That mentions 4.98.2-1+deb13u2, and its changelog has: exim4 (4.98.2-1+deb13u2) tri...

fweimer • yesterday at 9:08 PM • 0 replies • view on HN

That mentions 4.98.2-1+deb13u2, and its changelog has:

    exim4 (4.98.2-1+deb13u2) trixie-security; urgency=high
    
      * Backport fix for Use-After-Free in GnuTLS BDAT/CHUNKING code path.
        This is Exim-Security-2026-05-01.1, fixed upstream in 4.99.3.
    
     -- Andreas Metzler <[email protected]>  Mon, 11 May 2026 19:14:46 +0200

The ID is now in the CVE database, but it was missing from the upstream advisory, too: https://exim.org/static/doc/security/EXIM-Security-2026-05-0...

Not ideal, but at least we got the fix.

alt Hacker News