RHSA-2011:0153: exim security update
|7||(AV:L/AC:M/Au:N/C:C/I:C/A:C)||December 13, 2010||January 24, 2011||July 03, 2017|
Exim is a mail transport agent (MTA) developed at the University ofCambridge for use on UNIX systems connected to the Internet.A privilege escalation flaw was discovered in Exim. If an attacker wereable to gain access to the "exim" user, they could cause Exim to executearbitrary commands as the root user. (CVE-2010-4345)This update adds a new configuration file, "/etc/exim/trusted-configs". Toprevent Exim from running arbitrary commands as root, Exim will now dropprivileges when run with a configuration file not listed as trusted. Thiscould break backwards compatibility with some Exim configurations, as thetrusted-configs file only trusts "/etc/exim/exim.conf" and"/etc/exim/exim4.conf" by default. If you are using a configuration filenot listed in the new trusted-configs file, you will need to add itmanually.Additionally, Exim will no longer allow a user to execute exim as root withthe -D command line option to override macro definitions. All macrodefinitions that require root permissions must now reside in a trustedconfiguration file.Users of Exim are advised to upgrade to these updated packages, whichcontain a backported patch to correct this issue. After installing thisupdate, the exim daemon will be restarted automatically.
Free Nexpose Download
Discover, prioritize, and remediate security risks today!
- FreeBSD: exim -- local privilege escalation (CVE-2010-4345)
- USN-1060-1: Exim vulnerabilities
- Gentoo Linux: CVE-2010-4345: Exim: Multiple vulnerabilities
- Cent OS: CVE-2010-4345: CESA-2011:0153 (exim)
- SUSE Linux Security Advisory: SUSE-SA:2010:059
- SUSE Linux Security Vulnerability: CVE-2010-4345
- ELSA-2011-0153 Moderate: Oracle Linux exim security update