X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/936e342d560e218c2aee5cb2295be925c27c2106..a355463cfc6479893c6212056a5ca7e6bf2d450b:/doc/doc-txt/ChangeLog diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 97987f014..c36718d7e 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -2,6 +2,35 @@ This document describes *changes* to previous versions, that might affect Exim's operation, with an unchanged configuration file. For new options, and new features, see the NewStuff file next to this ChangeLog. +Exim version 4.96.1 +------------------- + +This is a security release. + +JH/01 Bug 2999: Fix a possible OOB write in the external authenticator, which + could be triggered by externally-supplied input. Found by Trend Micro. + CVE-2023-42115 + +JH/02 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could + be triggered by externally-controlled input. Found by Trend Micro. + CVE-2023-42116 + +JH/03 Bug 3001: Fix a possible OOB read in the SPA authenticator, which could + be triggered by externally-controlled input. Found by Trend Micro. + CVE-2023-42114 + + +JH/04 Bug 2903: avoid exit on an attempt to rewrite a malformed address. + Make the rewrite never match and keep the logging. Trust the + admin to be using verify=header-syntax (to actually reject the message). + + +Exim version 4.next +------------------- + +HS/01 Fix string_is_ip_address() CVE-2023-42117 (Bug 3031) + + Exim version 4.97 ----------------- 
@@ -193,11 +222,8 @@ JH/38 Taint-track intermediate values from the peer in multi-stage authentation JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings and ${tr...}. Found and diagnosed by Heiko Schlichting. -JH/40 Bug 2999: Fix a possible OOB write in the external authenticator, which - could be triggered by externally-supplied input. Found by Trend Micro. - -JH/41 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could - be triggered by externally-controlled input. Found by Trend Micro. +JH/40 Support list of dkim results in the dkim_status ACL condition, making + it more usable in the data ACL. Exim version 4.96
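Review bot: In the first hunk (@@ -2,6 +2,35 @@), the HS/01 entry under "Exim version 4.next" gives only the function name and CVE-2023-42117, with no statement of what was wrong or whether externally supplied input can trigger it. JH/01 to JH/03 just above do state this ("possible OOB write ... triggered by externally-supplied input"). Suggest wording HS/01 the same way and using the "Bug 3031:" prefix form, so the entry can be triaged from the ChangeLog alone. Two smaller points in the same hunk: JH/04 writes "verify=header-syntax", while the ACL condition is spelled "verify = header_syntax", so the text should match what an admin has to type. The "4.next" section also sits between 4.96.1 and 4.97 in a file that otherwise lists 4.97 above 4.96, so the ordering deserves a short comment or a reshuffle.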
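Review bot: In the second hunk (@@ -193,11 +222,8 @@), the identifier JH/40 in the 4.97 section is reused for the unrelated dkim_status entry after the old JH/40 and JH/41 (Bug 2999, Bug 3000) are removed. Any existing reference to "4.97 JH/40" now points at a different change, and the 4.97 section no longer records that the two OOB-write fixes are part of that release. Suggest giving the dkim_status entry a fresh number, or leaving a one-line pointer in the 4.97 section such as "Bug 2999, Bug 3000: see 4.96.1 JH/01, JH/02", so a reader checking whether 4.97 contains the CVE-2023-42115 and CVE-2023-42116 fixes does not have to infer it from version ordering.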