[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DSA 3517-1] exim4 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3517-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 14, 2016                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2016-1531

A local root privilege escalation vulnerability was found in Exim,
Debian's default mail transfer agent, in configurations using the
'perl_startup' option (Only Exim via exim4-daemon-heavy enables Perl
support).

To address the vulnerability, updated Exim versions clean the complete
execution environment by default, affecting Exim and subprocesses such
as transports calling other programs, and thus may break existing
installations. New configuration options (keep_environment,
add_environment) were introduced to adjust this behavior.

More information can be found in the upstream advisory at
https://www.exim.org/static/doc/CVE-2016-1531.txt

For the oldstable distribution (wheezy), this problem has been fixed
in version 4.80-7+deb7u2.

For the stable distribution (jessie), this problem has been fixed in
version 4.84.2-1.

For the testing distribution (stretch), this problem has been fixed
in version 4.86.2-1.

For the unstable distribution (sid), this problem has been fixed in
version 4.86.2-1.

We recommend that you upgrade your exim4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJW5lBzAAoJEAVMuPMTQ89EGnwP/011ZNUNFZrPmxVlvdkbO7cr
duDxC9y5n0n0rsExDP4dKoeclsc+dCBRJn9IZzDjeBZ+ZVbzhYzji95NBx/RjoWO
3DvByrQJgeYN5KLu/hLcRslAMTjGrL4IwdQ4TVCiYip/GyyxmzoA0d2r6pkbSr5u
jFn79Yofc9AqPFJqrgZquY6wQl16oYHcqZsaUGE6SgRa9XnJYi3PYksG/JB8+mni
ImJggYTwjuX+uJSQEvDS6vKmEZ9k3+sTlTtn2Zu+wVOx/UZwK5Eg2Ec1fiI45yoQ
FEzzbEzuFHKkL+fHjHFjRlmzZ0W4C7wVmcV3eFqynXXpkbu/LKf6zpY9Cixq/DMs
WhNc4/Tie4u0ygdWWcvLpXnZt+KlQzw6RBm+XT//ajgdakKUgyeHu8PMqTR9I1M4
GbzEqDAfU+g5uQWed97OdJ+OJxkYYlt4IY/cLg/aYvDhJZsNxRy8OID/mmP0/Gv2
o8suOcReCJKVq1P+wZ+gU+zQGTyO1I3ATTVoN5teAVd63JpJKMofAvjRiDdIsDqo
+d9JnSwhZQhkQSoQN2EMHY/zzb+yFMfat5Rw6NmxIpBB3NIgNdL9zg08Yn4QsHyl
XMXPUOkuq4YjjmYDi87ZmVTryXXJYh209mKd2pY45n1SCCU4NOqnSrrtK6O1VNgd
Mky4/TT5s19NLEoGLxwI
=WpbR
-----END PGP SIGNATURE-----


Reply to: