CVE-2022-3620

Name: CVE-2022-3620
Description: A vulnerability was found in Exim and classified as problematic. This issue affects the function dmarc_dns_lookup of the file dmarc.c of the component DMARC Handler. The manipulation leads to use after free. The attack may be initiated remotely. The name of the patch is 12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211919.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1022556

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                    | Version           | Status
exim4 (PTS)    | jessie, jessie (lts)       | 4.84.2-2+deb8u13  | vulnerable
               | stretch (security)         | 4.89-2+deb9u8     | vulnerable
               | stretch (lts), stretch     | 4.89-2+deb9u14    | vulnerable
               | buster, buster (lts)       | 4.92-8+deb10u11   | fixed
               | buster (security)          | 4.92-8+deb10u9    | fixed
               | bullseye                   | 4.94.2-7+deb11u3  | fixed
               | bullseye (security)        | 4.94.2-7+deb11u4  | fixed
               | bookworm                   | 4.96-15+deb12u6   | fixed
               | bookworm (security)        | 4.96-15+deb12u5   | fixed
               | trixie                     | 4.98-2            | fixed
               | sid                        | 4.98-3            | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version  | Urgency     | Origin | Debian Bugs
exim4   | source | buster     | (not affected) |             |        |
exim4   | source | bullseye   | (not affected) |             |        |
exim4   | source | (unstable) | 4.96-7         | unimportant |        | 1022556

Notes

[bullseye] - exim4 <not-affected> (Vulnerable code not present)
[buster] - exim4 <not-affected> (Vulnerable code not present)
Introduced by: https://git.exim.org/exim.git/commit/92583637b25b6bde926f9ca6be7b085e5ac8b1e6 (exim-4.95-RC0)
Fixed by: https://git.exim.org/exim.git/commit/12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445
Debian binary packages not built with DMARC support
