On 30/09/2023 15:37, Theo de Raadt wrote:
Stuart Henderson <s...@spacehopper.org> wrote:

With OpenBSD release fast approaching and considering the lack of solid
information about the vulnerabilities, I think we should probably mark
mail/exim BROKEN for now.

That's almost too kind.

This is not the first time that exim security issues are discovered just before an OpenBSD release. This time, removing a feature in the build solves one of the biggest issues, but not everything. For example, there is an issue in one of the libraries exim uses. Some fixes are already available but are somehow kind of embargoed (not that I find any kind of embargo on security fixes a good idea at all). They are supposed to be made public in something like 2 weeks.

I don't know what is the best step to take. I don't think marking it as broken is really the best idea, just as Solène said.
So in my mind, the choices are
- we completely remove that port because OpenBSD is security focused
- we wait until 4.97 with fixes is released
- we publish a version without the affected feature now (although that will reveal to everyone where the problem is, might break some installations and is probably not enough anyway)
