I'm now running on this updated version (plus I have added pledge/unveil into
lib/Amavis.pm).

On Thu, Jun 25, 2026 at 08:39:47AM +0100, Stuart Henderson wrote:
> On 2026/06/25 08:36, Stuart Henderson wrote:
> > On 2026/06/22 08:04, James J. Lippard wrote:
> > > The mail/amavisd-new port is broken in OpenBSD 7.9 and also contains
> > > the vulnerability CVE-2024-28054 (MIME boundary confusion which allows
> > > bypassing scanners for attachments). The vuln is fixed in 2.13.1 and
> > > current stable release is 2.14.0.  Attached is a unified diff that
> > > modifies Makefile and the existing patches to work on 2.14.0. (It's
> > > also possible to add a few lines to do some pledge and unveil
> > > restrictions in Amavis.pm which I'm running on my systems, but I've
> > > left that out of this minimal set of changes to make it work.)
> > > 
> > > Sent at giovanni's request since he no longer uses amavisd.
> > 
> > Updated diff below.
> 
> actually, I've just committed Johan's small fix, so we've got something
> working before the bigger change goes in. here's an updated diff taking
> that into account.

-- 
Jim Lippard        [email protected]       http://www.discord.org/
GPG Key ID: 0x99FD5CD6


Reply via email to