Quoting Adam Borowski ([email protected]):

> Note: there indeed was one security vulnerability, but it was discovered in
> 2014, while all the "it's dead" brouhaha happened years before.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3618

It's a heap-based buffer overflow in /usr/bin/formail (specifically in formisc.c). The threat model is a bit far-fetched, IMO. (Normally, LDA handling only rarely involves formail, which is a filter for munging messages.) Distros immediately patched it.

AFAIK, basically instead of a single upstream, there is timely maintenance by various distributions. Which makes the 'Oh noes! procmail isn't safe!' noises a bit exaggerated.

https://serverfault.com/questions/876336/is-it-safe-to-use-procmail-in-2017
