LWN: Comments on "Exim 4.92.3 security release"

Exim 4.92.3 security release

Comet — Fri, 04 Oct 2019 00:46:38 +0000

With my Exim maintainer hat on: current development master has many fixes related to introducing a "taint" concept for sources of data, to more systematically prevent some security problems. This has triggered many cleanups and exposed some issues.

But it means that this latest problem had already been independently fixed in git master, in a different way. So the code cleanups Jeremy is doing are yielding real benefits for robustness. The 4.92.x status sucks for everyone (but the problems getting fixed is good). 4.93 should be a marked improvement though.

If anyone wants to poke at the current git master and spot issues and contribute fixes or bug reports, they'll be most welcome. Please help.

Thanks, -Phil

Exim 4.92.3 security release

joey — Wed, 02 Oct 2019 22:51:07 +0000

Previous exim EHLO vulnerabilites include one in 2003.

Exim 4.92.3 security release

dfsmith — Mon, 30 Sep 2019 22:39:55 +0000

Before somebody points it out, the Debian version is 4.92-8+deb10u3. (Dash, not dot.)

Exim 4.92.3 security release

dfsmith — Mon, 30 Sep 2019 22:36:02 +0000

Be glad someone is looking at the code and releasing fixes! Also, Debian buster went from u2 to 4.92.8+deb10u3. I'm not sure if debian4.92.8 maps to exim4.92.3 (the changelog suggests 4.92.2), however 'apt-get changelog' shows the string_vformat fix.

Exim 4.92.3 security release

Trelane — Mon, 30 Sep 2019 22:03:22 +0000

Didn't we just upgrade for a severe vulnerability this month?