{"id":2230804,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2230804/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/patch/20260430044144.7757-1-bernd@kuhls.net/","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/1.1/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260430044144.7757-1-bernd@kuhls.net>","date":"2026-04-30T04:41:44","name":"[1/1] package/exim: security bump version to 4.99.2","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"c36eb6e2ea83345578a17ae82718a34e69b28e5a","submitter":{"id":86624,"url":"http://patchwork.ozlabs.org/api/1.1/people/86624/?format=json","name":"Bernd Kuhls","email":"bernd@kuhls.net"},"delegate":{"id":89618,"url":"http://patchwork.ozlabs.org/api/1.1/users/89618/?format=json","username":"juju","first_name":"Julien","last_name":"Olivain","email":"juju@cotds.org"},"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20260430044144.7757-1-bernd@kuhls.net/mbox/","series":[{"id":502188,"url":"http://patchwork.ozlabs.org/api/1.1/series/502188/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/list/?series=502188","date":"2026-04-30T04:41:44","name":"[1/1] package/exim: security bump version to 4.99.2","version":1,"mbox":"http://patchwork.ozlabs.org/series/502188/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2230804/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2230804/checks/","tags":{},"headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org 
header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=rsMYgElM;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5hN33xd7z1yGq\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Thu, 30 Apr 2026 14:41:54 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id AD45D849F5;\n\tThu, 30 Apr 2026 04:41:52 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id apCSfgXaWZ3L; Thu, 30 Apr 2026 04:41:49 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 35A6D849EF;\n\tThu, 30 Apr 2026 04:41:49 +0000 (UTC)","from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n by lists1.osuosl.org (Postfix) with ESMTP id 9377B18E\n for <buildroot@buildroot.org>; Thu, 30 Apr 2026 04:41:47 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id 796B3428A9\n for <buildroot@buildroot.org>; Thu, 30 Apr 2026 04:41:47 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id nJ-ZUSaV3YzV for <buildroot@buildroot.org>;\n Thu, 30 Apr 2026 04:41:46 +0000 (UTC)","from dd20012.kasserver.com (dd20012.kasserver.com [85.13.140.57])\n by smtp4.osuosl.org (Postfix) with ESMTPS id 65ED5428A4\n for <buildroot@buildroot.org>; Thu, 30 Apr 2026 04:41:46 +0000 (UTC)","from 
fli4l.lan.fli4l (p54a1bb47.dip0.t-ipconnect.de [84.161.187.71])\n by dd20012.kasserver.com (Postfix) with ESMTPSA id 67813A4C1429;\n Thu, 30 Apr 2026 06:41:44 +0200 (CEST)","from bruckner.lan.fli4l ([192.168.1.1]:33632)\n by fli4l.lan.fli4l with esmtp (Exim 4.99.2)\n (envelope-from <bernd@kuhls.net>) id 1wIJDb-00000000745-2lF7;\n Thu, 30 Apr 2026 04:41:44 +0000"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp1.osuosl.org 35A6D849EF","OpenDKIM Filter v2.11.0 smtp4.osuosl.org 65ED5428A4"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1777524109;\n\tbh=p/VSf4POIPI245RInZI4SJE8AFAq5an1KrbegXEdirA=;\n\th=From:To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From;\n\tb=rsMYgElMmGBSURvD0LcZNY/65peIyMXJI9PW+4zX+0TCuwFaDfO0A+Nf8F/1LhKHB\n\t Z09y9XgKv/FYd6yRbVHfa9mROTPdJ59k5NQ3hSUOmlvJ0QFn974MOP4D15517gEmLK\n\t m09vaR2M3OxparT+A5bejJPuRZBkuzKYu2v7+LJeh39OqWmBfbIE+VZeXDBktq13xr\n\t R2+XrFH8SacBSlg42rYOqe1h7bMI7JPDbmqp699hgkapLwIsi0z7wCqKqo4osUJz3P\n\t knvwslcZUHDRKAuVjTB988g7svferHp4NH+qyzAhv4H/Etw749cWxAQjWJSOmD4PGu\n\t el++kM+cFiFng==","Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=85.13.140.57;\n helo=dd20012.kasserver.com; envelope-from=bernd@kuhls.net;\n receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp4.osuosl.org 65ED5428A4","From":"Bernd Kuhls <bernd@kuhls.net>","To":"buildroot@buildroot.org","Cc":"Luca Ceresoli <luca.ceresoli@bootlin.com>","Date":"Thu, 30 Apr 2026 06:41:44 +0200","Message-ID":"<20260430044144.7757-1-bernd@kuhls.net>","X-Mailer":"git-send-email 2.47.3","MIME-Version":"1.0","X-Spamd-Bar":"+","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=kuhls.net;\n s=kas202511301023; 
