alt.hn

5/12/2026 at 5:52:34 PM

Dead.Letter (CVE-2026-45185) – How XBOW found an unauthenticated RCE on Exim

 https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim

by fedek_

5/12/2026 at 6:39:18 PM

It says coordinated distro release today, and I've received a notice earlier today but that does not include the CVE number. That's confusing / does not seem very coordinated to release 2 separate security update notices in a day.

https://lists.debian.org/debian-security-announce/2026/msg00...

by kro

5/13/2026 at 6:28:11 AM

Yes, this was weird.

I saw that announcement yesterday, went through the list of fixed issues and decided to wait with the upgrade since none of them were relevant for me.

If I haven't just seen this on the second page of HN I would have probably deferred this upgrade for a few more days.

by avian

5/12/2026 at 9:08:25 PM

That mentions 4.98.2-1+deb13u2, and its changelog has:

    exim4 (4.98.2-1+deb13u2) trixie-security; urgency=high
    
      * Backport fix for Use-After-Free in GnuTLS BDAT/CHUNKING code path.
        This is Exim-Security-2026-05-01.1, fixed upstream in 4.99.3.
    
     -- Andreas Metzler <ametzler@debian.org>  Mon, 11 May 2026 19:14:46 +0200
The ID is now in the CVE database, but it was missing from the upstream advisory, too: https://exim.org/static/doc/security/EXIM-Security-2026-05-0...

Not ideal, but at least we got the fix.

by fweimer

5/12/2026 at 6:10:55 PM

>What follows is, before anything else, a story. One of those old, well-worn ones.

Gag.

by ofjcihen

5/13/2026 at 3:22:09 AM

> also it is, more quietly, the account of how I tried to make peace with the new shape of the world we are now living in.

by gwern

5/12/2026 at 9:11:12 PM

[flagged]

by AntiUSAbah

5/12/2026 at 9:32:23 PM

I suspect the revulsion is that he did not write a full blog post, the time and effort was not consumed, instead there was an engine that did it for him. At which point interest drops significantly.

I too suffer from lack of interest in machine written posts. but the real sociological problem is because it is hard to tell the difference, disinterest turns into paranoia. And this hurts everyone.

However in this case, the article in question does not read like machine written, so perhaps the revulsion was just over the hyperbolic tone.

by somat

5/12/2026 at 9:39:19 PM

Nah I’m just sick of the melodramatic style of writing that seems to pervade all of the major tech blogs and companies now.

These people write like they picture themselves as sages describing the end times to scared children.

by ofjcihen

5/12/2026 at 9:41:56 PM

Yeah, that extremely purple paragraph about how the blog was documenting that liminal period where humans worked together with AI as partners was embarrassing.

by plorg

5/12/2026 at 9:40:55 PM

And? then keep it for yourself. Why do i have to read your ignorant comment?

You complain about their writing style, no one forced you to read, which you could summarize with an AI if you even cared for the conent but no.

And i read A LOT and i do not come across this writing style at all.

by AntiUSAbah

5/13/2026 at 12:58:00 AM

Complaining about someone's comment is inconsistent with your world view, if complaining about a blogger's writing style is verboten.

by linkregister

5/12/2026 at 11:36:10 PM

>And? then keep it for yourself. Why do i have to read your ignorant comment?

On a site dedicated to commenting on articles? I think you have a misunderstanding of how HN works. People (hopefully) read the article and share uninformed^H informed opinions on the article.

That has always included critique of the way that the content is written.

In this case, very valid critique. I'm astounded you're somehow managing to read "A LOT" and not run into it regularly. At least we seem to be moving away from the absolutely awful "I'm a crazy frat bro" style of writing where it feels like half the action sentences should be appended with "because I'm crazy!" that was spreading far too far and wide (hopefully because it's hard to coax AI into that style.)

by Twirrim

5/13/2026 at 8:23:50 AM

Its not valid critique at all.

And its disrespectful to people who create proper content and do the work.

by AntiUSAbah

5/12/2026 at 10:01:34 PM

Hey, knock it off. If you disagree with someone, be polite.

by otterley

5/12/2026 at 9:43:06 PM

> then keep it for yourself.

Nah.

by ofjcihen

5/13/2026 at 4:33:57 AM

I've vouched no less than four reasonable comments under this post. Was there a mass flagging campaign?

by tardedmeme

5/12/2026 at 11:16:59 PM

I'm sorry but what the f is that timeline? (Condensed to relevant notifications:)

  2025-05-01 - Vulnerability submitted to security@exim.org
  2026-05-08 - Exim maintainers notified the Distros
  2026-05-10 - Restricted Access is provided for Distros
  2026-05-12 - Public release and Coordinated distro Release
4 (2 really) days for distros, and then nothing, zero, zilch, nada between "Coordinated distro Release" and "Public release"?

"I should retrain. Something with wood." is the appropriate German idiom for this, I guess.

by eqvinox

5/12/2026 at 7:31:36 PM

Previously (2023): https://www.bleepingcomputer.com/news/security/millions-of-e...

Previously (2020): https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE...

Previously (2019): https://www.cvedetails.com/vulnerability-list/vendor_id-1091...

by fulafel

5/12/2026 at 11:09:34 PM

What are you actually trying to say with these links?

by eqvinox

5/13/2026 at 3:56:22 AM

That Exim seems to have a relatiely high density of RCE vulnerabilities that are being made public regularly.

