CVE-2025-26794

Dear Distro maintainers,

please fetch the latest security update from

  ssh://git@code.exim.org/exim/exim-distros.git
  tag: exim-4.98.1

We are going to make patches available to the public on 
Friday, Feb 21th, 2025, at 12:00 UTC (coordiated release date).

In case you're not able to follow this schedule, please tell us
immediatly. Otherwise we'll announce the upcoming release (w/o further
details) to other public channels during the next 24 hours.

Please do not publish anything (information, sources, binaries) in
advance.

As most of you ship source *and* binary packages, we ask you to publish this
security release, even your build time configuration isn't affected.
Your users may use your source packages for custom builds.

The issue is limited to systems which meet all of the following
conditions:

- Exim version == 4.98
  (check the output of `exim -bV`)

- Build time config enables SQLITE3 for hint dbs
  (check the output of `exim -bV` and search for `Hints DB:`, or check
  the build time config Local/Makefile for "USE_SQLITE", not to be
  confused with the SQLITE3 lookup driver)

- Run time config allows the use of ETRN
  (acl_smtp_etrn returns accept (defaults to deny))

- Run time config enforces serialization of ETRN commands
  (smtp_etrn_serialize (defaults to true))

Thank you for maintaining the Exim packages for your distribution.

