
State of procmail [was Re: Is this the official procmail list?]

2016-08-07 09:59:02
An interesting article from 2010 on the state of procmail, the question of the meaning of "dead" open source software, and security:

https://lwn.net/Articles/416901/

"The mail delivery agent (MDA) procmail is a Linux and Unix mainstay; for years it has been the recommended solution for sorting large volume email and filtering out spam. The trouble is that it is dead, and it has been for close to a decade. Or at least that may be the problem, depending on how you look at it. The question of when (or if) to declare an open source project dead does not have a clear answer, and many people still use procmail to process email on high-capacity systems..."

"...But there are risks inherent in running abandonware, even if it was of stellar quality at the last major release. First and foremost are unfixed security flaws. Mitre.org lists two vulnerabilities affecting procmail since 2001: CVE-2002-2034, which allows remote attackers to bypass the filter and execute arbitrary code by way of specially-crafted MIME attachments, and CVE-2006-5449, which uses a procmail exploit to gain access to the Horde application framework. In addition, of course, there are other bugs that remain unfixed. Matthew G. Saroff pointed out one long-standing bug, and the procmail site itself lists a dozen or so known bugs as of 2001.

"Just as importantly, the email landscape and the system administration marketplace have not stood still since 2001, either. Ed Blackman noted that procmail cannot correctly handle MIME headers adhering to RFC 2047 (which include non-ASCII text), despite the fact that RFC 2047 dates back to 1996. RFC 2047-formatted headers are far from mandatory, but they do continue to rise in frequency."



____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)de
http://mailman.rwth-aachen.de/mailman/listinfo/procmail
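
The RFC 2047 limitation quoted above, shown as an added Python example (not part of the original post, the LWN article, or procmail): it compares a pattern match on the raw header line with the same match after RFC 2047 decoding. The sample headers, the pattern and the function names are constructed for illustration, and matching on undecoded header text is assumed as the model of a filter that does not handle RFC 2047.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# Constructed sample headers: the same subject, plain and RFC 2047 encoded.
SAMPLE_HEADERS = [
    "Subject: Invoice overdue",
    "Subject: =?UTF-8?B?SW52b2ljZSBvdmVyZHVl?=",           # base64 ("B") form
    "Subject: =?UTF-8?Q?Invoice_overdue?=",                 # quoted-printable ("Q") form
    "Subject: =?UTF-8?Q?Inv?= =?UTF-8?Q?oice_overdue?=",    # split into two encoded words
]

# Hypothetical filter pattern, as a rule author might write it.
PATTERN = re.compile(r"invoice overdue", re.IGNORECASE)


def raw_match(header_line):
    """Match against the header exactly as it appears on the wire."""
    return bool(PATTERN.search(header_line))


def decoded_match(header_line):
    """Decode RFC 2047 encoded words first, then match."""
    _, _, value = header_line.partition(":")
    value = value.strip()
    try:
        text = str(make_header(decode_header(value)))
    except (HeaderParseError, LookupError, UnicodeError):
        # Malformed encoded word or unknown charset: fall back to raw text
        # so the header is still inspected rather than skipped.
        text = value
    return bool(PATTERN.search(text))


def missed_by_raw(headers):
    """Headers that match only after decoding, i.e. what a raw filter misses."""
    return [h for h in headers if decoded_match(h) and not raw_match(h)]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"raw={raw_match(h)!s:5} decoded={decoded_match(h)!s:5} {h}")
```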