[exim] Attribution for Recent Vulnerability

Author: Todd Lyons
Date:  
To: exim-users, exim-dev
Subject: [exim] Attribution for Recent Vulnerability
During the scramble to release the security fix Exim 4.82.1, I made a
few rookie mistakes. One of those was not giving attribution to those
who discovered and reported the vulnerability to us.

Two employees of Imperial College London, David Stockdale and Matt
Hubbard, analyzed a problem they were seeing, and realized that it was
caused by a function which could be tricked into doing macro
expansion. They acted responsibly and notified an Exim developer
directly. The Exim team worked to design and test a patch to fix the
problem, verified the fix was correct, tested it (in this case,
testing was able to be done on a production deployment), and released
notifications.

We would like to publicly thank David and Matt for doing responsible
disclosure to us so that we could handle it rapidly and still have
enough time for adequate testing.

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine