Multiple Exim security vulnerabilities disclosed

Posted Sep 30, 2023 20:58 UTC (Sat) by cmeerw (guest, #555)
In reply to: Multiple Exim security vulnerabilities disclosed by dskoll
Parent article: Multiple Exim security vulnerabilities disclosed

My understanding (so far, after looking a bit into what information is publicly available about it) is that it heavily depends on the actual configuration and will probably only affect a tiny percentage of servers.

(btw, postfix might not even implement the functionality that's affected by these vulnerabilities)

Multiple Exim security vulnerabilities disclosed

Posted Oct 1, 2023 17:33 UTC (Sun) by cmeerw (guest, #555) [Link] (1 responses)

this has now been confirmed: https://www.mail-archive.com/exim-users@lists.exim.org/ms...

Multiple Exim security vulnerabilities disclosed

Posted Oct 1, 2023 19:55 UTC (Sun) by pharm (guest, #22305) [Link]

So stock Debian config is basically unaffected: CONFIG_RCPT_SPF is not set by default, there’s no NTLM auth & no external auth.

So long as your DNS resolver is sane, you’re OK it seems.