Software and application updates - (02.03.16) - New version: Exim 4.86.2 - Security fix for CVE-2016-1531


More details:
https://lists.exim.org/lurker/message/20160302.195554.d8f9b6f7.en.html

What's new:

(It's an updated version of 4.8{4,5,6}.1, fixing minor portability 
issues for *BSD and OS/X). 

The known download area contains packed tarballs. The tarballs for fixed 
older versions (4.84.2, 4.85.2) are below the old/ directory. 

Every tarball and the relevant commits and tags are signed with my GPG 
key (as used for signing this mail). 


Security fix for CVE-2016-1531 
============================== 

All installations having Exim set-uid root and using 'perl_startup' are 
vulnerable to a local privilege escalation. Any user who can start an 
instance of Exim (and this is normally *any* user) can gain root 
privileges. If you do not use 'perl_startup' you *should* be safe. 

New options 
----------- 

We had to introduce two new configuration options: 

    keep_environment =
    add_environment =


Both options are empty per default. That is, Exim cleans the complete 
environment on startup. This affects Exim itself and any subprocesses, 
as transports, that may call other programs via some alias mechanisms, 
as routers (queryprogram), lookups, and so on. This may affect used 
libraries (e.g. LDAP). 

** THIS MAY BREAK your existing installation ** 

If both options are not used in the configuration, Exim issues a warning 
on startup. This warning disappears if at least one of these options is 
used (even if set to an empty value). 

keep_environment should contain a list of trusted environment variables. 
(Do you trust PATH?). This may be a list of names and REs. 

    keep_environment = ^LDAP_ : FOO_PATH


To add (or override) variables, you can use add_environment: 

    add_environment = <; PATH=/sbin:/usr/sbin



New behaviour 
------------- 

Now Exim changes its working directory to / right after startup, 
even before reading its configuration. (Later Exim changes its working 
directory to $spool_directory, as usual.) 

Exim only accepts an absolute configuration file path now, when using 
the -C option. 

Thank you for your understanding.
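To make the keep_environment / add_environment semantics from the announcement concrete, here is a small Python model of the 4.86.2 startup cleaning applied to a constructed inherited environment. This is an added example, not Exim's own code: it implements only the list syntax the announcement shows (default ':' separator, a leading '<;' to switch separator, '^'-anchored regular expressions, 'NAME=value' items), and the sample variable names and values are invented.

```python
import re

# Constructed sample environment (not from the announcement): what a
# set-uid Exim binary would inherit from whichever user started it.
INHERITED_ENV = {
    "PATH": "/home/someuser/bin:/usr/bin",
    "LDAP_HOST": "ldap.example.invalid",
    "LDAP_BASE": "dc=example,dc=invalid",
    "FOO_PATH": "/opt/foo",
    "SOME_UNTRUSTED_VAR": "value chosen by the invoking user",
}

def parse_exim_list(value):
    """Split an Exim string list. The default separator is ':'; a
    leading '<X' (e.g. '<;') switches the separator to X, which is why
    the PATH example in the announcement starts with '<;'."""
    value = value.strip()
    sep = ":"
    if value.startswith("<") and len(value) > 1:
        sep, value = value[1], value[2:]
    return [item.strip() for item in value.split(sep) if item.strip()]

def clean_environment(env, keep_environment="", add_environment=""):
    """Simplified model of the 4.86.2 behaviour: drop everything, keep
    only names matching keep_environment (literal names or '^' regexes),
    then apply add_environment items, which add or override variables.
    With both options empty (the default) nothing survives."""
    kept = {}
    for pattern in parse_exim_list(keep_environment):
        for name, val in env.items():
            if pattern.startswith("^"):
                if re.search(pattern, name):
                    kept[name] = val
            elif pattern == name:
                kept[name] = val
    for item in parse_exim_list(add_environment):
        name, _, val = item.partition("=")
        kept[name] = val
    return kept

def configures_environment(config_text):
    """True when the configuration sets at least one of the two options
    (even to an empty value), i.e. when Exim would not warn on startup."""
    return re.search(r"^\s*(keep_environment|add_environment)\s*=",
                     config_text, re.M) is not None

if __name__ == "__main__":
    result = clean_environment(INHERITED_ENV, "^LDAP_ : FOO_PATH",
                               "<; PATH=/sbin:/usr/sbin")
    for name, val in sorted(result.items()):
        print(f"{name}={val}")
```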