With OpenBSD release fast approaching and considering the lack of solid information about the vulnerabilities, I think we should probably mark mail/exim BROKEN for now.
And also consider whether we want to keep this in ports at all... The response to this was much weaker than I'd expect from maintainers of software like this (note that it is a huge setuid root binary so it'd really be nice if they were a bit more active on that front) Index: Makefile =================================================================== RCS file: /cvs/ports/mail/exim/Makefile,v retrieving revision 1.143 diff -u -p -r1.143 Makefile --- Makefile 26 Sep 2023 12:28:11 -0000 1.143 +++ Makefile 30 Sep 2023 12:52:52 -0000 @@ -1,3 +1,7 @@ +BROKEN = known unfixed remote vulnerabilities, likely serious +# https://www.openwall.com/lists/oss-security/2023/09/29/5 +# https://www.openwall.com/lists/oss-security/2023/09/29/10 + COMMENT-main = flexible mail transfer agent COMMENT-eximon = X11 monitor tool for Exim MTA
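Review bot: The BROKEN line added at the top of the Makefile gives a reason ("known unfixed remote vulnerabilities, likely serious") but states no condition for removing it. The two oss-security URLs in the comments identify the reports, so a one-line comment next to them saying the marker should be dropped once upstream ships a release that addresses those reports would keep it from lingering after a fix lands. BROKEN is also set unconditionally above both COMMENT-main and COMMENT-eximon, so it covers the eximon subpackage as well as the MTA itself. If that is intended, it is worth saying so in the commit message.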