Hi, finally a follow-up.
> In one word "upvote".
>
> I am all for improved security but a single "step change" that breaks
> existing configurations is IMHO going too far.
>
> taint_mode = off | warn | enforce

    .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
    allow_insecure_tainted_data = yes
    .endif

The EDITME contains a new build time option "ALLOW_INSECURE_TAINTED_DATA", currently enabled. Using this build time option provides a new runtime option "allow_insecure_tainted_data", which turns taint errors into warnings (and spams your log file). If you do not want the warnings logged, you can use the "tainted" log selector to switch off the warnings.

The "allow_insecure_tainted_data" option is deprecated already today and future versions of Exim (no schedule yet) will ignore this option. It's purely meant as mitigation during upgrades.

I hope we can introduce this mitigation into 4.94+fixes and into the upcoming 4.95. But we need testing.

For now I'm doing the work on my own but public Exim repos:

- https://gitea.schlittermann.de/HeikoSchlittermann/exim/src/branch/exim-4.94+fixes+taintwarn
- https://git.exim.org/users/heiko/exim.git/shortlog/refs/heads/exim-4.94+fixes+taintwarn

But as soon as the work stabilizes, it will be merged into the upstream source. (For now, please expect changes in the commit history!)

Currently I'm running this on a production system without any issues so far. You're invited to do tests on your systems too.

(The above mentioned branch is cherry-picked and squashed from the "hs/wip/taintwarn" branch, which is based on the current master.)

- https://gitea.schlittermann.de/HeikoSchlittermann/exim/src/branch/hs/wip/taintwarn
- https://git.exim.org/users/heiko/exim.git/shortlog/refs/heads/hs/wip/taintwarn

Same here, please expect rewrites of the Git history, as long as I'm working on it.

Suggestions, questions, remarks are welcome.

Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/