There has been found a security problem in all exim versions prior to 4.21. Perhaps we should apply the patch in the stable version of the ebuild to provide stable-users security?

The bug report can be found here: http://www.exim.org/pipermail/exim-users/Week-of-Mon-20030811/057720.html

A minor security problem has been found in Exim 3 and 4 (many thanks to Nick Cleaton). The bug is not thought to be exploitable, but one can never be absolutely certain. The bug is fixed in Exim 4.21, which I have just released. Patches for Exim 4.20 and Exim 3.36 are below. For other releases, these patches may also work, or can be trivially adapted if the patch program has problems with the line numbers. The actual code in question has hardly changed for many years.

Reproducible: Always
[Security dept.: The patches are at the URL if you are confused] Forwarding on to security dept.
exim-4.21 is now in portage, including ipv6 support. exiscan has been deprecated. exiscan-acl is now the only choice. 4.20 and 3.36 still need the patches added.
exim-4.22 has been added to portage. I will be adding the patch for 3.36, but as we have a newer version of exim available I think it would be wise to make 4.22 stable after we get a couple more "this one works fine" reports.
Okay... I take that back. I thought we still had a 3.x build in portage. Guess we don't ;)
Could anyone tell how long it would take to get a fixed stable version?
This bug is now on bugtraq and major news sites (heise.de). I think we should definitely get a stable ebuild, either with patch or with 2.4.21. Also a GLSA would be in need, I think.
Bugs have been fixed (thanks to Nick raker@gentoo.org). A GLSA was sent: http://forums.gentoo.org/viewtopic.php?t=84447 Changing resolution to FIXED.