> > "Motivation: Thomas Ptacek posted a summary of exim's security problems
> > in April [...]"
>
> Can someone track that down? Maybe it should be reposted here (was it
> originally) and looked at. And April what year? I am sure that people
> here will give it an honest treatment. Indeed, it is exactly the people
> on this list who want exim to be secure against attack and abuse.
Thomas Ptacek's comments were posted to comp.security.unix in April
'97, and quoted in full in exim-users in September '98 - I'm sure there
was some discussion then. DJB's comments (and a root exploit for exim
1.62 which relied on a buffer overflow) were posted to csu in July
'97 and also appeared in BUGTRAQ around that time.
Both Dan Bernstein and Thomas Ptacek are abrasive characters, but have
a track record in security and deserve to be listened to (you need to
filter out the attitude, though). The latter was particularly critical
of bounds checking in exim, and believed that numerous buffer overflow
exploits were probably possible. Of course, this was more than 3 years
ago, and the code has moved on since then.
> That strikes me as peculiar behavior. Many people switched from sendmail
> to exim because of security issues among others. But it appears that in
> the qmail circles there is a wide spread belief of security problems with
> exim. I suspect that that is mostly rumour based on very out-of-date
> inuendo and some hype. But like most such things, there is often some
> grain of something somewhere that should be looked at. I'm sure that
> people here will look at it in good faith.
An in-depth and independent security audit of exim would be a Good
Thing.
--
Malcolm Ray University of London Computer Centre
