TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

50% Positive

Analyzed from 248 words in the discussion.

Trending Topics

#https#exim#security#mta#previously#www#cve#postfix#years#ago

Discussion (14 Comments)Read Original on HackerNews

ofjcihenabout 2 hours ago
>What follows is, before anything else, a story. One of those old, well-worn ones.

Gag.

fulafelabout 1 hour ago
Previously (2023): https://www.bleepingcomputer.com/news/security/millions-of-e...

Previously (2020): https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE...

Previously (2019): https://www.cvedetails.com/vulnerability-list/vendor_id-1091...

kroabout 2 hours ago
It says coordinated distro release today, and I've received a notice earlier today but that does not include the CVE number. That's confusing / does not seem very coordinated to release 2 separate security update notices in a day.

https://lists.debian.org/debian-security-announce/2026/msg00...

aftbitabout 2 hours ago
Ok now do postfix
sys42590about 2 hours ago
Many years ago I used Exim because it was default for my distro of choice back then. But after a few emergency patchings caused by yet another RCE in Exim I learned that switching to Postfix massively improved my sleep quality.
tptacekabout 1 hour ago
There's a weird folk belief that Exim is a secure 2nd-generation MTA, but it's not; it's a 1st generation MTA, like Sendmail and Smail. The two "secure" 2nd generation MTAs are Postfix and qmail. You shouldn't use those either, really; there is no reason to run a memory-unsafe MTA, or, for that matter, an MTA that isn't backed by a real database.
loloquwowndueoabout 1 hour ago
Which one would you suggest using?

I’ve been looking at Stalwart to replace my old exim setup, wondering if it’s a reasonable choice.

kees99about 2 hours ago
Nah, go straight for qmail. Give it your best try.
rs_rs_rs_rs_rsabout 2 hours ago
The usable qmail got owned by AI already, the unusable one not yet!
tptacekabout 2 hours ago
Not by AI, but by humans awhile ago. I think Qualys weaponized a wontfix LP64 integer overflow in it just a couple years ago?
stackghostabout 2 hours ago
>The bug is a use-after-free triggered when a TLS connection is handled by GnuTLS

Color me surprised. The GNU ecosystem has had more than its fair share of CVEs over the years to the point that it's now a common trope:

https://soatok.blog/2020/07/08/gnu-a-heuristic-for-bad-crypt...