Re: [exim] Taint checking and exim 4.96rc0

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] Taint checking and exim 4.96rc0
Andrew C Aitchison via Exim-users <exim-users@???> (Fri 29 Apr 2022 18:16:45 CEST):
> To which Jeremy replied:
> > The trouble with that is that it means the coverage of tracking
> > tainted data use can never be extended.
> >
> > The commit for that removal is fairly extensive:
> - see https://lists.exim.org/lurker/message/20220427.174941.443df2eb.en.html
> for the 27 reverts and 35 files changed.
>
> Given that taint checking appeared in Exim 4.93 and
> allow_insecure_tainted_data in Exim 4.95,
> this (Exim 4.96) would be the first time that allow_insecure_tainted_data
> would actually be helpful.
>
> Is it just me, or are others worried about the new taint checking
> having unexpected consequences and no way to disable it for debugging ?


The "allow_insecure_tainted_data" was introduced to ease the migration
from 4.94 to 4.95, giving you/us a timeframe to upgrade existing
configurations to be taint-proof.

Before upgrading to 4.96 you should have a taint-proof (secure)
configuration. The deprecation of "allow_insecure_tainted_data" was
announced with the advent of this option already.

Which point did I miss? Do we have *new* taint checks that break
configurations that were considered secure with 4.95?

    Best regards from Dresden/Germany
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
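What a "taint-proof" configuration looks like in practice, as an added example that is not part of this thread and not from the Exim project's own configure file: the weak form uses the envelope-derived $local_part directly in a filesystem path, which the taint checks introduced in 4.94 reject; the hardened form derives the path from the untainted result of a lookup (here the passwd lookup performed by check_local_user, which sets $local_part_data and $home). The router and transport names, the file paths and the users file are assumptions chosen for illustration.

```conf
# Added example, not from this thread or the Exim default configuration.
# Router/transport names and paths are illustrative assumptions.

# --- main section ---------------------------------------------------
# 4.95 migration aid only. It silences the taint check globally and is
# removed in 4.96, so a configuration must not depend on it.
#allow_insecure_tainted_data = yes

# --- routers ---------------------------------------------------------
# Weak: $local_part is taken from the SMTP envelope and is tainted.
# The transport below uses it to build a file name, so the expansion is
# refused at delivery time once the taint checks are enforced.
localuser_weak:
  driver = accept
  check_local_user
  transport = local_delivery_weak

# Taint-proof: check_local_user resolves the local part via the
# password database. On success $local_part_data holds the user name
# as it appears in passwd and $home the home directory; both are
# lookup results and therefore untainted.
localuser:
  driver = accept
  check_local_user
  transport = local_delivery

# Alternative for virtual users without passwd entries: a successful
# list-lookup match sets $local_part_data to the looked-up (untainted)
# value. /etc/exim/localusers (assumed) holds "key: value" lines,
# e.g. "alice: alice".
virtualuser:
  driver = accept
  local_parts = lsearch;/etc/exim/localusers
  transport = local_delivery

# --- transports ------------------------------------------------------
# Weak: tainted $local_part in a file path.
local_delivery_weak:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add

# Taint-proof: only untainted, lookup-derived variables reach the
# file-name expansion.
local_delivery:
  driver = appendfile
  file = /var/mail/$local_part_data
  delivery_date_add
  envelope_to_add
  return_path_add
```

To audit an existing configuration before moving to 4.96, grep it for $local_part, $domain and $sender_address used inside file=, directory=, command= or lookup-file arguments, and replace each with the corresponding _data variable or an explicit ${lookup...} result; `exim -C <file> -bt user@example.org` exercises the routers for a test address without delivering anything.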