> After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly disclose these bugs, at which time we were told, "you do what you do."
One of these requires having the spa challenge authentication method active, which concerns NTLM passwords. I’m going to guess that approximately zero currently running exim mailservers are using this authentication method. It’s not even mentioned in the default Debian configuration files.
Another is a stack overflow, which will hopefully be caught be the stack-protector hardening on Debian/Ubuntu.
Which leaves the worst of them - the buffer overflow :(
3 comments
[ 3.0 ms ] story [ 272 ms ] threadother: https://security-tracker.debian.org/tracker/CVE-2023-42115
> After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly disclose these bugs, at which time we were told, "you do what you do."
Another is a stack overflow, which will hopefully be caught be the stack-protector hardening on Debian/Ubuntu.
Which leaves the worst of them - the buffer overflow :(