| Package | exim4 |
|---|---|
| Version | 4.89-2+deb9u15 (stretch), 4.92-8+deb10u12 (buster) |
| Related CVEs | CVE-2026-48840 |

Warisjeet Singh discovered that Exim, a mail transport agent, does not properly handle PROXY frames whose declared payload length is too short for the claimed address family, which may result in information disclosure in configurations with SUPPORT_PROXY and ‘host_proxy’ set.
For Debian 10 buster, this problem has been fixed in version 4.92-8+deb10u12.
For Debian 9 stretch, this problem has been fixed in version 4.89-2+deb9u15.
We recommend that you upgrade your exim4 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.
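
The length-versus-family check described above, shown as an added example; it is not Exim's code or the Debian patch. It assumes the frames follow the HAProxy PROXY protocol v2 header layout, and the names `pp2_validate` and `pp2_demo` and the sample frames are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PP2_HDR_LEN 16  /* 12-byte signature, ver/cmd, family/proto, 16-bit length */
static const uint8_t PP2_SIG[12] =
    {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A};
enum pp2_result { PP2_OK, PP2_TRUNCATED, PP2_BAD_SIG, PP2_BAD_VERCMD,
                  PP2_BAD_FAMILY, PP2_SHORT_PAYLOAD };
/* Minimum address-block size per family nibble: UNSPEC, INET, INET6, UNIX. */
static const size_t PP2_MIN_ADDR[4] = {0, 12, 36, 216};

/* Validate the header before any address field is read from buf. */
enum pp2_result pp2_validate(const uint8_t *buf, size_t received)
{
    if (received < PP2_HDR_LEN) return PP2_TRUNCATED;
    if (memcmp(buf, PP2_SIG, sizeof PP2_SIG) != 0) return PP2_BAD_SIG;
    if ((buf[12] >> 4) != 0x2 || (buf[12] & 0x0F) > 0x1) return PP2_BAD_VERCMD;
    uint8_t fam = buf[13] >> 4;
    if (fam > 0x3) return PP2_BAD_FAMILY;
    size_t need = (buf[12] & 0x0F) == 0x0 ? 0 : PP2_MIN_ADDR[fam]; /* LOCAL: addresses ignored */
    size_t declared = ((size_t)buf[14] << 8) | buf[15];
    if (declared < need) return PP2_SHORT_PAYLOAD;   /* length too short for the family */
    if (received - PP2_HDR_LEN < declared) return PP2_TRUNCATED;
    return PP2_OK;
}

/* Constructed sample frame: PROXY command, zeroed payload of `payload` bytes (max 256). */
enum pp2_result pp2_demo(uint8_t fam_proto, uint16_t declared, size_t payload)
{
    uint8_t frame[PP2_HDR_LEN + 256] = {0};
    memcpy(frame, PP2_SIG, sizeof PP2_SIG);
    frame[12] = 0x21;                        /* version 2, PROXY command */
    frame[13] = fam_proto;
    frame[14] = (uint8_t)(declared >> 8);    /* declared length, big-endian */
    frame[15] = (uint8_t)(declared & 0xFF);
    return pp2_validate(frame, PP2_HDR_LEN + payload);
}

int main(void)
{
    printf("TCP/IPv4 with 12-byte block: %d\n", pp2_demo(0x11, 12, 12));
    printf("TCP/IPv6 with 12-byte block: %d\n", pp2_demo(0x21, 12, 12));
    return 0;
}
```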