On 2023-12-30 Salvatore Bonaccorso <car...@debian.org> wrote:
> On Sat, Dec 30, 2023 at 03:40:42PM +0100, Andreas Metzler wrote:
> > are you going to release a DSA (I can start preparing one) or should I
> > aim for another stable update?
>
> We certainly can do. We have not fully evaluated yet, but it can be
> sensible that we do release via a DSA. For postfix there were enough
> mitigation options to do, so that it was good enough to schedule the
> update via a point release (and fasttrack still through a SUA, given
> the update was a bugfix release rebase).
>
> How is the situation for exim4? Are there similar workarounds which
> can be put in place e.g. like the postfix forbid_unauth_pipelining
> option?
[...]

Hello,

https://git.exim.org/exim.git/blob/5a8fc079931410b30889e69f890857b05ca8d4b2:/doc/doc-txt/cve-2023-51766
says:

8X----------------------------
Workaround
==========

Disable CHUNKING advertisement for incoming connections.
[...]
*or*

Disable PIPELINING advertisement for incoming connections.
8X----------------------------

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
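
A check for the workaround quoted above, as an added example that is not part of the original message or of the Exim advisory: it parses an EHLO reply and reports whether CHUNKING and PIPELINING are still advertised. The sample replies and host names are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample EHLO replies (not captured from a real server).
SAMPLE_DEFAULT = (
    "250-mail.example.org Hello client.example.net [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
SAMPLE_NO_CHUNKING = SAMPLE_DEFAULT.replace("250-CHUNKING\r\n", "")

_REPLY_LINE = re.compile(r"^250([ -])(.*)$")


def parse_ehlo(reply: str) -> set:
    """Return the upper-cased extension keywords of a 250 EHLO reply."""
    lines = reply.splitlines()
    if not lines:
        raise ValueError("empty reply")
    keywords = set()
    for i, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        sep, text = m.groups()
        # "250-" marks a continuation line, "250 " must be the final line.
        if (sep == " ") != (i == len(lines) - 1):
            raise ValueError("malformed multi-line reply")
        if i == 0:
            continue  # first line is the greeting, not an extension
        if text.strip():
            keywords.add(text.split()[0].upper())
    return keywords


def workaround_status(reply: str) -> dict:
    """Assumption: per the quoted text, either extension being absent suffices."""
    ext = parse_ehlo(reply)
    chunking = "CHUNKING" in ext
    pipelining = "PIPELINING" in ext
    return {
        "chunking_advertised": chunking,
        "pipelining_advertised": pipelining,
        "workaround_active": not (chunking and pipelining),
    }
```

Feed it the EHLO reply as seen by an unauthenticated incoming connection, since that is the advertisement the workaround targets.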