[exim] Re: Exim Zero Day?

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Viktor Dukhovni via Exim-users
Date:  
À: exim-users
Sujet: [exim] Re: Exim Zero Day?
On Sun, Oct 01, 2023 at 05:50:00PM +0200, Andreas Barth via Exim-users wrote:

> I have seen the security side as debian release manager for quite many
> software products. And I doubt much that postfix would do it much
> different.


Coordinated release of security updates is standard industry practice.

The only similar CVE in Postfix is CVE-2011-1720.

    https://www.postfix.org/CVE-2011-1720.html#timeline


Another CVE instead led to coordination with multiple other SMTP
implementations (really anything that involved transition from cleartext
to TLS via a STARTTLS-like mechanism). This did not involve any risk of
system compromise, just injection of pre-TLS content into the TLS
stream:

    https://www.postfix.org/CVE-2011-0411.html#timeline


-- 
    Viktor.


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/