diff --git a/backport-bug3099-Fix-MIME-parsing-of-filenames-specified-using-multiple-parameters.patch b/backport-bug3099-Fix-MIME-parsing-of-filenames-specified-using-multiple-parameters.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bded9f044a0c79b79b00b454c003de94fd746983
--- /dev/null
+++ b/backport-bug3099-Fix-MIME-parsing-of-filenames-specified-using-multiple-parameters.patch
@@ -0,0 +1,172 @@ +From 6ce5c70cff8989418e05d01fd2a57703007a6357 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Thu, 17 Oct 2024 11:47:59 +0800 +Subject: [PATCH] Fix MIME parsing of filenames specified using multiple + parameters. Bug 3099 +--- + doc/ChangeLog | 3 +++ + doc/spec.txt | 10 +++++----- + src/mime.c | 53 ++++++++++++++++++++++++++++----------------------- + src/string.c | 1 + + 4 files changed, 38 insertions(+), 29 deletions(-) + +diff --git a/doc/ChangeLog b/doc/ChangeLog +index c88454c..635f408 100644 +--- a/doc/ChangeLog ++++ b/doc/ChangeLog +@@ -221,6 +221,9 @@ JH/43 Bug 2903: avoid exit on an attempt to rewrite a malformed address. + JH/44 Bug 3033: Harden dnsdb lookups against crafted DNS responses. + CVE-2023-42219 + ++JH/45 Bug 3099: fix parsing of MIME filenames split over multiple paramemters. ++ Previously the $mime_filename variable would have an incorrect value. ++ + HS/02 Fix string_is_ip_address() CVE-2023-42117 (Bug 3031) + + Exim version 4.96 +diff --git a/doc/spec.txt b/doc/spec.txt +index 6bb656e..8f598e7 100644 +--- a/doc/spec.txt ++++ b/doc/spec.txt +@@ -32280,13 +32280,13 @@ The right hand side is expanded before use. After expansion, the value can be: + the default path is then used. + + The decode condition normally succeeds. It is only false for syntax errors or +-unusual circumstances such as memory shortages. You can easily decode a file +-with its original, proposed filename using ++errors or unusual circumstances such as memory shortages. + +-decode = $mime_filename ++The variable &$mime_filename$& will have the suggested name for the file. ++Note however that this might contain anything, and is very difficult ++to safely use as all or even part of the filename. + +-However, you should keep in mind that $mime_filename might contain anything. If +-you place files outside of the default path, they are not automatically ++If you place files outside of the default path, they are not + unlinked. 
+ + For RFC822 attachments (these are messages attached to messages, with a +diff --git a/src/mime.c b/src/mime.c +index 975ddca..b11959c 100644 +--- a/src/mime.c ++++ b/src/mime.c +@@ -587,10 +587,10 @@ while(1) + + while (*p) + { +- DEBUG(D_acl) debug_printf_indent("MIME: considering paramlist '%s'\n", p); ++ DEBUG(D_acl) ++ debug_printf_indent("MIME: considering paramlist '%s'\n", p); + +- if ( !mime_filename +- && strncmpic(CUS"content-disposition:", header, 20) == 0 ++ if ( strncmpic(CUS"content-disposition:", header, 20) == 0 + && strncmpic(CUS"filename*", p, 9) == 0 + ) + { /* RFC 2231 filename */ +@@ -604,12 +604,12 @@ while(1) + + if (q && *q) + { +- uschar * temp_string, * err_msg; ++ uschar * temp_string, * err_msg, * fname = q; + int slen; + + /* build up an un-decoded filename over successive + filename*= parameters (for use when 2047 decode fails) */ +- ++/*XXX could grow a gstring here */ + mime_fname_rfc2231 = string_sprintf("%#s%s", + mime_fname_rfc2231, q); + +@@ -623,26 +623,31 @@ while(1) + /* look for a ' in the "filename" */ + while(*s != '\'' && *s) s++; /* s is 1st ' or NUL */ + +- if ((size = s-q) > 0) +- mime_filename_charset = string_copyn(q, size); +- +- if (*(p = s)) p++; +- while(*p == '\'') p++; /* p is after 2nd ' */ ++ if (*s) /* there was a ' */ ++ { ++ if ((size = s-q) > 0) ++ mime_filename_charset = string_copyn(q, size); ++ if (*(fname = s)) fname++; ++ while(*fname == '\'') fname++; /* fname is after 2nd ' */ ++ } + } +- else +- p = q; + +- DEBUG(D_acl) debug_printf_indent("MIME: charset %s fname '%s'\n", +- mime_filename_charset ? mime_filename_charset : US"", p); ++ DEBUG(D_acl) ++ debug_printf_indent("MIME: charset %s fname '%s'\n", ++ mime_filename_charset ? 
mime_filename_charset : US"", ++ fname); + +- temp_string = rfc2231_to_2047(p, mime_filename_charset, &slen); +- DEBUG(D_acl) debug_printf_indent("MIME: 2047-name %s\n", temp_string); ++ temp_string = rfc2231_to_2047(fname, mime_filename_charset, ++ &slen); ++ DEBUG(D_acl) ++ debug_printf_indent("MIME: 2047-name %s\n", temp_string); + + temp_string = rfc2047_decode(temp_string, FALSE, NULL, ' ', +- NULL, &err_msg); +- DEBUG(D_acl) debug_printf_indent("MIME: plain-name %s\n", temp_string); ++ NULL, &err_msg); ++ DEBUG(D_acl) ++ debug_printf_indent("MIME: plain-name %s\n", temp_string); + +- if (!temp_string || (size = Ustrlen(temp_string)) == slen) ++ if (!temp_string || (size = Ustrlen(temp_string)) == slen) + decoding_failed = TRUE; + else + /* build up a decoded filename over successive +@@ -651,9 +656,9 @@ while(1) + mime_filename = mime_fname = mime_fname + ? string_sprintf("%s%s", mime_fname, temp_string) + : temp_string; +- } +- } +- } ++ } /*!decoding_failed*/ ++ } /*q*/ ++ } /*2231 filename*/ + + else + /* look for interesting parameters */ +@@ -682,7 +687,7 @@ while(1) + + + /* There is something, but not one of our interesting parameters. +- Advance past the next semicolon */ ++ Advance past the next semicolon */ + p = mime_next_semicolon(p); + if (*p) p++; + } /* param scan on line */ +@@ -800,5 +805,5 @@ return rc; + + #endif /*WITH_CONTENT_SCAN*/ + +-/* vi: sw ai sw=2 ++/* vi: aw ai sw=2 + */ +diff --git a/src/string.c b/src/string.c +index dfe0f24..2f77cc7 100644 +--- a/src/string.c ++++ b/src/string.c +@@ -1347,6 +1347,7 @@ Field width: decimal digits, or * + Precision: dot, followed by decimal digits or * + Length modifiers: h L l ll z + Conversion specifiers: n d o u x X p f e E g G % c s S T Y D M ++Alternate-form: %#s is silent about a null string + + Returns the possibly-new (if copy for growth or taint-handling was needed) + string, not nul-terminated. +-- +2.43.0 + 
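Review bot: With `!mime_filename` dropped from the `filename*` test, the RFC 2231 branch now runs even when `mime_filename` already holds a value, and its first decoded segment replaces that value via `mime_filename = mime_fname = mime_fname ? ... : temp_string` whenever `mime_fname` is still unset. Which name `$mime_filename` reports when one header carries both a plain and a `filename*` parameter is therefore decided by parse order, and neither the code nor the doc/spec.txt hunk states that rule, although ACLs that test the extension in `$mime_filename` depend on it. A comment above the test such as `/* filename* is processed even when mime_filename is already set; the value parsed last is the one kept */` would record it. The plain-parameter branch lies outside this hunk, so its side of the ordering is inferred.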
diff --git a/backport-bug3099-MIME-support-RFC-2331-for-name.patch b/backport-bug3099-MIME-support-RFC-2331-for-name.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f30a741e51cfc9aa1d647f12dd305e304177627d
--- /dev/null
+++ b/backport-bug3099-MIME-support-RFC-2331-for-name.patch
@@ -0,0 +1,440 @@ +From 1b3209b0577a9327ebb076f3b32b8a159c253f7b Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Thu, 17 Oct 2024 13:55:10 +0800 +Subject: [PATCH] MIME: support RFC 2331 for name=. Bug 3099 + +--- + ...-specified-using-multiple-parameters.patch | 172 +++++++++++++++++ + doc/ChangeLog | 2 + + src/mime.c | 180 +++++++++--------- + 3 files changed, 267 insertions(+), 87 deletions(-) + create mode 100644 backport-bug3099-Fix-MIME-parsing-of-filenames-specified-using-multiple-parameters.patch + +diff --git a/backport-bug3099-Fix-MIME-parsing-of-filenames-specified-using-multiple-parameters.patch b/backport-bug3099-Fix-MIME-parsing-of-filenames-specified-using-multiple-parameters.patch +new file mode 100644 +index 0000000..bded9f0 +--- /dev/null ++++ b/backport-bug3099-Fix-MIME-parsing-of-filenames-specified-using-multiple-parameters.patch +@@ -0,0 +1,172 @@ ++From 6ce5c70cff8989418e05d01fd2a57703007a6357 Mon Sep 17 00:00:00 2001 ++From: Jeremy Harris ++Date: Thu, 17 Oct 2024 11:47:59 +0800 ++Subject: [PATCH] Fix MIME parsing of filenames specified using multiple ++ parameters. Bug 3099 ++--- ++ doc/ChangeLog | 3 +++ ++ doc/spec.txt | 10 +++++----- ++ src/mime.c | 53 ++++++++++++++++++++++++++++----------------------- ++ src/string.c | 1 + ++ 4 files changed, 38 insertions(+), 29 deletions(-) ++ ++diff --git a/doc/ChangeLog b/doc/ChangeLog ++index c88454c..635f408 100644 ++--- a/doc/ChangeLog +++++ b/doc/ChangeLog ++@@ -221,6 +221,9 @@ JH/43 Bug 2903: avoid exit on an attempt to rewrite a malformed address. ++ JH/44 Bug 3033: Harden dnsdb lookups against crafted DNS responses. ++ CVE-2023-42219 ++ +++JH/45 Bug 3099: fix parsing of MIME filenames split over multiple paramemters. +++ Previously the $mime_filename variable would have an incorrect value. 
+++ ++ HS/02 Fix string_is_ip_address() CVE-2023-42117 (Bug 3031) ++ ++ Exim version 4.96 ++diff --git a/doc/spec.txt b/doc/spec.txt ++index 6bb656e..8f598e7 100644 ++--- a/doc/spec.txt +++++ b/doc/spec.txt ++@@ -32280,13 +32280,13 @@ The right hand side is expanded before use. After expansion, the value can be: ++ the default path is then used. ++ ++ The decode condition normally succeeds. It is only false for syntax errors or ++-unusual circumstances such as memory shortages. You can easily decode a file ++-with its original, proposed filename using +++errors or unusual circumstances such as memory shortages. ++ ++-decode = $mime_filename +++The variable &$mime_filename$& will have the suggested name for the file. +++Note however that this might contain anything, and is very difficult +++to safely use as all or even part of the filename. ++ ++-However, you should keep in mind that $mime_filename might contain anything. If ++-you place files outside of the default path, they are not automatically +++If you place files outside of the default path, they are not ++ unlinked. 
++ ++ For RFC822 attachments (these are messages attached to messages, with a ++diff --git a/src/mime.c b/src/mime.c ++index 975ddca..b11959c 100644 ++--- a/src/mime.c +++++ b/src/mime.c ++@@ -587,10 +587,10 @@ while(1) ++ ++ while (*p) ++ { ++- DEBUG(D_acl) debug_printf_indent("MIME: considering paramlist '%s'\n", p); +++ DEBUG(D_acl) +++ debug_printf_indent("MIME: considering paramlist '%s'\n", p); ++ ++- if ( !mime_filename ++- && strncmpic(CUS"content-disposition:", header, 20) == 0 +++ if ( strncmpic(CUS"content-disposition:", header, 20) == 0 ++ && strncmpic(CUS"filename*", p, 9) == 0 ++ ) ++ { /* RFC 2231 filename */ ++@@ -604,12 +604,12 @@ while(1) ++ ++ if (q && *q) ++ { ++- uschar * temp_string, * err_msg; +++ uschar * temp_string, * err_msg, * fname = q; ++ int slen; ++ ++ /* build up an un-decoded filename over successive ++ filename*= parameters (for use when 2047 decode fails) */ ++- +++/*XXX could grow a gstring here */ ++ mime_fname_rfc2231 = string_sprintf("%#s%s", ++ mime_fname_rfc2231, q); ++ ++@@ -623,26 +623,31 @@ while(1) ++ /* look for a ' in the "filename" */ ++ while(*s != '\'' && *s) s++; /* s is 1st ' or NUL */ ++ ++- if ((size = s-q) > 0) ++- mime_filename_charset = string_copyn(q, size); ++- ++- if (*(p = s)) p++; ++- while(*p == '\'') p++; /* p is after 2nd ' */ +++ if (*s) /* there was a ' */ +++ { +++ if ((size = s-q) > 0) +++ mime_filename_charset = string_copyn(q, size); +++ if (*(fname = s)) fname++; +++ while(*fname == '\'') fname++; /* fname is after 2nd ' */ +++ } ++ } ++- else ++- p = q; ++ ++- DEBUG(D_acl) debug_printf_indent("MIME: charset %s fname '%s'\n", ++- mime_filename_charset ? mime_filename_charset : US"", p); +++ DEBUG(D_acl) +++ debug_printf_indent("MIME: charset %s fname '%s'\n", +++ mime_filename_charset ? 
mime_filename_charset : US"", +++ fname); ++ ++- temp_string = rfc2231_to_2047(p, mime_filename_charset, &slen); ++- DEBUG(D_acl) debug_printf_indent("MIME: 2047-name %s\n", temp_string); +++ temp_string = rfc2231_to_2047(fname, mime_filename_charset, +++ &slen); +++ DEBUG(D_acl) +++ debug_printf_indent("MIME: 2047-name %s\n", temp_string); ++ ++ temp_string = rfc2047_decode(temp_string, FALSE, NULL, ' ', ++- NULL, &err_msg); ++- DEBUG(D_acl) debug_printf_indent("MIME: plain-name %s\n", temp_string); +++ NULL, &err_msg); +++ DEBUG(D_acl) +++ debug_printf_indent("MIME: plain-name %s\n", temp_string); ++ ++- if (!temp_string || (size = Ustrlen(temp_string)) == slen) +++ if (!temp_string || (size = Ustrlen(temp_string)) == slen) ++ decoding_failed = TRUE; ++ else ++ /* build up a decoded filename over successive ++@@ -651,9 +656,9 @@ while(1) ++ mime_filename = mime_fname = mime_fname ++ ? string_sprintf("%s%s", mime_fname, temp_string) ++ : temp_string; ++- } ++- } ++- } +++ } /*!decoding_failed*/ +++ } /*q*/ +++ } /*2231 filename*/ ++ ++ else ++ /* look for interesting parameters */ ++@@ -682,7 +687,7 @@ while(1) ++ ++ ++ /* There is something, but not one of our interesting parameters. ++- Advance past the next semicolon */ +++ Advance past the next semicolon */ ++ p = mime_next_semicolon(p); ++ if (*p) p++; ++ } /* param scan on line */ ++@@ -800,5 +805,5 @@ return rc; ++ ++ #endif /*WITH_CONTENT_SCAN*/ ++ ++-/* vi: sw ai sw=2 +++/* vi: aw ai sw=2 ++ */ ++diff --git a/src/string.c b/src/string.c ++index dfe0f24..2f77cc7 100644 ++--- a/src/string.c +++++ b/src/string.c ++@@ -1347,6 +1347,7 @@ Field width: decimal digits, or * ++ Precision: dot, followed by decimal digits or * ++ Length modifiers: h L l ll z ++ Conversion specifiers: n d o u x X p f e E g G % c s S T Y D M +++Alternate-form: %#s is silent about a null string ++ ++ Returns the possibly-new (if copy for growth or taint-handling was needed) ++ string, not nul-terminated. 
++-- ++2.43.0 ++ +diff --git a/doc/ChangeLog b/doc/ChangeLog +index 635f408..5d8b2a1 100644 +--- a/doc/ChangeLog ++++ b/doc/ChangeLog +@@ -223,6 +223,8 @@ JH/44 Bug 3033: Harden dnsdb lookups against crafted DNS responses. + + JH/45 Bug 3099: fix parsing of MIME filenames split over multiple paramemters. + Previously the $mime_filename variable would have an incorrect value. ++ While in the code, extend coverage to name= which previously was only ++ supported for single parameters, despite also filling in $mime_filename. + + HS/02 Fix string_is_ip_address() CVE-2023-42117 (Bug 3031) + +diff --git a/src/mime.c b/src/mime.c +index b11959c..3319f1d 100644 +--- a/src/mime.c ++++ b/src/mime.c +@@ -30,10 +30,10 @@ static int mime_header_list_size = nelem(mime_header_list); + + static mime_parameter mime_parameter_list[] = { + /* name namelen value */ +- { US"name=", 5, &mime_filename }, +- { US"filename=", 9, &mime_filename }, +- { US"charset=", 8, &mime_charset }, +- { US"boundary=", 9, &mime_boundary } ++ { US"name=", 4, &mime_filename }, ++ { US"filename=", 8, &mime_filename }, ++ { US"charset=", 7, &mime_charset }, ++ { US"boundary=", 8, &mime_boundary } + }; + + +@@ -577,8 +577,8 @@ while(1) + if (*(p = q)) p++; /* jump past the ; */ + + { +- uschar * mime_fname = NULL; +- uschar * mime_fname_rfc2231 = NULL; ++ gstring * mime_fname = NULL; ++ gstring * mime_fname_rfc2231 = NULL; + uschar * mime_filename_charset = NULL; + BOOL decoding_failed = FALSE; + +@@ -590,88 +590,91 @@ while(1) + DEBUG(D_acl) + debug_printf_indent("MIME: considering paramlist '%s'\n", p); + +- if ( strncmpic(CUS"content-disposition:", header, 20) == 0 +- && strncmpic(CUS"filename*", p, 9) == 0 +- ) +- { /* RFC 2231 filename */ +- uschar * q; +- +- /* find value of the filename */ +- p += 9; +- while(*p != '=' && *p) p++; +- if (*p) p++; /* p is filename or NUL */ +- q = mime_param_val(&p); /* p now trailing ; or NUL */ +- +- if (q && *q) ++ /* look for interesting parameters */ ++ for 
(mime_parameter * mp = mime_parameter_list; ++ mp < mime_parameter_list + nelem(mime_parameter_list); ++ mp++ ++ ) if (strncmpic(mp->name, p, mp->namelen) == 0) ++ { ++ p += mp->namelen; ++ if (*p == '*') /* RFC 2231 */ + { +- uschar * temp_string, * err_msg, * fname = q; +- int slen; +- +- /* build up an un-decoded filename over successive +- filename*= parameters (for use when 2047 decode fails) */ +-/*XXX could grow a gstring here */ +- mime_fname_rfc2231 = string_sprintf("%#s%s", +- mime_fname_rfc2231, q); +- +- if (!decoding_failed) ++ while (isdigit(*++p)) ; /* ignore cont-cnt values */ ++ if (*p == '*') p++; /* step over sep chset mark */ ++ if (*p == '=') + { +- int size; +- if (!mime_filename_charset) ++ uschar * q; ++ p++; /* step over = */ ++ q = mime_param_val(&p); /* p now trailing ; or NUL */ ++ ++ if (q && *q) /* q is the dequoted value */ + { +- uschar * s = q; ++ uschar * err_msg, * fname = q; ++ int slen; + +- /* look for a ' in the "filename" */ +- while(*s != '\'' && *s) s++; /* s is 1st ' or NUL */ ++ /* build up an un-decoded filename over successive ++ filename*= parameters (for use when 2047 decode fails) */ ++ mime_fname_rfc2231 = string_cat(mime_fname_rfc2231, q); + +- if (*s) /* there was a ' */ ++ if (!decoding_failed) + { +- if ((size = s-q) > 0) +- mime_filename_charset = string_copyn(q, size); +- if (*(fname = s)) fname++; +- while(*fname == '\'') fname++; /* fname is after 2nd ' */ +- } +- } +- +- DEBUG(D_acl) +- debug_printf_indent("MIME: charset %s fname '%s'\n", +- mime_filename_charset ? 
mime_filename_charset : US"", +- fname); +- +- temp_string = rfc2231_to_2047(fname, mime_filename_charset, +- &slen); +- DEBUG(D_acl) +- debug_printf_indent("MIME: 2047-name %s\n", temp_string); +- +- temp_string = rfc2047_decode(temp_string, FALSE, NULL, ' ', +- NULL, &err_msg); +- DEBUG(D_acl) +- debug_printf_indent("MIME: plain-name %s\n", temp_string); +- +- if (!temp_string || (size = Ustrlen(temp_string)) == slen) +- decoding_failed = TRUE; +- else +- /* build up a decoded filename over successive +- filename*= parameters */ +- +- mime_filename = mime_fname = mime_fname +- ? string_sprintf("%s%s", mime_fname, temp_string) +- : temp_string; +- } /*!decoding_failed*/ +- } /*q*/ +- } /*2231 filename*/ +- +- else +- /* look for interesting parameters */ +- for (mime_parameter * mp = mime_parameter_list; +- mp < mime_parameter_list + nelem(mime_parameter_list); +- mp++ +- ) if (strncmpic(mp->name, p, mp->namelen) == 0) +- { +- uschar * q; +- uschar * dummy_errstr; ++ if (!mime_filename_charset) ++ { /* try for RFC 2231 chset/lang */ ++ uschar * s = q; ++ ++ /* look for a ' in the raw paramval */ ++ while(*s != '\'' && *s) s++; /* s is 1st ' or NUL */ ++ ++ if (*s) /* there was a ' */ ++ { ++ int size; ++ if ((size = s-q) > 0) ++ mime_filename_charset = string_copyn(q, size); ++ ++ if (*(fname = s)) fname++; ++ while(*fname == '\'') fname++; /*fname is after 2nd '*/ ++ } ++ } ++ ++ DEBUG(D_acl) ++ debug_printf_indent("MIME: charset %s fname '%s'\n", ++ mime_filename_charset ? 
mime_filename_charset : US"", ++ fname); ++ ++ fname = rfc2231_to_2047(fname, mime_filename_charset, ++ &slen); ++ DEBUG(D_acl) ++ debug_printf_indent("MIME: 2047-name %s\n", fname); ++ ++ fname = rfc2047_decode(fname, FALSE, NULL, ' ', ++ NULL, &err_msg); ++ DEBUG(D_acl) debug_printf_indent( ++ "MIME: plain-name %s\n", fname); ++ ++ if (!fname || Ustrlen(fname) == slen) ++ decoding_failed = TRUE; ++ else if (mp->value == &mime_filename) ++ { ++ /* build up a decoded filename over successive ++ filename*= parameters */ ++ ++ mime_fname = string_cat(mime_fname, fname); ++ mime_filename = string_from_gstring(mime_fname); ++ } ++ } /*!decoding_failed*/ ++ } /*q*/ ++ ++ if (*p) p++; /* p is past ; */ ++ goto param_done; /* done matching param names */ ++ } /*2231 param coding extension*/ ++ } ++ else if (*p == '=') ++ { /* non-2231 param */ ++ uschar * q, * dummy_errstr; + + /* grab the value and copy to its expansion variable */ +- p += mp->namelen; ++ ++ if (*p) p++; /* step over = */ + q = mime_param_val(&p); /* p now trailing ; or NUL */ + + *mp->value = q && *q +@@ -682,27 +685,30 @@ while(1) + "MIME: found %s parameter in %s header, value '%s'\n", + mp->name, mh->name, *mp->value); + +- break; /* done matching param names */ ++ if (*p) p++; /* p is past ; */ ++ goto param_done; /* done matching param names */ + } +- ++ } /* interesting parameters */ + + /* There is something, but not one of our interesting parameters. 
+ Advance past the next semicolon */ ++ + p = mime_next_semicolon(p); + if (*p) p++; +- } /* param scan on line */ ++ param_done: ++ } /* param scan on line */ + + if (strncmpic(CUS"content-disposition:", header, 20) == 0) + { +- if (decoding_failed) mime_filename = mime_fname_rfc2231; +- ++ if (decoding_failed) ++ mime_filename = string_from_gstring(mime_fname_rfc2231); + DEBUG(D_acl) debug_printf_indent( + "MIME: found %s parameter in %s header, value is '%s'\n", + "filename", mh->name, mime_filename); + } + } +- } +- ++ break; ++ } /* interesting headers */ + /* set additional flag variables (easier access) */ + if ( mime_content_type + && Ustrncmp(mime_content_type,"multipart",9) == 0 +-- +2.43.0 + diff --git a/exim.spec b/exim.spec index 40f4c4864ec6ccb8a7a382760e2dd416ee3d2b73..b8ec726f1568db49f12aa2b7731b54c12283079b 100644 --- a/exim.spec +++ b/exim.spec @@ -4,7 +4,7 @@ Summary: The exim mail transfer agent Name: exim Version: 4.97.1 -Release: 2 +Release: 3 License: GPLv2+ Url: https://www.exim.org/ @@ -40,6 +40,9 @@ Patch1: exim-4.94-libdir.patch Patch2: exim-4.97-dlopen-localscan.patch Patch3: exim-4.96-pic.patch Patch4: CVE-2023-51766.patch +# CVE-2024-39929 +Patch5: backport-bug3099-Fix-MIME-parsing-of-filenames-specified-using-multiple-parameters.patch +Patch6: backport-bug3099-MIME-support-RFC-2331-for-name.patch Requires: /etc/pki/tls/certs /etc/pki/tls/private Requires: setup @@ -480,6 +483,9 @@ fi %{_sysconfdir}/cron.daily/greylist-tidy.sh %changelog +* Thu Oct 17 2024 changtao - 4.97.1-3 +- fix CVE-2024-39929 + * Tue Jul 9 2024 technology208 - 4.97-2 - Fix CVE-2023-51766 @@ -492,7 +498,7 @@ fi * Tue Aug 29 2023 zhuchao - 4.96-3 - DESC:fix bug about print error message in install exim-clamav and exim-greylist -* Thur Feb 16 2023 zhuchao - 4.96-2 +* Thu Feb 16 2023 zhuchao - 4.96-2 - DESC:add build requirement init * Tue Oct 18 2022 zhuchao - 4.96-1
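Review bot: In the RFC 2231 branch of the new parameter loop, `mime_fname_rfc2231 = string_cat(mime_fname_rfc2231, q);` runs for every entry of `mime_parameter_list`, whereas the decoded accumulator is guarded by `mp->value == &mime_filename`. A `charset*=` or `boundary*=` value on a Content-Disposition header would therefore be appended to the raw fallback that becomes `$mime_filename` when `decoding_failed` is set, and any of those parameters can also set `decoding_failed` or `mime_filename_charset`. Guarding the append the same way, `if (mp->value == &mime_filename) mime_fname_rfc2231 = string_cat(mime_fname_rfc2231, q);`, keeps the fallback limited to filename data. Separately, `param_done:` sits directly before the closing brace of the scan loop; before C23 a label must be followed by a statement, so `param_done: ;` avoids a build failure on older compilers.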
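Review bot: Patch5 and Patch6 are only declared in the `@@ -40,6 +40,9 @@` hunk and no hunk in this diff touches %prep, so unless %prep uses `%autosetup` or `%autopatch` (not visible here) the CVE-2024-39929 fix is shipped in the source package but never applied to the build. If patches are applied one by one, the matching `%patch -P 5 -p1` and `%patch -P 6 -p1` lines are needed. Patch6 as added in this commit also carries a complete copy of Patch5 as a new file (its diffstat lists `create mode 100644 backport-bug3099-Fix-MIME-parsing-of-filenames-specified-using-multiple-parameters.patch`), so applying it writes a stray patch file into the source tree and the file no longer corresponds to a single upstream change. Regenerating Patch6 with only its doc/ChangeLog and src/mime.c parts keeps the backport auditable.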