https://bugs.exim.org/show_bug.cgi?id=2118
--- Comment #9 from Sandor Takacs <taki@???> ---
(In reply to Phil Pennock from comment #8)
> A stance and a code change by Exim.
>
> (1) This is not a vulnerability in Exim. Exim trusts the local user to be
> allowed access to their own account and is not appropriate for r* restricted
> environments.
> (2) Using `--` to end option processing has been part of POSIX for over two
> decades now; code passing untrusted data to other programs should be using
> it, no excuses.
> (3) Commit f33875c3a adds the new option `commandline_checks_require_admin`
> which should probably be set in hosting environments.
> (4) This change is probably pretty clean to backport.
> (5) I will not be setting this option true by default.
>
> If this option commandline_checks_require_admin protects you, then you've
> already messed up. But Exim can provide the suspenders for when your belt
> fails. The suspenders might snap, they're new and unproven.
>
> This is change PP/04 for the future 4.90 release.
Thanks for the changes. I know that the main security problem were in Wordpress
(which isn't a problem if you configure your webserver correctly) but if you
can reduce the chance to utilize something you have to do it.
Thanks for it again.
--
You are receiving this mail because:
You are on the CC list for the bug.
