Message-ID: <aURskyC_etNY3SI9@jumper.schlittermann.de>
Date: Thu, 18 Dec 2025 22:05:23 +0100
From: Heiko Schlittermann <hs@...marc.schlittermann.de>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Release: CVE-2025-67896: EXIM-Security-2025-12-09.1: Exim 4.99.1 released

According to our previous CRD announcement we released
Exim 4.99.1 on 2025-12-17 at 15:00 UTC.

Credits to Andrew Fasano <andrew.fasano@...t.gov>, for pointing out the
issue.

His original report can be found here: https://code.exim.org/exim/exim/src/commit/d46a6727798fc48d1756190a6d46d19216348c25/doc/doc-txt/exim-security-2025-12-09.1/report.txt

Short version: Exim configurations using SQLite lookups or using SQLite
hint dbs were vulnerable to SQL injection attacks, which could lead to
heap corruption. Distro Exim packages usually do not use SQLite hint dbs (it
is a build-time option; grep the output of `exim -bV` for "Hints DB").
But many packages allow SQLite lookups in the runtime config (grep the output
of `exim -bV` for "Lookups").


The original release announcement, as sent to exim-announce@...ts.exim.org:
--------------------------------------------------------------------------

Dear Exim users and maintainers,

we are pleased to announce the availability of release 4.99.1 of Exim.

This is a security release. It fixes CVE-2025-67896 (aka
EXIM-Security-2025-12-09.1), which was introduced with 4.99. Older Exim
versions may or may not be vulnerable and are not actively maintained
anymore by the Exim maintainers. (To the best of our knowledge, 4.98.2¹
should be safe.)

Configurations using SQLite for lookups and hintdb were vulnerable.
Details: https://code.exim.org/exim/exim/src/branch/exim-4.99+fixes/doc/doc-txt/exim-security-2025-12-09.1/report.txt

Exim 4.99.1 is available:

 * as tarball
   * https://ftp.exim.org/pub/exim/exim4/
   * https://code.exim.org/exim/exim/releases

 * directly from Git: https://code.exim.org/exim/exim
   tag: exim-4.99.1

The signatures on the release tarballs and Git tag should be

 *  The release files are signed by key DD98D92359DE9E3C2663F291697F0EDD68099F6F
    "Heiko Schlittermann (Dresden) <hs@...littermann.de>"
    aka "Heiko Schlittermann (Exim MTA Maintainer) <heiko@...m.org>"

¹) The original announcement mentioned a wrong version number.

    Best regards from Dresden/Germany
    Kind regards from Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
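The two `exim -bV` checks described in the announcement, as an added example (this is not Exim's own code and not part of the original message): a POSIX sh function that classifies a build from saved `exim -bV` output together with the runtime configuration text, distinguishing a build that merely supports sqlite lookups from a configuration that actually uses them. The sample `exim -bV` lines, the configuration snippets and the exact wording of the "Hints DB:" line are constructed for this example; the `exim -bP config` call in the live wrapper is an assumption about how to dump the active configuration.

```shell
#!/bin/sh
# Added example, not code from the Exim project or from the announcement.
# It applies the two checks the announcement describes (the "Hints DB" and
# "Lookups" lines of `exim -bV`) and adds the question that decides real
# exposure for most packaged builds: does the runtime configuration actually
# use an sqlite lookup? All sample texts below are constructed; the exact
# wording of the "Hints DB:" line is an assumption.

# Usage: exim_sqlite_exposure "<exim -bV output>" "<runtime config text>"
# Prints one word and returns 0 when the deployment is exposed:
#   hintdb          hints DBs are built on SQLite (exposed regardless of config)
#   lookup          sqlite lookups are built in and the config uses them
#   lookup-capable  sqlite lookups are built in but the config does not use them
#   none            no SQLite support in this build at all
exim_sqlite_exposure() {
    bv=$1
    cfg=$2
    if printf '%s\n' "$bv" | grep -i '^Hints DB' | grep -qi 'sqlite'; then
        echo hintdb
        return 0
    fi
    if printf '%s\n' "$bv" | grep -i '^Lookups' | grep -qi 'sqlite'; then
        # Drop comment lines so a commented-out lookup does not count.
        if printf '%s\n' "$cfg" | grep -v '^[[:space:]]*#' | grep -qi 'sqlite'; then
            echo lookup
            return 0
        fi
        echo lookup-capable
        return 1
    fi
    echo none
    return 1
}

# Live check on a host (assumption: `exim -bP config` dumps the active config).
exim_sqlite_exposure_live() {
    exim_sqlite_exposure "$(exim -bV 2>/dev/null)" "$(exim -bP config 2>/dev/null)"
}

# Constructed sample inputs (format of the lines is assumed, not copied).
BV_SQLITE_HINTS='Exim version 4.99 #1 built 01-Dec-2025 12:00:00
Hints DB: Using sqlite
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz sqlite'
BV_SQLITE_LOOKUP='Exim version 4.99 #1 built 01-Dec-2025 12:00:00
Hints DB: Using tdb
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz
Lookups (dynamic): sqlite mysql'
BV_NO_SQLITE='Exim version 4.99 #1 built 01-Dec-2025 12:00:00
Hints DB: Using tdb
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz'
CFG_USES_SQLITE='# virtual aliases from an SQLite file (constructed config)
data = ${lookup sqlite {/var/lib/exim4/aliases.db} {SELECT target FROM aliases WHERE local = ${quote_sqlite:$local_part}}}'
CFG_COMMENTED='# data = ${lookup sqlite {/var/lib/exim4/aliases.db} {SELECT 1}}
data = ${lookup{$local_part}lsearch{/etc/aliases}}'

for name in BV_SQLITE_HINTS BV_SQLITE_LOOKUP BV_NO_SQLITE; do
    eval "sample=\$$name"
    printf '%-16s config uses sqlite: %s\n' "$name" \
        "$(exim_sqlite_exposure "$sample" "$CFG_USES_SQLITE" || true)"
    printf '%-16s config commented:   %s\n' "$name" \
        "$(exim_sqlite_exposure "$sample" "$CFG_COMMENTED" || true)"
done
```

A "hintdb" result is an exposure no matter what the configuration says, because the hints DBs are opened by Exim itself; "lookup-capable" means the package could run sqlite lookups but the current configuration does not, which is the common case for distribution builds.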
