-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 May 2026 11:33:47 +0200
Source: exim4
Architecture: source
Version: 4.96-15+deb12u8
Distribution: bookworm
Urgency: medium
Maintainer: Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Closes: 1134984
Changes:
 exim4 (4.96-15+deb12u8) bookworm; urgency=medium
 .
   * Fix GnuTLS hostname verify of a server certificate with a zero-length
     Subject. Patch from upstream GIT master (Closes: #1134984)
   * Pull CVE-fixes from 4.99.2
     +CVE-2026-40684  Possible crash with malicious DNS data when using musl
      libc On systems using musl libc (not glibc) due to an oddity in octal
      printing it is possible to crash the connection instance when malformed
      DNS data is present in PTR records.
     +CVE-2026-40685  Possible OOB read/write on corrupt JSON in header
      configurations using json operators on invalid externally-provided input
      could trigger heap corruption.
     +CVE-2026-40686  Possible OOB read with large UTF8 trailing characters
      configurations using utf8 operators on malformed utf8 in headers could
      trigger OOB reads and might trigger some data leak if error messages are
      required for subsequent emails in the current connection and similar
      malformed headers are present.
     +CVE-2026-40687  Possible OOB read/write with SPA authenticator in
      configurations using the SPA authentication driver to a
      hostile/compromised external SPA/NTLM connection it is possible to
      trigger an OOB read/write and crash the connection instance or possibly
      leak heap data to the instance.
     +As a pre-dependeny to the patchset also add the fix for upstream Bug
      3106 from 4.99.
Checksums-Sha1: 
 dd1cdc14573010c47f6adcc86d60184f88deb3f5 2923 exim4_4.96-15+deb12u8.dsc
 c6fad317505ae338b469f3744b97d75825b304cb 518040 exim4_4.96-15+deb12u8.debian.tar.xz
Checksums-Sha256: 
 81e485dba59d696c93b205cd3bdcc1ca19bc600a606080d1937551b55424b7b0 2923 exim4_4.96-15+deb12u8.dsc
 4f0b97836206d3b30c221e05ad571f2df88e856a6213dc7e39ee8262b2c7db0e 518040 exim4_4.96-15+deb12u8.debian.tar.xz
Files: 
 86bad2b4b5ec640fd5cac3a153f65d5f 2923 mail standard exim4_4.96-15+deb12u8.dsc
 76490c2928c445b0a7686e4c0d4ef6a1 518040 mail standard exim4_4.96-15+deb12u8.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0uCSA5741Jbt9PpepU8BhUOCFIQFAmn3L7MACgkQpU8BhUOC
FIT4Fw//cD+XboouXR7SPn0/AhdX5JLW81l5/MQ9N49M6HuCk9y4JuChuShNei6a
TERvgHDUncYSXIROcAEN1/DoDgCzHu6aYo6OfAceAZQ5NNg5S2r2u/Bh/tELDERb
em9pB+kvNaGxe3Xkf1jMUkgGR/jgxznAj7fpMfnULl3c5TRcB0rfSff0klgzNAc/
cuzWI2KSQa72X1lird73V9VpRbfbZCXaWjzPnuFTrPQCA6zJnLtI8Y8ZDvcyzjTa
xERlonaGkxG9Cpe4GExKs4ywAgWv2+lywBzpAeYjC3Xf9375H9fJVBCHVdee76dw
VnIPRdoMr+72WesXZnCuEiL12nw0aIB46+krQtmKbxvtxm14sDP6Uw/Ojk5I1PoD
3jGuPoB+oUX1qUN1jRwGYw4MEwNZ1uuUZCrbChvdHGeNdSrE6eMBML3ih9WsGPlz
T931R/bnTjmM7PkKnJp/U1X1/e90eC3pN9jNSqd9Vfz0NYraLz3jqagFUr/6hWrO
n9YA/pjMZiIUV2S8xsqKwfd+5Nu5fJtQliXAN/W/hthrUdz+35T8SO3YGEPG08DP
SjkhQYuVKnJ4f1n9Jqe7p75rlChuBUsYlIZcMrDEbyUnBTWbajBt+LXNXpUR8i+h
JDAbX7Ccpwc7+Huxb8X5Eyx412PlplRpH7kM3L+YM4oFqikapwY=
=Z+xd
-----END PGP SIGNATURE-----