SCIENTIFIC-LINUX-ERRATA Archives

January 2011

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From: Troy Dawson <[log in to unmask]>
Date: Wed, 19 Jan 2011 13:13:14 -0600
Synopsis:	Moderate: exim security update
Issue date:	2011-01-17
CVE Names:	CVE-2010-4345

A privilege escalation flaw was discovered in Exim. If an attacker were
able to gain access to the "exim" user, they could cause Exim to execute
arbitrary commands as the root user. (CVE-2010-4345)

This update adds a new configuration file, "/etc/exim/trusted-configs".
To prevent Exim from running arbitrary commands as root, Exim will now
drop privileges when run with a configuration file not listed as
trusted. This could break backwards compatibility with some Exim
configurations, as the trusted-configs file only trusts
"/etc/exim/exim.conf" and "/etc/exim/exim4.conf" by default. If you are
using a configuration file not listed in the new trusted-configs file,
you will need to add it manually.

Additionally, Exim will no longer allow a user to execute exim as root 
with the -D command line option to override macro definitions. All macro
definitions that require root permissions must now reside in a trusted
configuration file.
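The following check script is an added example and is not part of this advisory or of the Exim project: before applying the update on a host that starts Exim with a non-default configuration file, it tells you whether that file is listed in the trusted-configs file, and so whether Exim will keep or drop its privileges. The script assumes the list holds one absolute path per line with blank lines and "#" comments ignored (an assumption about the file format), and it builds a constructed copy of the list in a temporary directory so that it runs without touching /etc/exim.

```shell
#!/bin/sh
# Added example (not part of the SL advisory): check whether the configuration
# file Exim is started with appears in the trusted-configs list that this
# update introduces. All paths and file contents below are constructed.

# exim_config_trusted TRUSTED_LIST CONFIG_PATH
# Returns 0 if CONFIG_PATH is listed in TRUSTED_LIST, 1 otherwise.
# Format assumption: one path per line; blank lines and lines starting
# with '#' are skipped.
exim_config_trusted() {
    trusted_list=$1
    config_path=$2
    [ -r "$trusted_list" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        # strip leading/trailing whitespace before comparing
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$line" in
            ''|'#'*) continue ;;
        esac
        [ "$line" = "$config_path" ] && return 0
    done < "$trusted_list"
    return 1
}

# Constructed trusted-configs file mirroring the advisory's two defaults.
demo_dir=$(mktemp -d)
DEMO_TRUSTED="$demo_dir/trusted-configs"
printf '%s\n' '# constructed sample of /etc/exim/trusted-configs' \
    '/etc/exim/exim.conf' '/etc/exim/exim4.conf' > "$DEMO_TRUSTED"

# report_config TRUSTED_LIST CONFIG_PATH: print a human-readable verdict.
report_config() {
    if exim_config_trusted "$1" "$2"; then
        echo "trusted: $2 (Exim keeps its privileges with this file)"
    else
        echo "NOT trusted: $2 (Exim drops privileges; add it to $1 if intended)"
    fi
}

report_config "$DEMO_TRUSTED" /etc/exim/exim.conf
report_config "$DEMO_TRUSTED" /etc/exim/exim-custom.conf
```

On a real host, replace "$DEMO_TRUSTED" with /etc/exim/trusted-configs and the second argument with the path your init script or cron job passes to exim; a "NOT trusted" verdict means that file must be added to the list after the update, exactly as the advisory describes. The temporary directory is left behind so the demo files can be inspected.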

After installing this update, the exim daemon will be restarted 
automatically.

SL 4.x

      SRPMS:
exim-4.43-1.RHEL4.5.el4_8.3.src.rpm
      i386:
exim-4.43-1.RHEL4.5.el4_8.3.i386.rpm
exim-doc-4.43-1.RHEL4.5.el4_8.3.i386.rpm
exim-mon-4.43-1.RHEL4.5.el4_8.3.i386.rpm
exim-sa-4.43-1.RHEL4.5.el4_8.3.i386.rpm
      x86_64:
exim-4.43-1.RHEL4.5.el4_8.3.x86_64.rpm
exim-doc-4.43-1.RHEL4.5.el4_8.3.x86_64.rpm
exim-mon-4.43-1.RHEL4.5.el4_8.3.x86_64.rpm
exim-sa-4.43-1.RHEL4.5.el4_8.3.x86_64.rpm

SL 5.x

      SRPMS:
exim-4.63-5.el5_6.2.src.rpm
      i386:
exim-4.63-5.el5_6.2.i386.rpm
exim-mon-4.63-5.el5_6.2.i386.rpm
exim-sa-4.63-5.el5_6.2.i386.rpm
      x86_64:
exim-4.63-5.el5_6.2.x86_64.rpm
exim-mon-4.63-5.el5_6.2.x86_64.rpm
exim-sa-4.63-5.el5_6.2.x86_64.rpm

-Connie Sieh
-Troy Dawson
