Hacker News

kroyesterday at 6:39 PM2 repliesview on HN

It says coordinated distro release today, and I've received a notice earlier today but that does not include the CVE number. That's confusing / does not seem very coordinated to release 2 separate security update notices in a day.

https://lists.debian.org/debian-security-announce/2026/msg00...


Replies

avian, today at 6:28 AM

Yes, this was weird.

I saw that announcement yesterday, went through the list of fixed issues and decided to wait with the upgrade since none of them were relevant for me.

If I hadn't just seen this on the second page of HN I would have probably deferred this upgrade for a few more days.

fweimer, yesterday at 9:08 PM

That mentions 4.98.2-1+deb13u2, and its changelog has:

    exim4 (4.98.2-1+deb13u2) trixie-security; urgency=high
    
      * Backport fix for Use-After-Free in GnuTLS BDAT/CHUNKING code path.
        This is Exim-Security-2026-05-01.1, fixed upstream in 4.99.3.
    
     -- Andreas Metzler <[email protected]>  Mon, 11 May 2026 19:14:46 +0200

The ID is now in the CVE database, but it was missing from the upstream advisory, too: https://exim.org/static/doc/security/EXIM-Security-2026-05-0...

Not ideal, but at least we got the fix.