https://bugs.exim.org/show_bug.cgi?id=2118
Phil Pennock <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #8 from Phil Pennock <[email protected]> ---

A stance and a code change by Exim.

(1) This is not a vulnerability in Exim. Exim trusts the local user to be allowed access to their own account and is not appropriate for r* restricted environments.

(2) Using `--` to end option processing has been part of POSIX for over two decades now; code passing untrusted data to other programs should be using it, no excuses.

(3) Commit f33875c3a adds the new option `commandline_checks_require_admin` which should probably be set in hosting environments.

(4) This change is probably pretty clean to backport.

(5) I will not be setting this option true by default. If this option commandline_checks_require_admin protects you, then you've already messed up. But Exim can provide the suspenders for when your belt fails. The suspenders might snap, they're new and unproven.

This is change PP/04 for the future 4.90 release.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev
## Exim details at http://www.exim.org/
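Point (2) of the comment, shown with a POSIX shell `getopts` parser, as an added example that is not part of the bug thread or of Exim: `deliver`, `send_unsafe` and `send_safe` are hypothetical names standing in for any option-parsing tool and its callers.

```shell
#!/bin/sh
# Added example (not Exim code): why a caller must end option processing with
# `--` before appending data it does not control. getopts stops parsing at
# `--`, exactly as the POSIX utility syntax guidelines require.

# Hypothetical tool: -f sets the envelope sender, remaining args are recipients.
deliver() {
    sender="local"
    OPTIND=1
    while getopts 'f:' opt; do
        case "$opt" in
            f) sender="$OPTARG" ;;
            *) return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    printf 'sender=%s recipients=%s\n' "$sender" "$*"
}

# Caller that forgets `--`: a user-chosen address starting with '-' is taken
# as an option, so the user silently rewrites the sender.
send_unsafe() {
    deliver "$1"
}

# Caller that uses `--`: everything after it is data, never an option.
send_safe() {
    deliver -- "$1"
}

# Constructed sample input: an address crafted to look like an option.
ADDR='-fother@example.invalid'
send_unsafe "$ADDR"   # sender=other@example.invalid recipients=
send_safe "$ADDR"     # sender=local recipients=-fother@example.invalid
```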
