Vulnerability & Exploit Database


RHSA-2011:0153: exim security update

Severity: 7
CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Published: December 13, 2010
Added: January 24, 2011
Modified: July 03, 2017


Description

Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on UNIX systems connected to the Internet.

A privilege escalation flaw was discovered in Exim. If an attacker were able to gain access to the "exim" user, they could cause Exim to execute arbitrary commands as the root user. (CVE-2010-4345)

This update adds a new configuration file, "/etc/exim/trusted-configs". To prevent Exim from running arbitrary commands as root, Exim will now drop privileges when run with a configuration file not listed as trusted. This could break backwards compatibility with some Exim configurations, as the trusted-configs file only trusts "/etc/exim/exim.conf" and "/etc/exim/exim4.conf" by default. If you are using a configuration file not listed in the new trusted-configs file, you will need to add it manually.

Additionally, Exim will no longer allow a user to execute exim as root with the -D command line option to override macro definitions. All macro definitions that require root permissions must now reside in a trusted configuration file.

Users of Exim are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the exim daemon will be restarted automatically.
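As an added illustration (not part of the Red Hat advisory and not Exim's own code), the following POSIX shell script shows the post-update check an administrator would want: is the configuration file Exim actually loads listed in /etc/exim/trusted-configs, and if not, add it so Exim keeps root instead of silently dropping to the "exim" user and breaking local delivery. The sample trusted-configs content is constructed inline; the exact whole-line path comparison is an approximation of the update's behaviour, not Exim's parser; `exim -bP configure_file` (the real Exim option that prints the active configuration path) appears only in a comment so the script runs offline.

```shell
#!/bin/sh
# Added example: checks a config path against the trusted-configs list that
# RHSA-2011:0153 introduces. File paths below are assumptions for illustration.

# is_trusted_config TRUSTED_LIST CONFIG_PATH
# Prints "yes" if CONFIG_PATH appears as a complete line in TRUSTED_LIST,
# otherwise "no". Whole-line fixed-string matching (-F -x) is deliberate:
# /etc/exim/exim.conf.d must not be accepted as trusting /etc/exim/exim.conf,
# and no character in the path may be interpreted as a regex.
is_trusted_config() {
    list=$1
    cfg=$2
    if [ -r "$list" ] && grep -Fxq -- "$cfg" "$list"; then
        echo yes
    else
        echo no
    fi
    return 0
}

# describe_privileges TRUSTED_LIST CONFIG_PATH
# Prints what the patched Exim does with CONFIG_PATH: keeps root privileges
# for a trusted file, drops to the exim user for anything else.
describe_privileges() {
    if [ "$(is_trusted_config "$1" "$2")" = yes ]; then
        echo "trusted: exim keeps root privileges with $2"
    else
        echo "untrusted: exim drops privileges when started with $2"
    fi
}

# trust_config TRUSTED_LIST CONFIG_PATH
# Appends CONFIG_PATH to TRUSTED_LIST once, as the advisory says an admin must
# do manually for a non-default configuration file. Prints "added" or
# "already trusted".
trust_config() {
    list=$1
    cfg=$2
    if [ "$(is_trusted_config "$list" "$cfg")" = yes ]; then
        echo "already trusted"
    else
        printf '%s\n' "$cfg" >> "$list"
        echo "added"
    fi
}

# demo
# Runs the checks against a constructed trusted-configs file (sample data,
# written to a temp file, not the real /etc/exim/trusted-configs). On a live
# host the path to test would come from: exim -bP configure_file
demo() {
    tmp=$(mktemp)
    printf '%s\n' '/etc/exim/exim.conf' '/etc/exim/exim4.conf' > "$tmp"

    for cfg in /etc/exim/exim.conf /etc/exim/exim.conf.d /etc/exim/local.conf; do
        describe_privileges "$tmp" "$cfg"
    done

    # A legitimate site-specific config is added once; a second call is a no-op.
    trust_config "$tmp" /etc/exim/local.conf
    trust_config "$tmp" /etc/exim/local.conf
    describe_privileges "$tmp" /etc/exim/local.conf

    rm -f "$tmp"
}

demo
```

Two caveats a practitioner should keep in mind. First, the trusted-configs list is only a useful control while it is owned by root and not writable by the "exim" user; an exim-writable list would let the compromised account re-trust its own config and defeat the fix. Second, the -D change described in the advisory is separate from this list: even with a trusted file, macro overrides given on the command line no longer run as root, so macros that need root belong in the trusted configuration file itself.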



Solution

redhat-upgrade-exim
