Re: [exim-dev] Security issues in exim4 local delivery

Author: Dan Rosenberg
Date:  
To: Nigel Metheringham, Dan Rosenberg, pdp, exim-dev
Subject: Re: [exim-dev] Security issues in exim4 local delivery
Good to hear Exim may continue to be developed after all. What does
this mean in regards to fixing these particular issues? Will you have
time after this week to work on a fix? Should I bother waiting, or
should I just release an advisory describing how to mitigate the
issues with configuration changes and mention that a new release is
pending? I'd rather publish sooner than later, especially since the
Bugzilla entries appear to be public - as in, the vulnerabilities
themselves are technically public already.

Thanks,
Dan

On Wed, May 26, 2010 at 7:14 PM, Phil Pennock <pdp@???> wrote:
> On 2010-05-26 at 20:36 +0100, Nigel Metheringham wrote:
>> I can't give a good answer to that.
>>
>> Exim development is currently effectively dead. We are averaging
>> maybe one CVS commit a month (and worse, we are still on CVS).
>
> I've a list of TODOs which I got discouraged from pursuing, when it was
> hard to get them committed.  Now that I have commit access, I'm willing
> to go back and try to work through them.
>
> My inclination is to come up with an MBX fix based on fstat(), figure
> out the test harness set-up and work with Graeme on producing a release.
> I'd be willing to do that.  I'm just on-call this week at work
> (midday-midnight PDT) so this particular week I'm short on time.
>
> My PGP key is in the strong set; any reason not to sign with 0x3903637F ?
>
> I expect to be in the UK, in Yorkshire, somewhere in the June 17th-20th
> timeframe (and spoken for on the 19th).  If there's anything to cover
> face-to-face, I can try to set aside some time for that.  I could
> perhaps even stay in the UK an extra day (if my employer consents, which
> they might, if it's important for the future of Exim).
>
>> If there is no one else taking this on then I will build a release,
>> however I will also document it as being the last exim release as
>> the development community is unable to sustain further work, so the
>> only reasonable recommendation is for people to transition to a
>> mailer that has long term support.
>
> Separately, I have some more ambitious projects longer-term, which might
> be more controversial.  I really want to look into some experimental
> SMTP extensions for per-recipient DATA responses, for instance.
>
> Regards,
> -Phil
>