Nigel Metheringham <nigel@???> wrote:
> 1. TWO MAJOR SECURITY FIXES:-
> + CVE-2010-4344 exim remote code execution flaw
> + CVE-2010-4345 exim privilege escalation
I've just updated from Exim 4.72 (which has been said to be secure
already) to Exim 4.73 and haven't touched any of the security options
like ALT_CONFIG_PREFIX or TRUSTED_CONFIG_LIST in Local/Makefile.
Unfortunately, on installation (sudo make install) I get this error:
2011-01-06 02:53:43 Exim configuration file /dev/null has the wrong owner, group, or mode
# ls -l /dev/null
crw-rw-rw-. 1 root root 1, 3 Jan 5 21:39 /dev/null
Of course, /dev/null is world-writable. ;-)
Might be just some "ugly" output (because the install script calls
the exim binary with "-C /dev/null") but it goes into the paniclog
which should receive only messages on really severe issues.
Furtheremore, until now, I used to run exicyclog as user exim (why do
a job as root if not necessary?) which now gives this error message:
# su -m - exim -c /usr/local/exim/bin/exicyclog
LOG: MAIN PANIC
exim user lost privilege for using -C option
Okay, for security reasons only root is allowed to use -C now.
But if I run exicyclog as root, it's not getting much better:
# /usr/local/exim/bin/exicyclog
LOG: MAIN PANIC DIE
Exim configuration file /dev/null has the wrong owner, group, or mode
Well, the script still does what it is intended to do, but that's
another "ugly" output written to the paniclog.
If that habit of using "-C /dev/null" is really necessary, maybe
it should be hardcoded into the exim binary that /dev/null is a
"safe" configuration file. Or a new option that makes exim ignore
any configuration file and stick with its internal defaults.
(At least if run as root.)
However, besides those cosmetic problems, let me close this message
with something positive. On CentOS 5.5 and Fedora 14, Exim 4.73
compiles just fine for me and seems to run pretty well. Thanks to
you and everybody else involved for keeping this great MTA alive!
Happy new year ... Andreas