UbuntuUpdates.org

Package "exim4-daemon-light"

Name: exim4-daemon-light

Description:

lightweight Exim MTA (v4) daemon
Latest version: 4.97-4ubuntu4.4
Release: noble (24.04)
Level: security
Repository: main
Head package: exim4
Homepage: https://www.exim.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "exim4-daemon-light"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "exim4-daemon-light" in Noble

Repository Area Version
base main 4.97-4ubuntu4
updates main 4.97-4ubuntu4.4

Changelog

Version: 4.97-4ubuntu4.4 2026-05-04 15:35:34 UTC

  exim4 (4.97-4ubuntu4.4) noble-security; urgency=medium

  * SECURITY UPDATE: Multiple security issues
    - debian/patches/CVE-2026-4068*.patch: backported upstream fixes.
    - CVE-2026-40685 - Possible OOB read/write on corrupt JSON in header
    - CVE-2026-40686 - Possible OOB read with large UTF8 trailing chars
    - CVE-2026-40687 - Possible OOB read/write with SPA authenticator

 -- Marc Deslauriers <email address hidden> Wed, 29 Apr 2026 13:16:58 -0400
Source diff to previous version
CVE-2026-4068 The Add Custom Fields to Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.3. This is
CVE-2026-40685 In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrus
CVE-2026-40686 In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF-
CVE-2026-40687 In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes

Version: 4.97-4ubuntu4.3 2025-03-26 18:07:37 UTC

  exim4 (4.97-4ubuntu4.3) noble-security; urgency=medium

  * SECURITY UPDATE: use-after-free security issue
    - debian/patches/CVE-2025-30232.patch: null out debug_pretrigger_buf
      pointer before freeing the buffer in src/debug.c.
    - CVE-2025-30232

 -- Marc Deslauriers <email address hidden> Fri, 21 Mar 2025 10:14:44 -0400
Source diff to previous version

Version: 4.97-4ubuntu4.1 2024-07-31 21:07:10 UTC

  exim4 (4.97-4ubuntu4.1) noble-security; urgency=medium

  * SECURITY UPDATE: Multiline header filename parsing issue
    - debian/patches/CVE-2024-39929-*.patch: Fix MIME parsing of filenames
      specified using multiple parameters.
    - CVE-2024-39929

 -- Fabian Toepfer <email address hidden> Tue, 30 Jul 2024 21:17:37 +0200
CVE-2024-39929 Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protecti


About   -   Send Feedback to @ubuntu_updates