Ubuntu 2933-1: Exim vulnerabilities

    Date15 Mar 2016
    CategoryUbuntu
    Posted ByLinuxSecurity Advisories
    Several security issues were fixed in Exim.
    ==========================================================================
    Ubuntu Security Notice USN-2933-1
    March 15, 2016
    
    exim4 vulnerabilities
    ==========================================================================
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    - Ubuntu 15.10
    - Ubuntu 14.04 LTS
    - Ubuntu 12.04 LTS
    
    Summary:
    
    Several security issues were fixed in Exim.
    
    Software Description:
    - exim4: Exim is a mail transport agent
    
    Details:
    
    It was discovered that Exim incorrectly filtered environment variables when
    used with the perl_startup configuration option. If the perl_startup option
    was enabled, a local attacker could use this issue to escalate their
    privileges to the root user. This issue has been fixed by having Exim clean
    the complete execution environment by default on startup, including any
    subprocesses such as transports that call other programs. This change in
    behaviour may break existing installations and can be adjusted by using two
    new configuration options, keep_environment and add_environment.
    (CVE-2016-1531)
    
    Patrick William discovered that Exim incorrectly expanded mathematical
    comparisons twice. A local attacker could possibly use this issue to
    perform arbitrary file operations as the Exim user. This issue only
    affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2972)
    
    Update instructions:
    
    The problem can be corrected by updating your system to the following
    package versions:
    
    Ubuntu 15.10:
      exim4-daemon-heavy              4.86-3ubuntu1.1
      exim4-daemon-light              4.86-3ubuntu1.1
    
    Ubuntu 14.04 LTS:
      exim4-daemon-custom             4.82-3ubuntu2.1
      exim4-daemon-heavy              4.82-3ubuntu2.1
      exim4-daemon-light              4.82-3ubuntu2.1
    
    Ubuntu 12.04 LTS:
      exim4-daemon-custom             4.76-3ubuntu3.3
      exim4-daemon-heavy              4.76-3ubuntu3.3
      exim4-daemon-light              4.76-3ubuntu3.3
    
    This update introduces environment filtering, which may break certain
    existing installations. After performing a standard system update, the new
    keep_environment and add_environment configuration options can be used
    to adjust the new behaviour.
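    As an added illustration (not part of the advisory or of Exim's own documentation), a fragment for the main section of an exim4 configuration that keeps the post-update purge in place and allowlists only what a perl_startup script or a pipe transport genuinely needs; the variable names shown are constructed for the example:

```conf
# Main configuration section of exim4 (constructed example, not from the advisory).
# Leaving keep_environment empty keeps the new default introduced by this update:
# every inherited environment variable is dropped when Exim starts. Setting the
# option explicitly, even to an empty value, also silences Exim's startup warning
# about purging the environment.
keep_environment =

# If a perl_startup script or a transport really needs a variable, allowlist it
# by exact name or by a ^-anchored regular expression. Do not use ^.* : that
# re-inherits the caller's whole environment and undoes the fix for CVE-2016-1531.
# keep_environment = PATH : ^LDAP

# Values that subprocesses need are safer set here than inherited from the caller.
# Colon is the list separator, so a literal colon inside a value is doubled.
add_environment = PATH=/usr/bin::/bin : LANG=C
```

    After editing, restart the daemon and check the main log for any subprocess that fails because a variable it expected is no longer present, then add that variable explicitly rather than widening keep_environment.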
    
    References:
      http://www.ubuntu.com/usn/usn-2933-1
      CVE-2014-2972, CVE-2016-1531
    
    Package Information:
      https://launchpad.net/ubuntu/+source/exim4/4.86-3ubuntu1.1
      https://launchpad.net/ubuntu/+source/exim4/4.82-3ubuntu2.1
      https://launchpad.net/ubuntu/+source/exim4/4.76-3ubuntu3.3
    