https://bugs.exim.org/show_bug.cgi?id=2118
--- Comment #9 from Sandor Takacs <t...@alkoholista.hu> ---
(In reply to Phil Pennock from comment #8)
> A stance and a code change by Exim.
>
> (1) This is not a vulnerability in Exim. Exim trusts the local user to be
> allowed access to their own account and is not appropriate for r* restricted
> environments.
> (2) Using `--` to end option processing has been part of POSIX for over two
> decades now; code passing untrusted data to other programs should be using
> it, no excuses.
> (3) Commit f33875c3a adds the new option `commandline_checks_require_admin`
> which should probably be set in hosting environments.
> (4) This change is probably pretty clean to backport.
> (5) I will not be setting this option true by default.
>
> If this option commandline_checks_require_admin protects you, then you've
> already messed up. But Exim can provide the suspenders for when your belt
> fails. The suspenders might snap, they're new and unproven.
>
> This is change PP/04 for the future 4.90 release.

Thanks for the changes. I know that the main security problem was in Wordpress (which isn't a problem if you configure your webserver correctly), but if you can reduce the chance to utilize something, you have to do it. Thanks for it again.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
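Point (2) of the quoted comment, that `--` ends option processing so untrusted data handed to another program cannot be read as options, shown as an added example. This is not code from the thread or from Exim: the `target` function is a constructed stand-in for any getopts-style program (it only understands `-v`), and `UNTRUSTED` is a constructed input, so the effect can be demonstrated without a real MTA.

```sh
#!/bin/sh
# Constructed stand-in for an option-parsing program (an MTA's sendmail-style
# front end, for instance). It understands only -v and reports what it parsed.
target() {
    verbose=0
    OPTIND=1
    while getopts "v" opt; do
        case "$opt" in
            v) verbose=1 ;;
            *) return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    # Report what was consumed as an option versus what was left as an operand.
    printf 'verbose=%s operands=%s:%s\n' "$verbose" "$#" "$*"
}

# Vulnerable pattern: the untrusted value is passed while options are still
# being parsed, so a value beginning with '-' is consumed as an option.
unsafe_send() {
    target "$1"
}

# Hardened pattern: '--' terminates option processing (POSIX utility syntax),
# so the same value is always treated as an operand, whatever it starts with.
safe_send() {
    target -- "$1"
}

# Constructed untrusted input: a "recipient" that is really an option string.
UNTRUSTED='-v'

unsafe_send "$UNTRUSTED"   # verbose=1 operands=0:
safe_send "$UNTRUSTED"     # verbose=0 operands=1:-v
```

The same shape applies to any caller that builds an argument vector from user-controlled data: every option the caller itself wants to pass goes before the `--`, and every untrusted value goes after it.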