[exim] Re: Exim Zero Day?

Author: Viktor Dukhovni via Exim-users
Date:  
To: exim-users
Subject: [exim] Re: Exim Zero Day?
On Sun, Oct 01, 2023 at 05:50:00PM +0200, Andreas Barth via Exim-users wrote:

> I have seen the security side as debian release manager for quite many
> software products. And I doubt much that postfix would do it much
> different.


Coordinated release of security updates is standard industry practice.

The only similar CVE in Postfix is CVE-2011-1720.

    https://www.postfix.org/CVE-2011-1720.html#timeline


Another CVE instead led to coordination with multiple other SMTP
implementations (really anything that involved transition from cleartext
to TLS via a STARTTLS-like mechanism). This did not involve any risk of
system compromise, just injection of pre-TLS content into the TLS
stream:

    https://www.postfix.org/CVE-2011-0411.html#timeline


-- 
    Viktor.

