On 30/09/2023 at 15:27, Stuart Henderson wrote:
With OpenBSD release fast approaching and considering the lack of solid
information about the vulnerabilities, I think we should probably mark
mail/exim BROKEN for now.

And also consider whether we want to keep this in ports at all...
The response to this was much weaker than I'd expect from maintainers
of software like this (note that it is a huge setuid root binary so
it'd really be nice if they were a bit more active on that front)

Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/exim/Makefile,v
retrieving revision 1.143
diff -u -p -r1.143 Makefile
--- Makefile    26 Sep 2023 12:28:11 -0000      1.143
+++ Makefile    30 Sep 2023 12:52:52 -0000
@@ -1,3 +1,7 @@
+BROKEN =       known unfixed remote vulnerabilities, likely serious
+# https://www.openwall.com/lists/oss-security/2023/09/29/5
+# https://www.openwall.com/lists/oss-security/2023/09/29/10
+
  COMMENT-main =                flexible mail transfer agent
  COMMENT-eximon =      X11 monitor tool for Exim MTA

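Review bot: the BROKEN message on the first added line carries no pointer to the problem, while the two oss-security references sit only in Makefile comments (the next two added lines) that a user hitting the BROKEN marker during a build or via the ports tools never sees. Consider putting a reference into the string itself, e.g. `BROKEN = known unfixed remote vulnerabilities, see https://www.openwall.com/lists/oss-security/2023/09/29/5`, and replacing "likely serious" with what is actually known from those posts so the severity claim is checkable rather than a guess.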
What would marking it BROKEN solve? People upgrading to 7.4 will keep
the old version, but indeed new users won't be able to install it.

I'd prefer to see it removed, including a quirks entry with the reason,
if it's such a trashfire that it shouldn't be used.
