Changelog
exim4 (4.97-3) unstable; urgency=medium

  * Fixes from upstream GIT master:
    77_01-Reject-dot-LF-as-ending-data-phase.-Bug-3063.patch
    77_02-Use-enum-for-body-data-input-state-machine.patch
    77_03-Reject-dot-LF-as-ending-data-phase-pt.-2-.-Bug-3063.patch
    + Enforce a data synch check before emitting the 354 "go ahead".
      Previously this was only done if a pre-data ACL was configured.
    + Refuse to accept a line "dot, LF" as end-of-DATA unless operating in
      LF-only mode (as detected from the first header line). Previously we
      did accept that in (normal) CRLF mode; this has been raised as a
      possible attack scenario (under the name "smtp smuggling").
    Closes: #1059387 CVE-2023-51766

 -- Andreas Metzler <email address hidden>  Mon, 25 Dec 2023 07:50:16 +0100
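The two checks the entry describes, as an added toy illustration (not Exim's code and not part of the changelog): a data-synchronisation check that refuses the 354 reply when the client has already sent bytes ahead of it, and an end-of-DATA scanner that derives CRLF or LF-only mode from the first line and then accepts only that mode's "dot on a line by itself" terminator. Names (`data_sync_reply`, `detect_line_mode`, `scan_data`) and reply texts are assumptions for the example; the sample messages are constructed.

```python
"""Toy model of the hardened end-of-DATA handling described in the exim4
4.97-3 changelog.  Added example only; not Exim's implementation."""
from dataclasses import dataclass

CRLF = b"\r\n"
LF = b"\n"


def data_sync_reply(pending_input: bytes) -> str:
    """Answer a DATA command.  If the client already pushed bytes before we
    replied (pending_input non-empty), it is not waiting for our 354, so
    refuse rather than let those bytes be read as the message body.
    Reply texts are illustrative (assumption), not Exim's exact wording."""
    if pending_input:
        return "554 SMTP synchronization error"
    return '354 Enter message, ending with "." on a line by itself'


def detect_line_mode(data: bytes) -> str:
    """Derive the line-ending mode from the first (header) line:
    'crlf' if it ends in CR LF, 'lf' if it ends in a bare LF."""
    nl = data.find(LF)
    if nl == -1:
        return "crlf"            # assumption: undecided input is treated as strict CRLF
    if nl > 0 and data[nl - 1:nl] == b"\r":
        return "crlf"
    return "lf"


@dataclass
class DataScan:
    mode: str          # "crlf" or "lf"
    terminated: bool   # True if the mode's own terminator was seen
    body: bytes        # raw message bytes before the terminator
    leftover: bytes    # bytes after the terminator (next commands, if any)


def scan_data(data: bytes) -> DataScan:
    """Find the end-of-DATA marker using only the terminator that matches
    the detected mode.  In CRLF mode a bare "LF . LF" is plain body text
    and does not end the message, which is the behaviour change in 4.97-3."""
    mode = detect_line_mode(data)
    eol = CRLF if mode == "crlf" else LF
    if data.startswith(b"." + eol):          # empty message: first line is the dot
        end, after = 0, len(b"." + eol)
    else:
        marker = eol + b"." + eol             # dot alone on a line, in this mode's EOL
        idx = data.find(marker)
        if idx == -1:
            return DataScan(mode, False, data, b"")   # still waiting for more data
        end, after = idx, idx + len(marker)
    return DataScan(mode, True, data[:end], data[after:])


if __name__ == "__main__":
    # Constructed sample: CRLF message whose body carries a bare "LF . LF".
    sample = b"Subject: x\r\n\r\nhi\n.\nMAIL FROM:<a@b>\r\n.\r\n"
    print(data_sync_reply(b""))
    print(scan_data(sample))
```

Run stand-alone, the script shows that the embedded `\n.\n` stays inside `body` and the message only ends at the real `\r\n.\r\n`; a scanner that accepted either terminator would instead have split the stream there and returned the bytes after it as `leftover`.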