Re: [exim-dev] [exim-announce] Exim 4.96-RC0 released

Pàgina inicial
Delete this message
Reply to this message
Autor: Andrew C Aitchison
Data:  
A: exim-dev
Assumpte: Re: [exim-dev] [exim-announce] Exim 4.96-RC0 released
On Mon, 25 Apr 2022, Kirill Miazine via Exim-dev wrote:

> Beware that the just released RC0 for Exim 4.96 may break your Dovecot
> LDA delivery. It did break mine, which is similar to what is described
> on https://wiki.dovecot.org/LDA/Exim
>
> Here is the relevant ChangeLog entry:
>
> JH/25 Taint-check exec arguments for transport-initiated external processes.
>      Previously, tainted values could be used.  This affects "pipe", "lmtp" and
>      "queryprogram" transport, transport-filter, and ETRN commands.
>      The ${run} expansion is also affected: in "preexpand" mode no part of
>      the command line may be tainted, in default mode the executable name
>      may not be tainted.


> • Jeremy Harris via Exim-announce [2022-04-23 20:23]:
>> Notable removals since 4.95:
>>
>>   - the "allow_insecure_tainted_data" main config option and the
>>     "taint" log_selector.  These were previously deprecated.


That isn't a good combination. Please could we keep the option to
allow_insecure_tainted_data if there are new taint features ?

That way we can continue to run live systems while we resolve
these sort of problems.

Thanks,

-- 
Andrew C. Aitchison                    Kendal, UK
             andrew@???