Since we're coming up to release (where we have to maintain it for
another 6 months), I thought I'd revisit this. History of security
issues + setuid root is a terrible combo.

Are there any strong reasons to keep exim in ports? If not, ok to remove?

----- Forwarded message from Stuart Henderson <stu@spacehopper.org> -----

From: Stuart Henderson <stu@spacehopper.org>
Date: Mon, 19 Aug 2024 15:13:40 +0100
Subject: Re: exim SIGSEGV on TLS connections on latest amd64 snapshot

On 2024/08/19 15:26, Theo Buehler wrote:
<snip>
> While it is impossible to be sure where exactly the bug lies, it sure
> looks as if exim had another pretty bad bug in a release. The diff
> doesn't show much information since it's mostly pointless churn.
>
> I think it is about time to seriously consider removing exim from the
> ports tree for good.

That would be OK with me. Of course people can still fetch from the
Attic and build themselves if they really need it, but the extra steps
needed for that (+ OS updates) will increase the motivation to port the
config across to another MTA.

<snip>

----- End forwarded message -----

---------------------
PatchSet 215
Date: 2025/12/18 21:39:26
Author: tb
Branch: HEAD
Tag: (none)
Log:
Security update to exim 4.99.1 from maintainer

1. Incomplete SQL injection fix - CVE-2025-26794's patch doesn't escape single quotes
2. Heap buffer overflow - Unvalidated database field used as array bound (NEW)

https://code.exim.org/exim/exim/src/commit/d46a6727798fc48d1756190a6d46d19216348c25/doc/doc-txt/exim-security-2025-12-09.1/report.txt

Is it finally time to take this behind the barn?

Members:
	Makefile:1.156->1.157
	distinfo:1.52->1.53

---------------------