Re: [SECURITY] [DSA-2154-1] exim4 security update

To: debian-security@lists.debian.org
Cc: Dario Ernst <reply@nebuk.de>
Subject: Re: [SECURITY] [DSA-2154-1] exim4 security update
From: Stefan Fritsch <sf@sfritsch.de>
Date: Sun, 30 Jan 2011 20:42:26 +0100
Message-id: <[🔎] 201101302042.26564.sf@sfritsch.de>
In-reply-to: <[🔎] 20110130141151.GH17847@dyn.kanojo.de>
References: <E1PjUjG-00024b-RF@chopin.debian.org> <[🔎] 20110130141151.GH17847@dyn.kanojo.de>

On Sunday 30 January 2011, Dario Ernst wrote:
> If i am not using -D or -C anywhere in my exim setup (e.g. using
> the debian default initscripts and have not added any of those
> options in /etc/default/exim4) and installed the update ... am i
> okay to go with that?
> 
> Sorry for asking those stupid questions, but the instructions are a
> little ambiguous there...

Yes, that's what I meant with "The Debian default configuration is not 
affected by the changes". How would you have worded it to be less 
ambigous?

> On Sun, Jan 30, 2011 at 10:41:58AM +0000, Stefan Fritsch wrote:
> > A design flaw (CVE-2010-4345) in exim4 allowed the loal
> > Debian-exim user to obtain root privileges by specifying an
> > alternate configuration file using the -C option or by using the
> > macro override facility (-D option).
> > ....
> > 
> >  The Debian default configuration is not affected by the changes.

Cheers,
Stefan

Reply to:

References:
- Re: [SECURITY] [DSA-2154-1] exim4 security update
  - From: Dario Ernst <reply@nebuk.de>

Prev by Date: Re: [SECURITY] [DSA-2154-1] exim4 security update
Next by Date: regression in exim4 DSA-2154-1
Previous by thread: Re: [SECURITY] [DSA-2154-1] exim4 security update
Next by thread: Re: [SECURITY] [DSA-2154-1] exim4 security update
Index(es):
- Date
- Thread