2026 13:23:54 -0400

| CVE-2026-4068 | The Add Custom Fields to Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.3. This is |
| CVE-2026-40685 | In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrus |
| CVE-2026-40686 | In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF- |
| CVE-2026-40687 | In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes |

exim4 (4.95-4ubuntu2.6) jammy-security; urgency=medium
* SECURITY UPDATE: Multiline header filename parsing issue
- debian/patches/CVE-2024-39929-*.patch: Fix MIME parsing of filenames
specified using multiple parameters.
- CVE-2024-39929
-- Fabian Toepfer <email address hidden> Tue, 30 Jul 2024 21:25:34 +0200

| CVE-2024-39929 | Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protecti |

exim4 (4.95-4ubuntu2.5) jammy-security; urgency=medium
* SECURITY UPDATE: SMTP smuggling
- debian/patches/CVE-2023-51766-1.patch: Reject "dot, LF" as
ending data phase in src/receive.c, src/smtp_in.c.
- debian/patches/CVE-2023-51766-2.patch: use enum for body data
input state-machine in src/receive.c.
- debian/patches/CVE-2023-51766-3.patch: fix in src/receive.c.
- CVE-2023-51766
-- Leonidas Da Silva Barbosa <email address hidden> Thu, 11 Jan 2024 10:16:58 -0300

| CVE-2023-51766 | Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique t |

exim4 (4.95-4ubuntu2.4) jammy-security; urgency=medium
* SECURITY UPDATE: remote code execution
- debian/patches/CVE-2023-42117.patch: fixed string_is_ip_address()
in string.c
- CVE-2023-42117
* SECURITY UPDATE: information disclosure
- debian/patches/CVE-2023-42119.patch: hardened dnsdb.c against
crafted DNS responses.
- CVE-2023-42119
-- Allen Huang <email address hidden> Wed, 25 Oct 2023 01:36:57 +0100

| CVE-2023-42117 | Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability |
| CVE-2023-42119 | Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability |

exim4 (4.95-4ubuntu2.3) jammy-security; urgency=medium
* SECURITY UPDATE: information disclosure
- debian/patches/CVE-2023-42114.patch: fix possible OOB read in
SPA authenticator
- CVE-2023-42114
* SECURITY UPDATE: remote code execution
- debian/patches/CVE-2023-42115.patch: fix possible OOB write in
external authenticator
- CVE-2023-42115
* SECURITY UPDATE: remote code execution
- debian/patches/CVE-2023-42116.patch: fix possible OOB write in
SPA authenticator
- CVE-2023-42116
* debian/patches/CVE-2023-42114_15_16.patch:
- use uschar more in spa authenticator
-- Allen Huang <email address hidden> Mon, 02 Oct 2023 17:10:42 +0100

| CVE-2023-42114 | Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability |
| CVE-2023-42115 | Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability |
| CVE-2023-42116 | Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability |