[CLSA-2026:1781269872] Fix CVE(s): CVE-2026-45185
Type: security
Severity: Important
Release date: 2026-06-12 13:13:18 UTC
Description:
* SECURITY UPDATE: TLS close_notify use-after-free during active BDAT/CHUNKING transfer that can lead to unauthenticated remote code execution
  - debian/patches/CVE-2026-45185.patch: introduce tls_close_notify() that pops the BDAT receive layer, reinstalls plaintext receive callbacks via a new smtp_rcv_cleartext() helper, then re-pushes the BDAT layer before closing the TLS channel; switch the GnuTLS and OpenSSL receive paths from a bare tls_close() to tls_close_notify()
  - CVE-2026-45185
CVEs fixed:
Updated packages:
  • exim4_4.93-13ubuntu1.12+tuxcare.els2_all.deb
    sha:a2fca705030f1059969568b00006b12bc7c14fbf
  • exim4-base_4.93-13ubuntu1.12+tuxcare.els2_amd64.deb
    sha:c656095685f67c0c3f109a3c7c486b51fd48c1d6
  • exim4-config_4.93-13ubuntu1.12+tuxcare.els2_all.deb
    sha:2bd8dbd92ab2ecab7ec65017baefdf02ca2f5c5f
  • exim4-daemon-heavy_4.93-13ubuntu1.12+tuxcare.els2_amd64.deb
    sha:fcd04c289a87dd63543f758ee922a80dcdecda57
  • exim4-daemon-light_4.93-13ubuntu1.12+tuxcare.els2_amd64.deb
    sha:6dbeb103833c0012191b02cbfb11e889a215eebc
  • exim4-dev_4.93-13ubuntu1.12+tuxcare.els2_amd64.deb
    sha:a8f8aabd3bf65bb6bb6e1a57b729a3d7b2a1ce32
  • eximon4_4.93-13ubuntu1.12+tuxcare.els2_amd64.deb
    sha:f630dcb19b3f1262ef2f73be3c961ca26b496ebf
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.