Re: [Exim-Security] [oss-security] Exim < 4.95 heap overflow

[Roxana Bradescu <roxxbee () gmail com>]

Thank you for the clarification and we sincerely appreciate all the efforts the Exim project team!

—
Regards, Roxana


> On Aug 10, 2022, at 7:44 AM, Graeme Fowler <graeme+osssec () graemef net> wrote:
>
> On 7 Aug 2022, at 16:39, Roxana Bradescu via Security <security () exim org> wrote:
> > Adding the Exim security folks to this thread to shed some light on the original report and CVE discussion.
>
> Responding separately to each list...
>
> The Exim developers don't use github to track bugs, there is a bugzilla instance used for that which is detailed on 
> the Github Readme.pod page.
>
> This issue (and others) weren't "silently fixed"; they were openly tracked in Bugzilla, and an example is here:
>
> https://bugs.exim.org/show_bug.cgi?id=2747 (fixing the observed issue in this thread).
>
> The pages detailing CVEs were regularly updated by a developer who is no longer involved. These have not been updated 
> since 2019 as you observe, yet there have been 23 CVEs addressed by the developers. These are fairly easy to find 
> using your favourite CVE tracker.
>
> The development process - excepting times when a CVE has been allocated - is pretty open and easy to find, as all the 
> commits are in the Git repo and bugzilla updates are mirrored into the exim-dev mailing list, often including the 
> commit also.
>
> Regards
>
> Graeme
> (wearing my exim mailing list admin hat)

Attachment: signature.asc
Description: Message signed with OpenPGP