[kro]

It says coordinated distro release today, and I've received a notice earlier today but that does not include the CVE number. That's confusing / does not seem very coordinated to release 2 separate security update notices in a day.

https://lists.debian.org/debian-security-announce/2026/msg00...

[fweimer]

That mentions 4.98.2-1+deb13u2, and its changelog has:

    exim4 (4.98.2-1+deb13u2) trixie-security; urgency=high
    
      * Backport fix for Use-After-Free in GnuTLS BDAT/CHUNKING code path.
        This is Exim-Security-2026-05-01.1, fixed upstream in 4.99.3.
    
     -- Andreas Metzler <ametzler@debian.org>  Mon, 11 May 2026 19:14:46 +0200

The ID is now in the CVE database, but it was missing from the upstream advisory, too: https://exim.org/static/doc/security/EXIM-Security-2026-05-0...

Not ideal, but at least we got the fix.

[avian]

Yes, this was weird.

I saw that announcement yesterday, went through the list of fixed issues and decided to wait with the upgrade since none of them were relevant for me.

If I haven't just seen this on the second page of HN I would have probably deferred this upgrade for a few more days.