On Wed, Nov 07, 2007 at 08:41:00AM +0000, Dr Andrew C Aitchison wrote:
>
> [ Sorry for spamming exim-dev but I believe that the
> PCRE maintainer lurks there and not on exim-users :-]
[..]
> exim-4.68 includes pcre 7.2, which is presumably vulnerable.
>
> I suspect that within exim pcre does not parse user-supplied
> expressions, so this is not a major vulnerability, but is anyone
> in a position to confirm this, or do we need to release an updated
> version of exim ?

Well, that depends on the site's setup. Exim can put user-supplied data into the regex value (there's a string expansion target "rxquote" for that), so I can imagine there are quite a lot of potentially vulnerable systems out there.

--
Jan Srzednicki :: http://wrzask.pl/
"Remember, remember, the fifth of November" -- V for Vendetta
