Foldi Tamas <crowat_private> probably said:

> All of the downloadable versions are still buggy, and I can't understand
> why does it recommend the main-main-developer to paste '%s' into the
> source code.

As I said before, the author was on vacation. There is a testing version with this fix available now. The official release is waiting on some work on another bugfix. This problem only affects batch SMTP, which means only someone with an account on the machine can cause problems with it. Not good, but better than a remote exploit.

> At the moment, we know another 'ugly' bug in the exim main code, but
> because of your tone it's not published. I can't understand, why do
> you use this tone against people, who audit your shitty code, which
> has some errors in it.

*sigh* This gets hashed over in bugtraq every so often. Go read the archives for the hundreds of messages listing how impolite and rude it is to announce a problem without informing the producers of the software and giving them time to release a fixed version if they respond well. Announcing something to bugtraq like that without letting the author get a patched version out and the OSen that release exim as the default MTA or as a packaged alternative get fixed releases out was obnoxious. Full disclosure is a good thing; dealing with full disclosure in a responsible and reasonable manner is also a good thing.

> These values are defaults in most linuxes.

There is more to the world than linux. How the various linux distributions choose to package exim is not "the default".

> On default linuxes exim is installed with setuid root. We speak about
> the default install. The exim main source code has lot of setuid() calls,
> so it's developed for root usage also.

Linux packages are not "the default install", and being suid root does not mean it runs as root all the time.

The security section in the specification lists the possible uses of exim as suid root, suid something else, running as root most of the time (not recommended) or not. It is entirely possible (and allowed for in one of the security settings) to never run as root (beyond being started as root once to bind to port 25), not be suid root and never have root privs. No one with any sense should be running an MTA with root privs when it is accepting SMTP input, be it port 25 or batch SMTP, whatever the defaults are for a random package.

P.
--
pir pirat_private pirat_private
This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 14:06:06 PDT