https://lists.debian.org/debian-security-announce/2026/msg00...

Gag.

  2025-05-01 - Vulnerability submitted to security@exim.org
  2026-05-08 - Exim maintainers notified the Distros
  2026-05-10 - Restricted Access is provided for Distros
  2026-05-12 - Public release and Coordinated distro Release

"I should retrain. Something with wood." is the appropriate German idiom for this, I guess.

Previously (2020): https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE...

Previously (2019): https://www.cvedetails.com/vulnerability-list/vendor_id-1091...

Color me surprised. The GNU ecosystem has had more than its fair share of CVEs over the years to the point that it's now a common trope:

https://soatok.blog/2020/07/08/gnu-a-heuristic-for-bad-crypt...

There's a pattern here worth noting: the riskiest attack surfaces in complex C software often aren't in the core logic but at integration boundaries — where one component (Exim) makes assumptions about object lifecycles managed by another (GnuTLS). Those boundaries require simultaneous deep familiarity with both codebases, which is cognitively expensive for humans but maps well to automated analysis.

This is also why "use a well-audited TLS library" doesn't fully transfer safety — you inherit the library's correctness guarantees only for the paths the library authors tested, not for how you call it under load or error conditions.

> Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email.

what's the significance of this? do people use this in production systems?