t=1777524104;\n bh=sthvk9szO0vAnXxPT8xBr+webBvwB+Fl3EGDkPToLBQ=;\n h=From:To:Cc:Subject:Date:From;\n b=iVWyJqG34tzIELTszgKHhUM3e/0lxa6fVGgrvzuCL6bQDbNmAGqO0gpoqLUvAHnIH\n oOdOOSiQduxteTpgwfh9bz2mrBbqIXxRCZDmwHYQ+BEMHhfLUiWWTWDmpQDL/anqoB\n W/AkAYaCnQovzRfEbQhEXjREUHVx3riG+JhE5WquQ+tu7flbMylzAClmoVXswbQ0Gx\n ZX/bNjHiQaRNYKwsQ9QIN/9aRcb7wERwJeUq5lIHyni2QMNi5+obxrKKHyJ5MFb+Vs\n +TTZjh01o60n1Lpxv4c1qH/XCilZXT7aoNG97u2xKOXtZe0E5V8tHM5TBIx4vSfmLU\n 0Ndqc7dKsf52A==","X-Mailman-Original-Authentication-Results":["smtp4.osuosl.org;\n dmarc=pass (p=none dis=none)\n header.from=kuhls.net","smtp4.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=kuhls.net header.i=@kuhls.net header.a=rsa-sha256\n header.s=kas202511301023 header.b=iVWyJqG3"],"Subject":"[Buildroot] [PATCH 1/1] package/exim: security bump version to\n 4.99.2","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"},"content":"https://lists.exim.org/lurker/message/20260429.121733.f58d9686.en.html\n\nFixes CVEs:\n\nCVE-2026-40684     Possible crash with malicious DNS data when using musl libc\n\n   On systems using musl libc (not glibc) due to an oddity in octal printing\n   it is possible to crash the connection instance when malformed DNS data\n   is 
present in PTR records.\n\nCVE-2026-40685     Possible OOB read/write on corrupt JSON in header\n\n   configurations using json operators on invalid externally-provided input\n   could trigger heap corruption.\n\nCVE-2026-40686     Possible OOB read with large UTF8 trailing characters\n\n   configurations using utf8 operators on malformed utf8 in headers could\n   trigger OOB reads and might trigger some data leak if error\n   messages are required for subsequent emails in the current connection\n   and similar malformed headers are present.\n\nCVE-2026-40687     Possible OOB read/write with SPA authenticator\n\n   in configurations using the SPA authentication driver to a hostile/compromised\n   external SPA/NTLM connection it is possible to trigger an OOB read/write\n   and crash the connection instance or possibly leak heap data to the instance.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\n---\n package/exim/exim.hash | 4 ++--\n package/exim/exim.mk   | 2 +-\n 2 files changed, 3 insertions(+), 3 deletions(-)","diff":"diff --git a/package/exim/exim.hash b/package/exim/exim.hash\nindex f9a62e0188..745b9f0977 100644\n--- a/package/exim/exim.hash\n+++ b/package/exim/exim.hash\n@@ -1,6 +1,6 @@\n # From https://ftp.exim.org/pub/exim/exim4/00-sha256sums.txt\n-sha256  eae967bd49a5f879933b8c6ec88c30475a1c6646232135f37f05b55dbc4e3447  exim-4.99.1.tar.xz\n+sha256  25364f19988270d846965689dd29c662cf5de152639875d0d5352a69fd753a47  exim-4.99.2.tar.xz\n # From https://ftp.exim.org/pub/exim/exim4/00-sha512sums.txt\n-sha512  41a280673b23a79684124dba9ba1db4da57047eefd7bac8560fab3e399659698160386c5369deb4aabdbcba1ba9278fb0a61fc1667dc2745c280b3004d02f45d  exim-4.99.1.tar.xz\n+sha512  e5c80a77dca642c132dda82166c919ba9f553436038b734ef66ae41666b8c9f5818e2cd6080e4c7c8b52e866f7f89d271233fb183c7e405feb15536d507098a3  exim-4.99.2.tar.xz\n # Locally calculated\n sha256  49240db527b7e55b312a46fc59794fde5dd006422e422257f4f057bfd27b3c8f  LICENCE\ndiff --git a/package/exim/exim.mk 
b/package/exim/exim.mk\nindex 47fe17b372..7129e2ebf6 100644\n--- a/package/exim/exim.mk\n+++ b/package/exim/exim.mk\n@@ -4,7 +4,7 @@\n #\n ################################################################################\n \n-EXIM_VERSION = 4.99.1\n+EXIM_VERSION = 4.99.2\n EXIM_SOURCE = exim-$(EXIM_VERSION).tar.xz\n EXIM_SITE = https://ftp.exim.org/pub/exim/exim4\n EXIM_LICENSE = GPL-2.0+\n","prefixes":["1/1"]}