Bug#880905: exim4-config: Sender verification could be exploited for brute-force scan
Marc Haber
mh+debian-packages at zugschlus.de
Sun Nov 5 17:59:52 UTC 2017
On Sun, Nov 05, 2017 at 04:09:37PM +0100, Andreas Metzler wrote:
> I do not see the attacker gain, the same information can be extracted by
> trying out RCPT TO *@omega-software.com with FROM attacker at gmail.com.
Additionally, we are desperately trying to stay close to the upstream
configuration. If this is really an issue, then all non-Debian exim
installations are vulnerable as well.

What I am trying to say is, this issue should be reported and
discussed with upstream _before_ we make this change. Paul, can you do
that to make your point there?

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421