According to our previous CRD announcement we released
Exim 4.99.1 on 2025-12-17 at 15:00 UTC.

Credits to Andrew Fasano <[email protected]>, for pointing out the
issue.

His original report can be found here: 
https://code.exim.org/exim/exim/src/commit/d46a6727798fc48d1756190a6d46d19216348c25/doc/doc-txt/exim-security-2025-12-09.1/report.txt

Short version: Exim configurations using SQLite lookups or SQLite hints DBs
were vulnerable to SQL injection, which could lead to heap corruption. Distro
Exim packages usually do not use SQLite hints DBs (it is a build-time option;
grep the output of `exim -bV` for "Hints DB"), but many packages do allow
SQLite lookups in the runtime config (grep the output of `exim -bV` for
"Lookups").
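The two greps above can be turned into a small triage script. The following is an added example and not code from the Exim project or from this announcement: it reads `exim -bV` output, checks the "Lookups" line and the "Hints DB" section for sqlite, and classifies the build by version according to what the announcement states (4.99 affected, 4.99.1 fixed, older builds "may or may not be vulnerable"). All sample outputs and the config fragment are constructed for illustration, and the layout of the "Hints DB" section (a header line followed by one indented line naming the backend) is an assumption.

```shell
#!/bin/sh
# Added example, not code from the Exim project or this announcement:
# triage `exim -bV` output (and a runtime config) for the SQLite exposure
# this advisory describes. Assumption: the "Hints DB" section is a header
# line followed by one indented line naming the backend. All sample texts
# below are constructed for illustration, not captured from real hosts.

# --- constructed samples ----------------------------------------------
# A 4.99 build with the sqlite lookup compiled in but Berkeley DB hints.
SAMPLE_DISTRO='Exim version 4.99 #2 built 10-Dec-2025 10:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap mysql passwd pgsql sqlite
Hints DB:
 Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Configuration file is /etc/exim4/exim4.conf'
# The same build after updating to the fixed release.
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE_DISTRO" | sed 's/^Exim version 4\.99 /Exim version 4.99.1 /')
# An older build whose hints db itself is sqlite (section layout assumed).
SAMPLE_OLD='Exim version 4.97.1 #1 built 01-Jun-2024 09:00:00
Lookups (built-in): lsearch dbm dnsdb dsearch
Hints DB:
 sqlite3: 3.45.1
Configuration file is /etc/exim.conf'
# A build with no sqlite anywhere.
SAMPLE_NOSQLITE='Exim version 4.99 #1 built 10-Dec-2025 10:00:00
Lookups (built-in): lsearch dbm dnsdb dsearch
Hints DB:
 tdb: 1.4.9
Configuration file is /etc/exim.conf'
# A runtime config fragment that actually exercises the sqlite lookup.
SAMPLE_CONFIG='domainlist local_domains = @ : localhost
virtual:
  driver = redirect
  data = ${lookup sqlite {/var/lib/exim/aliases.db select dest from aliases where addr = "${quote_sqlite:$local_part}"}}'

# Version string from the first line, e.g. "4.99" or "4.99.1".
exim_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Compare dotted version strings: prints -1, 0 or 1 for a < b, a = b, a > b.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# 0 if the build-time lookup list includes sqlite.
has_sqlite_lookups() {
    printf '%s\n' "$1" | grep -i '^Lookups' | grep -qi 'sqlite'
}

# 0 if the hints db backend is sqlite ("Hints DB" header plus the next line).
has_sqlite_hintsdb() {
    printf '%s\n' "$1" | awk '/^Hints DB/ { n = 2 } n > 0 { print; n-- }' | grep -qi 'sqlite'
}

# 0 if a runtime config text references the sqlite lookup (a compiled-in
# lookup type only matters once the config actually uses it).
config_uses_sqlite() {
    printf '%s\n' "$1" | grep -qiE 'lookup[[:space:]]+sqlite|sqlite_dbfile'
}

# One-word verdict for an `exim -bV` text, following the advisory:
#   no-sqlite : neither sqlite lookups nor a sqlite hints db
#   fixed     : sqlite present, version 4.99.1 or later
#   affected  : sqlite present on 4.99, the release that introduced the bug
#   unknown   : sqlite present on a pre-4.99 build, which the advisory only
#               says "may or may not be vulnerable"
triage() {
    out=$1
    if ! has_sqlite_lookups "$out" && ! has_sqlite_hintsdb "$out"; then
        echo no-sqlite
        return 0
    fi
    v=$(exim_version "$out")
    if [ "$(vercmp "$v" 4.99.1)" -ge 0 ]; then
        echo fixed
    elif [ "$(vercmp "$v" 4.99)" -ge 0 ]; then
        echo affected
    else
        echo unknown
    fi
}

# Live use on a host:  exim -bV | sh exim_sqlite_triage.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
    triage "$(cat)"
fi
```

A verdict of "affected" means the binary offers sqlite; whether the host is actually exposed then depends on the runtime config, which is why `config_uses_sqlite` is there to run over `exim -bP config` output or the config file itself. The version gate deliberately does not declare any pre-4.99 build safe, because the announcement only does so for 4.98.2.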


The original release announcement, as sent to [email protected]:
--------------------------------------------------------------------------

Dear Exim users and maintainers,

we are pleased to announce the availability of release 4.99.1 of Exim.

This is a security release. It fixes CVE-2025-67896 (aka
EXIM-Security-2025-12-09.1), which was introduced with 4.99. Older Exim
versions may or may not be vulnerable and are not actively maintained
anymore by the Exim maintainers. (To the best of our knowledge, 4.98.2¹
should be safe.)

Configurations using SQLite for lookups and hints DB were vulnerable.
Details: 
https://code.exim.org/exim/exim/src/branch/exim-4.99+fixes/doc/doc-txt/exim-security-2025-12-09.1/report.txt

Exim 4.99.1 is available:

 * as tarball
   * https://ftp.exim.org/pub/exim/exim4/
   * https://code.exim.org/exim/exim/releases

 * directly from Git: https://code.exim.org/exim/exim
   tag: exim-4.99.1

The signatures on the release tarballs and Git tag should be:

 *  The release files are signed by key DD98D92359DE9E3C2663F291697F0EDD68099F6F
    "Heiko Schlittermann (Dresden) <[email protected]>"
    aka "Heiko Schlittermann (Exim MTA Maintainer) <[email protected]>"

¹) The original announcement mentioned a wrong version number.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
