I feel the same way about this security issue (if it exists).
First, the proper protocol wasn't followed by notifying the author and
giving a reasonable amount of time for a response. Secondly, this so-called
"utility" has not been released for its own audit, has a questionable
origin (in my eyes), and hasn't even been released as a beta as far as I can
see. This whole thing smells of bad juju.
CK
-----Original Message-----
From: exim-users-admin@??? [mailto:exim-users-admin@exim.org] On Behalf Of Phil Brutsche
Sent: Wednesday, February 13, 2002 10:49 PM
To: exim-users@???
Subject: Re: [Exim] Fw: (bugtraq) Exim 3.34 and lower
On Wed, 2002-02-13 at 21:44, Suresh Ramasubramanian wrote:
> Eh?
My same thought.
I can verify the segfault with the command line, and parts of the patch
make sense (i.e. replacing strcpy with strncpy).
I would wait to hear from Philip Hazel before I do anything rash like
apply it, though.
My only question is: why didn't they contact Philip Hazel before sending it
off to bugtraq? That is the most logical course of action.
--
Phil
--
## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##