Re: [bitfolk] 21 critical Exim security issues need addressi…

Author: Adam Spiers
Date:  
To: Andy Bennett
CC: users
Subject: Re: [bitfolk] 21 critical Exim security issues need addressing
On Fri, May 07, 2021 at 11:56:21AM +0100, Andy Bennett wrote:
>Hi,
>
>>>And indeed I see the
>>>same presumably vulnerable version listed for buster here:
>>>
>>>https://packages.debian.org/search?keywords=exim4&searchon=names&exact=1&suite=all&section=all
>>>
>>>That list suggests that only sid (unstable), bullseye (testing), and
>>>buster-backports have a fix. ...
>>
>>Well that was slightly more painful than it probably should have been,
>
>There were some notes in the exim advisories (linked via the LWN
>article) that 4.94 has some data tainting protection and that this
>might need some attention when upgrading from earlier releases.

Yes, I saw that. Another case of missing information, unfortunately:

     "Your configuration needs to be reworked."

without providing anything explaining how or why it needs to be
reworked. It should not have been hard to include some pointers to
this, or perhaps a link to some documentation. The hint to add the
"allow_insecure_tainted_data" option as an alternative to reworking
the config which somehow magically avoids the taint errors is better
than nothing, but it leaves a strong taste of voodoo in the mouth.

In an ideal world, everyone would have time to read the entire exim4
documentation and become experts in exim4 configuration, but that's
not how the real world works. For such a prominent open source
project used by so many, I'd expect better communication. But don't
mind me, I just needed to vent because this derailed some of my
morning ;-)
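For readers hitting the same taint errors, here is an added illustration (not from this thread, and not Exim's own documentation) of what the "rework" typically means. It assumes Exim 4.94's router/transport syntax and a Debian-style localuser router feeding a local_delivery transport; the hypothetical before/after fragments are commented, and allow_insecure_tainted_data is shown only as the global escape hatch the advisory hints at.

```conf
# --- Main section -------------------------------------------------------
# The global "make the errors go away" switch the advisory hints at.
# It turns the taint checks off everywhere, so every place that feeds
# attacker-controlled input into a filename or command is unprotected
# again. Treat it as a stop-gap while the real rework below is done.
#
# allow_insecure_tainted_data = yes

# --- Before (hypothetical pre-4.94 transport) ---------------------------
# $local_part comes straight from the incoming SMTP envelope, so 4.94
# marks it tainted and refuses to build a filename from it:
#
# local_delivery:
#   driver = appendfile
#   file = /var/mail/$local_part

# --- After (reworked for 4.94) ------------------------------------------
# check_local_user looks the local part up in the password database.
# The looked-up copy is exposed as $local_part_data, which is untainted
# because it came from a trusted source, not from the remote client.
localuser:
  driver = accept
  check_local_user
  transport = local_delivery

local_delivery:
  driver = appendfile
  file = /var/mail/$local_part_data
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660
```

The same pattern applies to any router or transport that interpolates $local_part or $domain into paths: validate the value with a lookup (lsearch, dsearch, passwd) and use the lookup result, not the raw envelope value.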