Todd Lyons wrote, on 28/05/14 14:25:
> This issue is known by the CVE ID of CVE-2014-2957, was reported
> directly to the Exim development team by a company which uses Exim for
> its mail server. An Exim developer constructed a small patch which
> altered the way the contents of the From header is parsed by converting
> it to use safer and better internal functions. It was applied and
> tested on a production server for correctness. We were notified of the
> vulnerability Friday night, created a patch on Saturday, applied and
> tested it on Sunday, notified OS packagers on Monday/Tuesday, and are
> releasing on the next available work day, which is Wednesday.

Reading the diff... besides the improved coding, was this the same issue also fixed by http://bugs.exim.org/show_bug.cgi?id=1433 ?

The CVE number is not accessible yet.

Greetings, Wolfgang
--
Wolfgang Breyha <wbre...@gmx.net> | http://www.blafasel.at/
Vienna University Computer Center | Austria

-- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##