Rapid7 Vulnerability & Exploit Database

RHSA-2001:176: Updated exim packages fix security problem


Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 12/19/2001
Created: 07/25/2018
Added: 03/24/2010
Modified: 07/04/2017

Description

Updated exim packages are available, which fix a problem when handling certain types of addresses with some configurations. The default configuration does not exhibit this problem.

When the local exim configuration directs or routes an address to a pipe transport without verifying that the local part is valid, the command encoded in the local part will be executed. This problem does not apply to pipes run from alias or forward files, since the local part is verified in that case. However, if, for example, all incoming mail is filtered in some way (perhaps with a virus checker) without verifying that the local part is valid, then your site may be affected by this problem. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2001-0889 to this issue. It is recommended that all exim users upgrade to the provided packages.

Solution(s)

  • redhat-upgrade-exim
  • redhat-upgrade-exim-doc
  • redhat-upgrade-exim-mon
