We sent email to <email address hidden> and got the following response, but we don't agree that this is an intentionally made.
This patch appears to be outside the scope of CVE. For issues of this type, the scope of CVE is limited to unintentional implementation mistakes. Here, the vendor intentionally did not do a hostname check because (quoting http://bugs.exim.org/show_bug.cgi?id=1479#c2) "Exim is an MTA, there has been no sane approach to determining a hostname suitable for verification of certificate identity." The vendor went on to implement a useful security enhancement in response to your report.
This is a very good outcome, but security enhancements are not assigned CVE-IDs.
We sent email to <email address hidden> and got the following response, but we don't agree that this is an intentionally made.
This patch appears to be outside the scope of CVE. For issues of this type, the scope of CVE is limited to unintentional implementation mistakes. Here, the vendor intentionally did not do a hostname check because (quoting http:// bugs.exim. org/show_ bug.cgi? id=1479# c2) "Exim is an MTA, there has been no sane approach to determining a hostname suitable for verification of certificate identity." The vendor went on to implement a useful security enhancement in response to your report.
This is a very good outcome, but security enhancements are not assigned CVE-IDs.