Bug 2297728

Summary: exim 4.98 announced - CVE-2024-39929 fixed - Update required
Product: [Fedora] Fedora Reporter: customercare
Component: eximAssignee: David Woodhouse <dwmw2>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: rawhideCC: bennie.joubert, dwmw2, jskarvad, martin.fraenzl
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-07-16 13:37:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description customercare 2024-07-14 07:22:27 UTC 
Announce:


Dear Exim users and maintainers,

We are pleased to announce the availability of release 4.98 of Exim.

Thanks to everybody who tested release-candidates.  There are no substantive changes since RC3

Security Changes:

  * Fixed CVE-2024-39929 - Incorrect parsing of multiline rfc2231 header filename

This release also contains the previous fixes for CVE-2023-51766  in 4.97.1


New stuff we've added since 4.97:

  * The dkim_status ACL condition may now be used in data ACLs
  * The dkim_verbose logging control also enables logging of signing
  * The dkim_timestamps signing option now accepts zero to include a current
      timestamp but no expiry timestamp.  Code by Simon Arlott; testsuite additions by jgh.
  * The recipients_max main option is now expanded.
  * Setting variables for "exim -be" can set a tainted value.
  * A dns:fail event.
  * The dsearch lookup supports search for a sub-path.
  * Include mailtest utility for simple connection checking.
  * Add SMTP WELLKNOWN extension.
  * Sqlite3 can be used for the hints databases (vs. DBD, NDB, GBDM, TDB).
      Add "USE_SQLITE = y" and "DBMLIB = -lsqlite3" in Local/Makefile, to override
      the settings done in the OS/Makefile-<platform> file.

Notable changes:

  * Fix TLS resumption for TLS-on-connect.
  * Tighten up parsing of DKIM DNS records.



For other changes, please see the ChangeLog file.  Where possible the
documentation has been marked up with changebars.


Exim 4.98 is available

  * as tarball: https://ftp.exim.org/pub/exim/exim4
  * directly via Git: https://git.exim.org/exim.git
                   tag exim-4.98

The signatures on the release tarballs should be,

  * key ID 0xBCE58C8CE41F32DF
  * Email: jgh@???

FTP site verification:

SIZE(00-sha256sums.txt)= 1180
SIZE(00-sha512sums.txt)= 1948
SIZE(00-sizes.txt)= 470
SIZE(exim-4.98.tar.bz2)= 2099901
SIZE(exim-4.98.tar.gz)= 2655731
SIZE(exim-4.98.tar.xz)= 1936984
SIZE(exim-html-4.98.tar.bz2)= 650008
SIZE(exim-html-4.98.tar.gz)= 1288570
SIZE(exim-html-4.98.tar.xz)= 575720
SIZE(exim-pdf-4.98.tar.bz2)= 2186363
SIZE(exim-pdf-4.98.tar.gz)= 2212291
SIZE(exim-pdf-4.98.tar.xz)= 2148892
SIZE(exim-postscript-4.98.tar.bz2)= 1150095
SIZE(exim-postscript-4.98.tar.gz)= 1548956
SIZE(exim-postscript-4.98.tar.xz)= 1145484

SHA2-256(00-sha256sums.txt)= d5a1d8a1dbaed4f26a17d57cf65f80011758898b502bcac0e4eb63a49c1add10
SHA2-256(00-sha512sums.txt)= 9387d3fd80115a55aa481695fc999a4fac1d35ed2e6f57adcfece8354f734935
SHA2-256(00-sizes.txt)= 6dfc5e4f305b9f1748f2d9a9bc2d16cedc2a6d77f788775a580c77e79eab29b2
SHA2-256(exim-4.98.tar.bz2)= acfd93f6e4a38e4887867614770ea062b2453ed93e355772adeae6c6598b0d92
SHA2-256(exim-4.98.tar.gz)= 28f2bc0943f3196760391501e7929ccdd49596fb4de93234453584616342c1c2
SHA2-256(exim-4.98.tar.xz)= 0ebc108a779f9293ba4b423c20818f9a3db79b60286d96abc6ba6b85a15852f7
SHA2-256(exim-html-4.98.tar.bz2)= 89a4f17a18461f7156d0f7779a292612a547cedb13e5eb10fc70b0973d0a1001
SHA2-256(exim-html-4.98.tar.gz)= b883d1fe3ad8586bc503c7bbb8a49feede29ff4a8b5de6eef44ce5c499cc3c7a
SHA2-256(exim-html-4.98.tar.xz)= 28434993c97f62df8384e5044b6484f0d211ea9eac8c556528ae7d706b08d9a0
SHA2-256(exim-pdf-4.98.tar.bz2)= 90def6b48a47d3dab0513dcb61b5a7c896eeca8f233b1d412d441b1067ca7e0d
SHA2-256(exim-pdf-4.98.tar.gz)= 2fb4331bfe7f48b20acf076e57b4b714a9531b2683e378bbca91858f488d203e
SHA2-256(exim-pdf-4.98.tar.xz)= a5db367be145dff4282566acafbfb00c6c5e4d6ec59a6243e762943bb24432ae
SHA2-256(exim-postscript-4.98.tar.bz2)= 8d405ef9024d72255534c7ab7af3da98d5e1a83acbf528d97cbddfb014e24a5c
SHA2-256(exim-postscript-4.98.tar.gz)= 55c868f72f5c4b041213b4bd9aa2090c68e74341efc1caf362fa3d634e787ddd
SHA2-256(exim-postscript-4.98.tar.xz)= 2e1f2497af25b30ac110efb5d1e3c21e8f40e82d16c76dacfbcf6275de6cd614

-- 
Bernard Quatermass
Comment 1 Jaroslav Škarvada 2024-07-16 13:37:03 UTC 

*** This bug has been marked as a duplicate of bug 2297124 ***