Ubuntu 2933-1: Exim vulnerabilities

    Date: 15 Mar 2016
    Posted By: LinuxSecurity Advisories
    Several security issues were fixed in Exim.
    Ubuntu Security Notice USN-2933-1
    March 15, 2016
    exim4 vulnerabilities
    A security issue affects these releases of Ubuntu and its derivatives:
    - Ubuntu 15.10
    - Ubuntu 14.04 LTS
    - Ubuntu 12.04 LTS
    Software Description:
    - exim4: Exim is a mail transport agent
    It was discovered that Exim incorrectly filtered environment variables when
    used with the perl_startup configuration option. If the perl_startup option
    was enabled, a local attacker could use this issue to escalate their
    privileges to the root user. This issue has been fixed by having Exim clean
    the complete execution environment by default on startup, including any
    subprocesses such as transports that call other programs. This change in
    behaviour may break existing installations and can be adjusted by using two
    new configuration options, keep_environment and add_environment.
    Patrick William discovered that Exim incorrectly expanded mathematical
    comparisons twice. A local attacker could possibly use this issue to
    perform arbitrary file operations as the Exim user. This issue only
    affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2972)
    Update instructions:
    The problem can be corrected by updating your system to the following
    package versions:
    Ubuntu 15.10:
      exim4-daemon-heavy              4.86-3ubuntu1.1
      exim4-daemon-light              4.86-3ubuntu1.1
    Ubuntu 14.04 LTS:
      exim4-daemon-custom             4.82-3ubuntu2.1
      exim4-daemon-heavy              4.82-3ubuntu2.1
      exim4-daemon-light              4.82-3ubuntu2.1
    Ubuntu 12.04 LTS:
      exim4-daemon-custom             4.76-3ubuntu3.3
      exim4-daemon-heavy              4.76-3ubuntu3.3
      exim4-daemon-light              4.76-3ubuntu3.3
    This update introduces environment filtering, which may break certain
    existing installations. After performing a standard system update, the new
    keep_environment and add_environment configuration options can be used
    to adjust the new behaviour.
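
A small audit helper for the configuration change described above, added here as an example and not part of the Ubuntu notice or of Exim: it reads the main section of an Exim configuration and reports how perl_startup, keep_environment and add_environment are set. The sample configuration, the `/etc/exim.pl` path and the function names are constructed for illustration.

```python
import re
# Main-section options named in the advisory.
OPTIONS = ("perl_startup", "keep_environment", "add_environment")

# Constructed sample configuration (not taken from a real host).
SAMPLE_CONFIG = """\
# main section
primary_hostname = mail.example.test
perl_startup = do '/etc/exim.pl'
add_environment = PATH=/usr/bin::/bin
begin routers
"""

def main_options(config_text):
    """Return {name: value} for OPTIONS set before the first 'begin' line."""
    found, pending = {}, ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank and comment lines
        if line.endswith("\\"):
            pending += line[:-1]          # a trailing backslash continues the setting
            continue
        line, pending = pending + line, ""
        if re.match(r"begin\s", line + " "):
            break                         # end of the main section
        m = re.match(r"(?:hide\s+)?(\w+)\s*=\s*(.*)", line)
        if m and m.group(1) in OPTIONS:
            found[m.group(1)] = m.group(2)
    return found

def audit(config_text):
    """Return review notes based on the behaviour the advisory describes."""
    opts, notes = main_options(config_text), []
    if "perl_startup" in opts:
        notes.append("perl_startup is set: confirm the fixed exim4 package is installed")
    if "keep_environment" in opts:
        notes.append("keep_environment = %r: review each kept variable as trusted"
                     % opts["keep_environment"])
    else:
        notes.append("keep_environment is not set: the whole environment is cleaned")
    if "add_environment" in opts:
        notes.append("add_environment = %r: set explicitly for subprocesses"
                     % opts["add_environment"])
    return notes

if __name__ == "__main__":
    for note in audit(SAMPLE_CONFIG):
        print("-", note)
```
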
      CVE-2014-2972, CVE-2016-1531
    Package Information:
