
Re: [SECURITY] [DSA-2154-1] exim4 security update



I'd rather test this on my root server first, because...

On Sunday, 30.01.2011, 10:41 +0000, Stefan Fritsch wrote:
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-2154-1                  security@debian.org
> http://www.debian.org/security/                           Stefan Fritsch
> January 30, 2011                      http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
> 
[..]
> If you use the -C
> or -D options or use the system filter facility, you should evaluate
> the changes carefully and adjust your configuration accordingly.
... it could cause problems with the greylisting integration!

> The Debian default configuration is not affected by the changes.
> 
> The detailed list of changes is described in the NEWS.Debian file in
> the packages. The relevant sections are also reproduced below.
> 
> In addition to that, missing error handling for the setuid/setgid
> system calls allowed the Debian-exim user to cause root to append
> log data to arbitrary files (CVE-2011-0017).
> 
> For the stable distribution (lenny), these problems have been fixed in
> version 4.69-9+lenny3.
> 
> For the testing distribution (squeeze) and the unstable distribution
> (sid), these problems have been fixed in version 4.72-4.
> 
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
> 
> - ------------------------------------------------------------------------
> Excerpt from the NEWS.Debian file from the packages exim4-daemon-light
> and exim4-daemon-heavy:
> 
> Exim versions up to and including 4.72 are vulnerable to
> CVE-2010-4345. This is a privilege escalation issue that allows the
> exim user to gain root privileges by specifying an alternate
> configuration file using the -C option. The macro override facility
> (-D) might also be misused for this purpose.
> 
> In reaction to this security vulnerability upstream has made a number
> of user visible changes. This package includes these changes.
> 
> If exim is invoked with the -C or -D option the daemon will not regain
> root privileges though re-execution. This is usually necessary for
> local delivery, though. Therefore it is generally not possible anymore
> to run an exim daemon with -D or -C options.
> 
> However this version of exim has been built with
> TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. TRUSTED_CONFIG_LIST
> defines a list of configuration files which are trusted; if a config
> file is owned by root and matches a pathname in the list, then it may
> be invoked by the Exim build-time user without Exim relinquishing root
> privileges.
> 
> As a hotfix to not break existing installations of mailscanner we have
> also set WHITELIST_D_MACROS=OUTGOING. i.e. it is still possible to
> start exim with -DOUTGOING while being able to do local deliveries.
> 
> If you previously were using -D switches you will need to change your
> setup to use a separate configuration file. The ".include" mechanism
> makes this easy.
> 
> The system filter is run as exim_user instead of root by default.  If
> your setup requires root privileges when running the system filter you
> will need to set the system_filter_user exim main configuration
> option.
> - ------------------------------------------------------------------------
> 
> Mailing list: debian-security-announce@lists.debian.org
> 
> 
> 

-- 
Kai Moritz
Development

Phone: 0234/7090883
Mobile: 0176/20504747

E-mail: kai@coolibri.de




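The -C / -D rules quoted in the advisory, turned into a small pre-upgrade audit helper. This is an added example, not Debian's or Exim's own code: it parses an exim4 command line of the kind a greylisting or mailscanner wrapper might use and reports every option that would now make the daemon drop root. Only the two build-time settings come from the advisory; the config path names in the test and the `root_owned` hook are assumptions for illustration.

```python
import os
from typing import Callable, Iterable, List, Tuple

# Build-time settings quoted from the NEWS.Debian excerpt in the advisory.
TRUSTED_CONFIG_LIST = "/etc/exim4/trusted_configs"
WHITELIST_D_MACROS = {"OUTGOING"}


def parse_exim_args(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Collect the -C config paths and -D macro names from an exim command line.
    Attached (-C/path, -DFOO=1) and detached (-C /path) forms are both accepted."""
    configs, macros = [], []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith(("-C", "-D")):
            value = arg[2:]
            if not value and i + 1 < len(argv):  # detached form: take the next word
                i += 1
                value = argv[i]
            if arg.startswith("-C"):
                configs.append(value)
            else:
                macros.append(value.split("=", 1)[0])  # -DNAME=value -> NAME
        i += 1
    return configs, macros


def owned_by_root(path: str) -> bool:
    # True only if the file exists and its owner uid is 0 (the advisory's condition).
    try:
        return os.stat(path).st_uid == 0
    except OSError:
        return False


def keeps_root(argv: List[str], trusted: Iterable[str],
               root_owned: Callable[[str], bool] = owned_by_root) -> Tuple[bool, List[str]]:
    """A -C file keeps root only if listed in TRUSTED_CONFIG_LIST *and* owned by root;
    a -D macro only if whitelisted. Returns (still_root, reasons for every offender)."""
    configs, macros = parse_exim_args(argv)
    trusted = set(trusted)
    reasons = []
    for cfg in configs:
        if cfg not in trusted:
            reasons.append(f"-C {cfg}: not listed in {TRUSTED_CONFIG_LIST}")
        elif not root_owned(cfg):
            reasons.append(f"-C {cfg}: listed but not owned by root")
    for name in macros:
        if name not in WHITELIST_D_MACROS:
            reasons.append(f"-D{name}: not in WHITELIST_D_MACROS")
    return not reasons, reasons
```

Run it against the exact argument vector from each init script or wrapper on the host; an empty reasons list means the invocation keeps local delivery working after the update, anything else needs the ".include" rework the advisory describes.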