How serious is CVE-2022-37452: buffer overflow for the alias list in
host_name_lookup? I was surprised not to see it discussed on exim-users
or exim-announce, or listed in http://exim.org/static/doc/security/.
I upgraded to 4.96 to be sure.
Ken
--

## Lis

I found out about CVE-2022-37452 when I got this notice from Ubuntu
security: https://ubuntu.com/security/notices/USN-5574-1 . It says
"Exim could be made to execute arbitrary code", though in the details it
says "possibly". Naturally this worried me, and I was alarmed that I
hadn't heard of it b

When exim fails to send a message to a host that is down, it remembers
that fact and doesn't try to send any more messages to that same host
for some interval. Does it then not send delay warnings for those
additional messages that it did not retry?
I have the situation where a host is not accept

I have a spam checking system which until recently worked as follows:
In my RCPT acl, I first verify the recipient. If this succeeds, I put
$address_data in a list of local users who want this message checked for
being spam, in an ACL variable. Then in my DATA acl, I go through this
list and use

Thanks for the messages. I didn't understand before how my setup
worked. The recipient verify worked by calling the localuser router,
and that's where I was saving the address_data using $local_part, so it
got tainted. Saving it with $local_part_data solved the problem.

From: Jeremy Harris via Exim-users
Date: Wed, 3 Jun 2020 18:15:25 +0100
> == marie@localhost R=local_user T=mail_spool defer (-6): mailbox
> /var/mail/ has wrong uid (0 != 1000)
That looks like it thinks the *mailbox* (as opposed to the
directory it lives in), is called "/var

Hi, Jeremy. This problem keeps coming up and you answer

From: Jeremy Harris via Exim-users
Date: Fri, 19 Jun 2020 13:29:00 +0100
Docs, concept index, de-tainting.
The concept "de-tainting" appears in the index, but not in the manual.
This index entry gets you to some useful locations,