On 2022-08-24 17:49, Andrew C Aitchison wrote:
[...]
> www.exim.org/static/doc/security/CVE-2021-38371.txt
> is advertised on a couple of CVE sites but does not exist.
> Like CVE-2022-37452, CVE-2021-38371 was fixed in 4.95 (the fix in git
> actually predates the NO STARTTLS announcement).
> I wrote up some text for it but Jeremy didn't like the tone of it
> - my page sounded as if we agreed that the bug was a security issue.
> He clearly did not believe that CVE-2021-38371 is an insecurity;
> I agree that there is no evidence that it is one, but lack of evidence is
> not evidence of lack, and the fix has been applied.
> Like you, I think that we should respond to each CVE, whether they
> are security issues or not, but Jeremy gave me the impression that
> he does not.
> If you are happy to stick to your guns on this one, I will rewrite
> mine and report it in the bugzilla, which is what Jeremy suggested.
> Since Jeremy does most of the work on exim I am not keen
> to make a fuss.
Hello Andrew
the CVE status is still marked as "applies to 4.94.2, might be fixed in
later versions" in all security trackers. Could you point to the fixing
GIT commit?
TIA, cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'