Re: [exim] The most used Exim version is the vulnerable one

Página Inicial
Delete this message
Reply to this message
Autor: Heiko Schlittermann
Data:  
Para: exim-users
Assunto: Re: [exim] The most used Exim version is the vulnerable one
Niels Dettenbach via Exim-users <exim-users@???> (Di 11 Jun 2019 19:58:14 CEST):
> The "initial official" date for patch releases was "officially set" by Exim
> project / security list onto the 11.06.2019 (today) - so possibly some "less
> aware" (LTS) distributors will use that date ("in respect for the project")
> for their release...


The distros got the "original", and updated info on the
"rescheduled" release date on distros@???.

There *should* be responsible persons of all major distros.
But, this doesn't imply, that they act immediatly, as for some of them
Exim isn't in the set of official packages.

Some of the distros even responded personally in a very timely manner (while
such response wasn't requested in the first place, later it was, but
with the same result).

I'll not give more details, as I think, it's not worth having arguments
about good and bad distros. At least not here on this list :)

Using the banner's version as an indicator for vulnerability is a silly
approach. As already stated here, distros backport important patches and
do not touch the visible version number.

You are free to configure the banner to hide the real version, the same
is true for the received header. And, starting with the next release you
can even configure the version number, that is used in several places
(received-header, banner)

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -