Debian Exim4 vulnerabilities

CVE-2019-16928 [CRITICAL] CVE-2019-16928: exim4 - Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability... Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command. Scope: local bookworm: resolved (fixed in 4.92.2-3) bullseye: resolved (fixed in 4.92.2-3) forky: resolved (fixed in 4.92.2-3) sid: resolved (fixed in 4.92.2-3) trix

CVE-2019-10149 [CRITICAL] CVE-2019-10149: exim4 - A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation ... A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution. Scope: local bookworm: resolved (fixed in 4.92~RC3-1) bullseye: resolved (fixed in 4.92~RC3-1) forky: resolved (fixed in 4.92~RC3-1) sid: resolved (fixed in 4.92~RC3-1) trixie: re

CVE-2018-6789 [CRITICAL] CVE-2018-6789: exim4 - An issue was discovered in the base64d function in the SMTP listener in Exim bef... An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely. Scope: local bookworm: resolved (fixed in 4.90.1-1) bullseye: resolved (fixed in 4.90.1-1) forky: resolved (fixed in 4.90.1-1) sid: resolved (fixed in 4.90.1-1) trixie:

CVE-2017-16943 [CRITICAL] CVE-2017-16943: exim4 - The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 a... The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands. Scope: local bookworm: resolved (fixed in 4.89-12) bullseye: resolved (fixed in 4.89-12) forky: resolved (fixed in 4.89-12) sid: resolved (fixed in 4.89-1

CVE-2017-16944 [HIGH] CVE-2017-16944: exim4 - The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 a... The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function. Scope: local bookworm: resolved (fixed in 4.89-13) bu

CVE-2017-1000369 [MEDIUM] CVE-2017-1000369: exim4 - Exim supports the use of multiple "-p" command line arguments which are malloc()... Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not

CVE-2016-1531 [HIGH] CVE-2016-1531: exim4 - Exim before 4.86.2, when installed setuid root, allows local users to gain privi... Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument. Scope: local bookworm: resolved (fixed in 4.86.2-1) bullseye: resolved (fixed in 4.86.2-1) forky: resolved (fixed in 4.86.2-1) sid: resolved (fixed in 4.86.2-1) trixie: resolved (fixed in 4.86.2-1)

CVE-2016-9963 [MEDIUM] CVE-2016-9963: exim4 - Exim before 4.87.1 might allow remote attackers to obtain the private DKIM signi... Exim before 4.87.1 might allow remote attackers to obtain the private DKIM signing key via vectors related to log files and bounce messages. Scope: local bookworm: resolved (fixed in 4.88~RC6-2) bullseye: resolved (fixed in 4.88~RC6-2) forky: resolved (fixed in 4.88~RC6-2) sid: resolved (fixed in 4.88~RC6-2) trixie: resolved (fixed in 4.88~RC6-2)

CVE-2014-2972 [MEDIUM] CVE-2014-2972: exim4 - expand.c in Exim before 4.83 expands mathematical comparisons twice, which allow... expand.c in Exim before 4.83 expands mathematical comparisons twice, which allows local users to gain privileges and execute arbitrary commands via a crafted lookup value. Scope: local bookworm: resolved (fixed in 4.82.1-2) bullseye: resolved (fixed in 4.82.1-2) forky: resolved (fixed in 4.82.1-2) sid: resolved (fixed in 4.82.1-2) trixie: resolved (fixed in 4.82.1-2)

CVE-2014-2957 [MEDIUM] CVE-2014-2957: exim4 - The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_D... The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_DMARC is enabled, allows remote attackers to execute arbitrary code via the From header in an email, which is passed to the expand_string function. Scope: local bookworm: resolved (fixed in 4.82.1-1) bullseye: resolved (fixed in 4.82.1-1) forky: resolved (fixed in 4.82.1-1) sid: resolved (f

CVE-2012-5671 [MEDIUM] CVE-2012-5671: exim4 - Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in ... Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM support is enabled and acl_smtp_connect and acl_smtp_rcpt are not set to "warn control = dkim_disable_verify," allows remote attackers to execute arbitrary code via an email from a malicious DNS server. Scope: local bookworm: resolved (fixed in 4.80-5.1) b

CVE-2011-1764 [HIGH] CVE-2011-1764: exim4 - Format string vulnerability in the dkim_exim_verify_finish function in src/dkim.... Format string vulnerability in the dkim_exim_verify_finish function in src/dkim.c in Exim before 4.76 might allow remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via format string specifiers in data used in DKIM logging, as demonstrated by an identity field containing a % (percent) character. Scope: local bookworm: resolved (fixed

CVE-2011-1407 [HIGH] CVE-2011-1407: exim4 - The DKIM implementation in Exim 4.7x before 4.76 permits matching for DKIM ident... The DKIM implementation in Exim 4.7x before 4.76 permits matching for DKIM identities to apply to lookup items, instead of only strings, which allows remote attackers to execute arbitrary code or access a filesystem via a crafted identity. Scope: local bookworm: resolved (fixed in 4.76-1) bullseye: resolved (fixed in 4.76-1) forky: resolved (fixed in 4.76-1) sid: resolv

CVE-2011-0017 [MEDIUM] CVE-2011-0017: exim4 - The open_log function in log.c in Exim 4.72 and earlier does not check the retur... The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack. Scope: local bookworm: resolved (fixed in 4.72-4) bullseye: resolved (fixed in 4.72-4) forky: resolved (fixed in 4.72-4) sid: resolved (fixed in 4.72-4)

CVE-2010-4344 [CRITICAL] CVE-2010-4344: exim4 - Heap-based buffer overflow in the string_vformat function in string.c in Exim be... Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging. Scope: local bookworm: resolved (fixed in 4.70-1) bullseye: resolved (fix

CVE-2010-4345 [HIGH] CVE-2010-4345: exim4 - Exim 4.72 and earlier allows local users to gain privileges by leveraging the ab... Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive. Scope: local bookworm: resolved (fixed in 4.72-3) bullseye: resolved (fixed in 4.72-3) forky: resolved (fixed in 4.72

CVE-2010-2024 [MEDIUM] CVE-2010-2024: exim4 - transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows... transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/. Scope: local bookworm: resolved (fixed in 4.72-1) bullseye: resolved (fixed in 4.72-1) forky: resolved (f

CVE-2010-2023 [MEDIUM] CVE-2010-2023: exim4 - transports/appendfile.c in Exim before 4.72, when a world-writable sticky-bit ma... transports/appendfile.c in Exim before 4.72, when a world-writable sticky-bit mail directory is used, does not verify the st_nlink field of mailbox files, which allows local users to cause a denial of service or possibly gain privileges by creating a hard link to another user's file. Scope: local bookworm: resolved (fixed in 4.72-1) bullseye: resolved (fixed in 4.72-1

CVE-2005-0021 [HIGH] CVE-2005-0021: exim4 - Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arb... Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function. Scop

CVE-2005-0022 [MEDIUM] CVE-2005-0022: exim4 - Buffer overflow in the spa_base64_to_bits function in Exim before 4.43, as origi... Buffer overflow in the spa_base64_to_bits function in Exim before 4.43, as originally obtained from Samba code, and as called by the auth_spa_client function, may allow attackers to execute arbitrary code during SPA authentication. Scope: local bookworm: resolved (fixed in 4.34-10) bullseye: resolved (fixed in 4.34-10) forky: resolved (fixed in 4.34-10) sid: resolved