Author: Niels Dettenbach
To: exim-users
Subject: Re: [exim] While expecting fix for CVE-2019-15846
On Thursday, 5 September 2019, 11:37:27 CEST, Konstantin Boyandin
via Exim-users wrote:
> Just curious, whether Exim is regularly tested for vulnerabilities as
> it's developed?

This is a bit of a simple view of software security. There is no internet
software without any security issues as it is impossible to "write secure

At least one of the CVEs was initiated by an Exim developer who found problems
while working on "his" own (earlier) code - this is not a "standard case" in
many OS software projects (even less proprietary).

And at least some of the CVEs only affected a sub-amount of the users.

From my view it seems that Exim's code is getting much more auditing attention
since 2019 than before (what - for me - is a good sign).

> The critical security updates are being announced way too often last
> year.

hmm, another option would be to choose software which did not get any
security updates, because no one checks / audits them so far or if, publishes
its knowledge to the users....

regular / fast security updates / patches are necessary on any internet host
today (is no "honeypot" or similar) - independent from exim.

best regards,


Niels Dettenbach
Syndicat IT & Internet