Andreas Metzler uploaded new packages for exim4 which fixed the
following security problem:
CVE-2026-48840
PROXYv2 parser: reject PROXY frames whose declared payload
length is too short for the claimed address family (12 bytes for
TCPv4/0x11, 36 bytes for TCPv6/0x21). Previously a frame with
family=0x21 and len=0 caused 16 bytes of uninitialized stack to be
formatted as the sender's IPv6 address and disclosed in the SMTP
greeting banner. Affects configurations with SUPPORT_PROXY and
`hosts_proxy` set. Reported by Warisjeet Singh (sin99xx).
EXIM-Security-2026-05-19.1
For the trixie-backports distribution the problem has been fixed in
version 4.99.3-2~bpo13+1.