(The track record is considerably worse than other widely used Unix MTAs, roughly on par with MS Exchange.)

by fulafel

5/13/2026 at 2:20:59 AM

"No way to prevent this!" say users of only language where this regularly happens.

by chadgpt1

5/12/2026 at 6:05:14 PM

Ok now do postfix

by aftbit

5/12/2026 at 6:54:40 PM

Many years ago I used Exim because it was default for my distro of choice back then. But after a few emergency patchings caused by yet another RCE in Exim I learned that switching to Postfix massively improved my sleep quality.

by sys42590

5/12/2026 at 7:06:41 PM

There's a weird folk belief that Exim is a secure 2nd-generation MTA, but it's not; it's a 1st generation MTA, like Sendmail and Smail. The two "secure" 2nd generation MTAs are Postfix and qmail. You shouldn't use those either, really; there is no reason to run a memory-unsafe MTA, or, for that matter, an MTA that isn't backed by a real database.

by tptacek

5/12/2026 at 9:51:00 PM

I run postfix in a receive-only mode to power inbound email processing. I'm very very glad there's no database requirement. It just passes the processing of inbound emails to a filter over stdin, which can do whatever it wants with databases or whatever it needs.

by aftbit

5/13/2026 at 2:34:32 AM

The problem with qmail is, everybody use a fork. No body use the real thing.

The official release is not standard compliance. It does not support anything modern spam filter need. It don't get new updates or features. It have funny license.

You can use a fork... but I need to ask: which fork?

by j16sdiz

5/12/2026 at 7:28:25 PM

Which one would you suggest using?

I’ve been looking at Stalwart to replace my old exim setup, wondering if it’s a reasonable choice.

by loloquwowndueo

5/13/2026 at 7:35:15 AM

Another memory-safe option is Haraka, which I’ve been using for several years now. I recommend it but only for people who need extreme customizability. For everyone else, the customizability is a bit of a footgun, since you can easily end up with accidental open relays and other misconfigurations (as I learned the hard way).

by comex

5/12/2026 at 7:36:18 PM

If security is your concern, Stalwart seems like a fine option, almost certainly better than Postfix.

by tptacek

5/12/2026 at 6:11:47 PM

Nah, go straight for qmail. Give it your best try.

by kees99

5/12/2026 at 6:29:17 PM

The usable qmail got owned by AI already, the unusable one not yet!

by rs_rs_rs_rs_rs

5/12/2026 at 6:54:13 PM

Not by AI, but by humans awhile ago. I think Qualys weaponized a wontfix LP64 integer overflow in it just a couple years ago?

by tptacek

5/12/2026 at 7:06:43 PM

The Calif people found a nice bug in a qmail fork(what I consider usable qmail) some weeks ago.

by rs_rs_rs_rs_rs

5/12/2026 at 7:09:28 PM

Right, and that fork is the only version of qmail people still run, and the bug they found was extremely funny given Bernstein's original qmail design (it was, if I remember right, a popen(3) vulnerability --- something that never would have showed up in Bernstein's code, but that's what happens when code gets abandoned, it gets picked up by people who don't really understand it). But it's hard to charge that vulnerability against the original qmail design.

(I don't think anyone should run qmail.)

by tptacek

5/12/2026 at 9:59:26 PM

Actually the original qmail still works fine.

However it has some compatibility problems with modern practices, the most significant being that it does not know TLS.

Having to use TLS is the main reason for running a qmail fork instead of the original.

by adrian_b

5/12/2026 at 11:11:33 PM

"works fine" and "has some compatibility problems" is a little bit of an oxymoron... I understand what you're trying to say, but that does mean it's essentially unusable, despite "working fine".

by eqvinox

5/12/2026 at 6:47:50 PM

>The bug is a use-after-free triggered when a TLS connection is handled by GnuTLS

Color me surprised. The GNU ecosystem has had more than its fair share of CVEs over the years to the point that it's now a common trope:

https://soatok.blog/2020/07/08/gnu-a-heuristic-for-bad-crypt...

by stackghost

5/13/2026 at 2:22:18 AM

If you read the rest of the post, gnutls wasn't the cause.

by chadgpt1

5/12/2026 at 7:37:27 PM

The finding method is almost as interesting as the bug itself. XBOW is an AI-based offensive security tool, and UAF bugs at library integration points are exactly the kind of thing that slips past human code review — reviewers focus on protocol logic, not on what happens to object lifetimes when a TLS session tears down mid-flight in an error path.

There's a pattern here worth noting: the riskiest attack surfaces in complex C software often aren't in the core logic but at integration boundaries — where one component (Exim) makes assumptions about object lifecycles managed by another (GnuTLS). Those boundaries require simultaneous deep familiarity with both codebases, which is cognitively expensive for humans but maps well to automated analysis.

This is also why "use a well-audited TLS library" doesn't fully transfer safety — you inherit the library's correctness guarantees only for the paths the library authors tested, not for how you call it under load or error conditions.

by nhattruongadm

5/13/2026 at 12:26:38 AM

Never heard of Exim, I'm just realizing what it is:

> Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email.

what's the significance of this? do people use this in production systems?

by alpb

5/13/2026 at 12:44:11 AM

Exim is apparently the largest email server these days... it used to be postfix, but with most people using Gmail or 365, running your own email seems to be an afterthought. /shrug

by nubinetwork

5/13/2026 at 12:44:02 AM

I had the exact same reaction - never heard of this.

by hjilk