Bug 1314259 - Reminder for : Security fix for CVE-2016-1531
Reminder for : Security fix for CVE-2016-1531
Status: CLOSED DUPLICATE of bug 1314294
Product: Fedora
Classification: Fedora
Component: exim (Show other bugs)
All All
unspecified Severity urgent
: ---
: ---
Assigned To: Jaroslav Škarvada
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2016-03-03 05:02 EST by customercare
Modified: 2016-03-03 07:22 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-03-03 07:22:06 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description customercare 2016-03-03 05:02:10 EST
As i do not see any new packages in koji for exim,
here a quick reminder, that exim has an important security issue.



We just released:

    Version             Git tag
    Exim 4.84.2         exim-4_84_2
    Exim 4.85.2         exim-4_85_2
    Exim 4.86.2         exim-4_86_2
    Exim 4.87 RC 5      exim-4_87_RC5

(It's an updated version of 4.8{4,5,6}.1, fixing minor portability
issues for *BSD and OS/X).

The known download area contains packed tarballs. The tarballs for fixed
older versions (4.84.2, 4.85.2) are below the old/ directory.

Every tarball and the relevant commits and tags are signed with my GPG
key (as used for signing this mail).

Security fix for CVE-2016-1531

All installations having Exim set-uid root and using 'perl_startup' are
vulnerable to a local privilege escalation. Any user who can start an
instance of Exim (and this is normally *any* user) can gain root
privileges. If you do not use 'perl_startup' you *should* be safe.

New options

We had to introduce two new configuration options:

    keep_environment =
    add_environment =

Both options are empty per default. That is, Exim cleans the complete
environment on startup. This affects Exim itself and any subprocesses,
as transports, that may call other programs via some alias mechanisms,
as routers (queryprogram), lookups, and so on. This may affect used
libraries (e.g. LDAP).

** THIS MAY BREAK your existing installation **

If both options are not used in the configuration, Exim issues a warning
on startup. This warning disappears if at least one of these options is
used (even if set to an empty value).

keep_environment should contain a list of trusted environment variables.
(Do you trust PATH?). This may be a list of names and REs.

    keep_environment = ^LDAP_ : FOO_PATH

To add (or override) variables, you can use add_environment:

    add_environment = <; PATH=/sbin:/usr/sbin

New behaviour

Now Exim changes it's working directory to / right after startup,
even before reading it's configuration. (Later Exim changes it's working
directory to $spool_directory, as usual.)

Exim only accepts an absolute configuration file path now, when using
the -C option.

Thank you for your understanding.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Comment 1 Jaroslav Škarvada 2016-03-03 05:08:30 EST
I will take care about it today. I waited yesterday for the officially announced release, but it was delayed, so I had to quit.
Comment 2 customercare 2016-03-03 05:16:18 EST
short question about bugzilla changes:

I missed the security flag option while writing the bugreport. Is that gone, or disabled for exim and other components ?
Comment 3 Jaroslav Škarvada 2016-03-03 05:19:47 EST
(In reply to customercare from comment #2)
> short question about bugzilla changes:
> I missed the security flag option while writing the bugreport. Is that gone,
> or disabled for exim and other components ?

Sorry, I have no idea. Try to ask on devel@lists.fedoraproject.org or #fedora-devel Freenode IRC channel.
Comment 4 Jaroslav Škarvada 2016-03-03 07:22:06 EST

*** This bug has been marked as a duplicate of bug 1314294 ***

Note You need to log in before you can comment on or make changes to this bug.