Saturday, September 30, 2023

Re: exim

On 30/09/2023 15:37, Theo de Raadt wrote:
> Stuart Henderson <stu@spacehopper.org> wrote:
>
>> With OpenBSD release fast approaching and considering the lack of solid
>> information about the vulnerabilities, I think we should probably mark
>> mail/exim BROKEN for now.
>
> That's almost too kind.

This is not the first time that exim security issues are discovered just
before an OpenBSD release.
This time, removing a feature in the build solves one of the biggest
issues, but not everything. For example, there is an issue in one of the
libraries exim uses.
Some fixes are already available but are somehow kind of embargoed (not
that I find any kind of embargo on security fixes a good idea at all).
They are supposed to be made public in something like 2 weeks.

I don't know what the best step to take is. I don't think marking it as
broken is really the best idea, just as Solène said.
So in my mind, the choices are
- we completely remove that port because OpenBSD is security focused
- we wait until 4.97 with fixes is released
- we publish a version without the affected feature now (although that
will reveal to everyone where the problem is, might break some
installations and is probably not enough anyway)