Saturday, September 30, 2023

Re: exim

On 30/09/2023 at 15:27, Stuart Henderson wrote:
> With OpenBSD release fast approaching and considering the lack of solid
> information about the vulnerabilities, I think we should probably mark
> mail/exim BROKEN for now.
>
> And also consider whether we want to keep this in ports at all...
> The response to this was much weaker than I'd expect from maintainers
> of software like this (note that it is a huge setuid root binary so
> it'd really be nice if they were a bit more active on that front)
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/mail/exim/Makefile,v
> retrieving revision 1.143
> diff -u -p -r1.143 Makefile
> --- Makefile 26 Sep 2023 12:28:11 -0000 1.143
> +++ Makefile 30 Sep 2023 12:52:52 -0000
> @@ -1,3 +1,7 @@
> +BROKEN = known unfixed remote vulnerabilities, likely serious
> +# https://www.openwall.com/lists/oss-security/2023/09/29/5
> +# https://www.openwall.com/lists/oss-security/2023/09/29/10
> +
> COMMENT-main = flexible mail transfer agent
> COMMENT-eximon = X11 monitor tool for Exim MTA
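Review bot: the BROKEN message itself carries no pointer to the two oss-security references, which only appear as `#` comment lines below it; since the BROKEN string is what a user sees when the build refuses, consider putting a short pointer into it, e.g. `BROKEN = known unfixed remote vulnerabilities, likely serious; see oss-security 2023/09/29`, so the reason is actionable without opening the Makefile.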
>
>

What would marking it BROKEN solve? People upgrading to 7.4 will keep
the old version, but indeed new users won't be able to install it.

I'd prefer to see it removed, including a quirks entry with the reason,
if it's such a trashfire that it shouldn't be used.
