Your message dated Thu, 11 Apr 2019 19:16:55 +0200
with message-id <[email protected]>
and subject line Re: Bug#854995: config comment says docs contain info about a
security issue but they don't
has caused the Debian Bug report #854995,
regarding config comment says docs contain info about a security issue but they
don't
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
854995: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854995
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: exim4
Version: 4.88-5
Severity: minor
Debian (not upstream) has this comment in 40_exim4-config_check_data in
reference to an example config which enables spamassassin.
# Please note that this is only suiteable as an example. There are
# multiple issues with this configuration method. For example, if you go
# this way, you'll give your spamassassin daemon write access to the
# entire exim spool which might be a security issue in case of a
# spamassassin exploit.
#
# See the exim docs and the exim wiki for more suitable examples.
This clearly implies that exim docs or the exim wiki have something
about dealing with the example security issue. They don't. Exim docs
suggest doing the same thing as this example with regard to spamassassin
access to the exim spool, except for excluding mail which is too big and
would cause performance problems or failures if sent to spamassassin.
This leads to people like me spending a fair bit of time reading all the
exim documentation that mentions spamassassin with the false expectation
of finding something which is not there.
I also did not turn up any discussion of this issue with a few web
searches.
If I missed something, clarify the comment.
If not, reword and move the "for example ..." sentence outside the
context of "the solution is the docs", and directly state how someone
could deal with this issue. The only obvious thing to me is that you can
exclude classes of mail from going to spamassassin, so you might
classify and exclude security sensitive mail. For example, mail from
[email protected] which could inform the
user in the case of a security exploit in spamassassin.
--- End Message ---
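An ACL fragment showing the exclusion the report above suggests (skipping the spam check for security-announcement mail, and for oversized messages as the exim docs recommend). This is an added example, not text from Debian's 40_exim4-config_check_data or from the later README.Debian; the sender address, the 512k limit and the per-user name "nobody" are assumptions.

```exim
# Added example (not Debian's own configuration). Assumptions: the sender
# address is a placeholder, 512k is an arbitrary size cap, and "nobody" is
# the SpamAssassin per-user preference name handed to spamd, not the
# account spamd runs as.
warn
  # Keep security-announcement mail away from the scanner, so a compromised
  # scanner cannot read or alter the very mail that would warn about it.
  # $sender_address is trivially forged: this only keeps genuine
  # announcements out of the scanner, it must never be used to trust mail.
  condition = ${if eq{$sender_address}{security-announce@example.invalid}{no}{yes}}
  # The exim docs exclude large messages, which scan slowly or fail.
  condition = ${if <{$message_size}{512k}}
  # ":true" makes the condition succeed for ham as well, so the headers
  # below are always added when scanning actually ran.
  spam = nobody:true
  add_header = X-Spam_score: $spam_score\n\
               X-Spam_bar: $spam_bar
```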
--- Begin Message ---
Version: 4.92-5
On 2017-02-13 Ian Kelling <[email protected]> wrote:
> Package: exim4
> Version: 4.88-5
> Severity: minor
> Debian (not upstream) has this comment in 40_exim4-config_check_data in
> reference to an example config which enables spamassassin.
> # Please note that this is only suiteable as an example. There are
> # multiple issues with this configuration method. For example, if you go
> # this way, you'll give your spamassassin daemon write access to the
> # entire exim spool which might be a security issue in case of a
> # spamassassin exploit.
> #
> # See the exim docs and the exim wiki for more suitable examples.
> This clearly implies that exim docs or the exim wiki have something
> about dealing with the example security issue. They don't. Exim docs
[...]
> If not, reword and move the "for example ..." sentence outside the
[...]
Hello,
this was fixed in 4.92-5 as part of this change:
Improved spam-scanning example with accompanying information in
README.Debian. Explicitly warn about adding the default
SpamAssassin report in a header, which Closes: #774553
https://salsa.debian.org/exim-team/exim4/commit/486aa5e7f6712c9bf3a3724276b9962ccf7c6b05
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
--- End Message ---