Exim-4.96.2

[Douglas R. Reno]

New point version (according to oss-security, a security release)

[pierre]

Exim version 4.96.2+fixes

This is the security release 4.96.2 and all the additional fixes that where applied on top of 4.96.

JH/01 Bug 3033: Harden dnsdb lookups against crafted DNS responses. CVE-2023-42219

HS/01 Fix string_is_ip_address() CVE-2023-42117 (Bug 3031)

[pierre]

Summary of CVE's against exim at ​https://exim.org/static/doc/security/CVE-2023-zdi.txt

The part that concerns the present release:

ZDI-23-1471 | ZDI-CAN-17554 | CVE-2023-42117 | Exim Bug 3031
-------------------------------------------------------------
Subject:    Improper Neutralization of Special Elements
CVSS Score: 8.1
Mitigation: Do not use Exim behind an untrusted proxy-protocol proxy
Subsystem:  proxy protocol (not socks!)
Fix:        a355463cf, >= 4.96.2, 4.97

ZDI-23-1473 | ZDI-CAN-17643 | CVE-2023-42119 | Exim Bug 3033
------------------------------------------------------------
Subject:    dnsdb Out-Of-Bounds Read
CVSS Score: 3.1
Mitigation: Use a trustworthy DNS resolver which is able to
            validate the data according to the DNS record types.
Subsystem:  dns lookups
Fix:        f6b1f8e7d, >= 4.96.2, 4.97

Note that there is also:

ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
------------------------------------------------------------
Subject:    libspf2 Integer Underflow
CVSS Score: 7.5
Mitigation: Do not use the `spf` condition in your ACL
Subsystem:  spf
Remark:     This CVE should be filed against libspf2.

We don't even mention libspf2 in our dependencies.

[pierre]

Update committed at b053f5437. SA coming.

[pierre]

SA committed at 529c60134 and e57ab70488 in www.git.