During the scramble to release the security fix Exim 4.82.1, I made a few rookie mistakes. One of those was not giving attribution to those who discovered and reported the vulnerability to us.
Two employees of Imperial College London, David Stockdale and Matt Hubbard, analyzed a problem they were seeing, and realized that it was caused by a function which could be tricked into doing macro expansion. They acted responsibly and notified an Exim developer directly. The Exim team worked to design and test a patch to fix the problem, verified the fix was correct, tested it (in this case, testing was able to be done on a production deployment), and released notifications. We would like to publicly thank David and Matt for doing responsible disclosure to us so that we could handle it rapidly and still have enough time for adequate testing.

...Todd

--
The total budget at all receivers for solving senders' problems is $0. If you want them to accept your mail and manage it the way you want, send it the way the spec says to. --John Levine

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
