[CLSA-2026:1779369819] Fix CVE(s): CVE-2026-40686, CVE-2026-40687
Type: security
Severity: Critical
Release date: 2026-05-21 13:23:43 UTC
Description:
* SECURITY UPDATE: heap read out-of-bounds in UTF-8 expansion
  - debian/patches/CVE-2026-40686.patch: harden ${from_utf8:} expansion operator against malformed UTF-8 trailing bytes.
  - CVE-2026-40686
* SECURITY UPDATE: SPA authenticator buffer hardening
  - debian/patches/CVE-2026-40687.patch: zero spa_base64_to_bits output buffer and replace static 1024-byte buffers in unicodeToString, strToUnicode, toString with dynamic store_get allocations sized to input.
  - CVE-2026-40687
Updated packages:
  • exim4_4.90.1-1ubuntu1.10+tuxcare.els6_all.deb
    sha:44b696ae8deedad20164b2fb07f4b69aa8077300
  • exim4-base_4.90.1-1ubuntu1.10+tuxcare.els6_amd64.deb
    sha:f299e7cd6501f7d9a41e9430b0e00905d6895448
  • exim4-config_4.90.1-1ubuntu1.10+tuxcare.els6_all.deb
    sha:b1fb9c6ce628678db592cbed95ee76db1c787e24
  • exim4-daemon-heavy_4.90.1-1ubuntu1.10+tuxcare.els6_amd64.deb
    sha:d96b3fae32e07916e37ebeb81463ed5ceab915b5
  • exim4-daemon-light_4.90.1-1ubuntu1.10+tuxcare.els6_amd64.deb
    sha:71dc46f7290983024eb933574a806a5c0d5b5585
  • exim4-dev_4.90.1-1ubuntu1.10+tuxcare.els6_amd64.deb
    sha:368627291c198ae0bedcbcce48cec763dfed5159
  • eximon4_4.90.1-1ubuntu1.10+tuxcare.els6_amd64.deb
    sha:4bb1fa7d9d2a1efbc3046ec9a8541f6f3991fefe
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.