Dead.Letter (CVE-2026-45185) – How XBOW found an unauthenticated RCE on Exim(xbow.com)
52 pointsby fedek_6 hours ago7 comments
  • kro5 hours ago
    It says coordinated distro release today, and I've received a notice earlier today but that does not include the CVE number. That's confusing / does not seem very coordinated to release 2 separate security update notices in a day.

    https://lists.debian.org/debian-security-announce/2026/msg00...

  • eqvinox30 minutes ago
    I'm sorry but what the f is that timeline? (Condensed to relevant notifications:)

      2025-05-01 - Vulnerability submitted to security@exim.org
  2026-05-08 - Exim maintainers notified the Distros
  2026-05-10 - Restricted Access is provided for Distros
  2026-05-12 - Public release and Coordinated distro Release
    4 (2 really) days for distros, and then nothing, zero, zilch, nada between "Coordinated distro Release" and "Public release"?

    "I should retrain. Something with wood." is the appropriate German idiom for this, I guess.

  • ofjcihen6 hours ago
    >What follows is, before anything else, a story. One of those old, well-worn ones.

    Gag.

    • AntiUSAbah3 hours ago
      No reason to be a dick.

      He writes a full blog post, takes time and effort to do so, and you quit it with 'Gag'.

      Get a grip

      • somat2 hours ago
        I suspect the revulsion is that he did not write a full blog post, the time and effort was not consumed, instead there was an engine that did it for him. At which point interest drops significantly.

        I too suffer from lack of interest in machine written posts. but the real sociological problem is because it is hard to tell the difference, disinterest turns into paranoia. And this hurts everyone.

        However in this case, the article in question does not read like machine written, so perhaps the revulsion was just over the hyperbolic tone.

      • ofjcihen2 hours ago
        Nah I’m just sick of the melodramatic style of writing that seems to pervade all of the major tech blogs and companies now.

        These people write like they picture themselves as sages describing the end times to scared children.

        • plorg2 hours ago
          Yeah, that extremely purple paragraph about how the blog was documenting that liminal period where humans worked together with AI as partners was embarrassing.
        • AntiUSAbah2 hours ago
          And? then keep it for yourself. Why do i have to read your ignorant comment?

          You complain about their writing style, no one forced you to read, which you could summarize with an AI if you even cared for the conent but no.

          And i read A LOT and i do not come across this writing style at all.

          • Twirrim11 minutes ago
            >And? then keep it for yourself. Why do i have to read your ignorant comment?

            On a site dedicated to commenting on articles? I think you have a misunderstanding of how HN works. People (hopefully) read the article and share uninformed^H informed opinions on the article.

            That has always included critique of the way that the content is written.

            In this case, very valid critique. I'm astounded you're somehow managing to read "A LOT" and not run into it regularly. At least we seem to be moving away from the absolutely awful "I'm a crazy frat bro" style of writing where it feels like half the action sentences should be appended with "because I'm crazy!" that was spreading far too far and wide (hopefully because it's hard to coax AI into that style.)

          • otterley2 hours ago
            Hey, knock it off. If you disagree with someone, be polite.
          • ofjcihen2 hours ago
            > then keep it for yourself.

            Nah.

  • aftbit6 hours ago
    Ok now do postfix
    • sys425905 hours ago
      Many years ago I used Exim because it was default for my distro of choice back then. But after a few emergency patchings caused by yet another RCE in Exim I learned that switching to Postfix massively improved my sleep quality.
      • tptacek5 hours ago
        There's a weird folk belief that Exim is a secure 2nd-generation MTA, but it's not; it's a 1st generation MTA, like Sendmail and Smail. The two "secure" 2nd generation MTAs are Postfix and qmail. You shouldn't use those either, really; there is no reason to run a memory-unsafe MTA, or, for that matter, an MTA that isn't backed by a real database.
        • aftbit2 hours ago
          I run postfix in a receive-only mode to power inbound email processing. I'm very very glad there's no database requirement. It just passes the processing of inbound emails to a filter over stdin, which can do whatever it wants with databases or whatever it needs.
        • loloquwowndueo4 hours ago
          Which one would you suggest using?

          I’ve been looking at Stalwart to replace my old exim setup, wondering if it’s a reasonable choice.

          • tptacek4 hours ago
            If security is your concern, Stalwart seems like a fine option, almost certainly better than Postfix.
        • 4 hours ago
          undefined
    • kees996 hours ago
      Nah, go straight for qmail. Give it your best try.
      • rs_rs_rs_rs_rs5 hours ago
        The usable qmail got owned by AI already, the unusable one not yet!
        • tptacek5 hours ago
          Not by AI, but by humans awhile ago. I think Qualys weaponized a wontfix LP64 integer overflow in it just a couple years ago?
          • rs_rs_rs_rs_rs5 hours ago
            The Calif people found a nice bug in a qmail fork(what I consider usable qmail) some weeks ago.
            • tptacek5 hours ago
              Right, and that fork is the only version of qmail people still run, and the bug they found was extremely funny given Bernstein's original qmail design (it was, if I remember right, a popen(3) vulnerability --- something that never would have showed up in Bernstein's code, but that's what happens when code gets abandoned, it gets picked up by people who don't really understand it). But it's hard to charge that vulnerability against the original qmail design.

              (I don't think anyone should run qmail.)

              • adrian_b2 hours ago
                Actually the original qmail still works fine.

                However it has some compatibility problems with modern practices, the most significant being that it does not know TLS.

                Having to use TLS is the main reason for running a qmail fork instead of the original.

                • eqvinox35 minutes ago
                  "works fine" and "has some compatibility problems" is a little bit of an oxymoron... I understand what you're trying to say, but that does mean it's essentially unusable, despite "working fine".
  • stackghost5 hours ago
    >The bug is a use-after-free triggered when a TLS connection is handled by GnuTLS

    Color me surprised. The GNU ecosystem has had more than its fair share of CVEs over the years to the point that it's now a common trope:

    https://soatok.blog/2020/07/08/gnu-a-heuristic-for-bad-crypt...

  • nhattruongadm4 hours ago
    [flagged]