Multiple Exim security vulnerabilities disclosed

Post Syndicated from corbet original https://lwn.net/Articles/946004/

The “Zero Day Initiative” site has posted a number of advisories (1, 2, 3, 4, 5, 6)
describing a number of flaws in the Exim mail server, some of which are
exploitable remotely. These problems, allegedly, were first reported to
the project in June 2022, well over one year ago. There is some
disagreement over the timing of events, with Exim developer Heiko
Schlittermann claiming
that no actual information was received until last May, and an anonymous
ZDI representative disputing
that story.

Either way, the vulnerabilities are now disclosed, but patches are not yet
on offer; Schlittermann said that “Fixes are available in a protected
repository and are ready to be applied by the distribution
maintainers”, so hopefully that situation will change soon.