https://bugs.exim.org/show_bug.cgi?id=2118
Phil Pennock <pdp@???> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |pdp@???
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #8 from Phil Pennock <pdp@???> ---
A stance and a code change by Exim.
(1) This is not a vulnerability in Exim. Exim trusts the local user to be
allowed access to their own account and is not appropriate for r* restricted
environments.
(2) Using `--` to end option processing has been part of POSIX for over two
decades now; code passing untrusted data to other programs should be using it,
no excuses.
(3) Commit f33875c3a adds the new option `commandline_checks_require_admin`
which should probably be set in hosting environments.
(4) This change is probably pretty clean to backport.
(5) I will not be setting this option true by default.
If this option commandline_checks_require_admin protects you, then you've
already messed up. But Exim can provide the suspenders for when your belt
fails. The suspenders might snap, they're new and unproven.
This is change PP/04 for the future 4.90 release.
--
You are receiving this mail because:
You are on the CC list for the bug.
