Exim 4.99.3 security update

tomputer · 2026-05-13T00:06:11-0600

Exim 4.99.3 has been released:

Title: Exim Security Advisory for EXIM-Security-2026-05-01.1 / CVE-TBD
Announced: 2026-05-12
Affects: Exim 4.97 up to and including 4.99.2
Corrected: Exim 4.99.3

Exim Security Advisory for EXIM-Security-2026-05-01.1
Dead.Letter (CVE-2026-45185) How XBOW Found an Unauthenticated RCE on Exim

ccto · 2026-05-13T00:29:16-0600

It looks our DA Exim shall be compiled with OpenSSL, not with GNUTLS (hopefully)

From https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/EXIM-Security-2026-05-01.1.txt

Affected Versions
-----------------

- All Exim versions from 4.97 up to and including 4.99.2 are affected.
- This vulnerability only impacts builds that use USE_GNUTLS=yes. Builds using OpenSSL or other TLS libraries are not affected.

In my AL9, I tried to "ldd /usr/sbin/exim" , it showed -
libssl.so.3 => /lib64/libssl.so.3
libcrypto.so.3 => /lib64/libcrypto.so.3
where /lib64/libssl.so.3 and libcrypto.so.3 are shipped by openssl-libs

I hope we are not vulnerable.

fln · 2026-05-13T00:47:39-0600

Standard DA installations are not affected by this vulnerability. Exim 4.99.3 is already available in alpha release channel.

tomputer · 2026-05-13T01:00:14-0600

Builds using OpenSSL or other TLS libraries are not affected.

Can confirm for Debian that it was build with openssl:

ldd /usr/sbin/exim
libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1

Exim 4.99.3 security update

tomputer

Verified User

ccto

Verified User

fln

Administrator

tomputer

Verified User