Re: [exim] [exim-announce] Exim 4.73 Release

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Phil Pennock
Fecha:  
A: Andreas M. Kirchwitz
Cc: exim-users
Asunto: Re: [exim] [exim-announce] Exim 4.73 Release
On 2011-01-06 at 03:15 +0000, Andreas M. Kirchwitz wrote:
> Nigel Metheringham <nigel@???> wrote:
>
>  >  1. TWO MAJOR SECURITY FIXES:-
>  >        + CVE-2010-4344 exim remote code execution flaw
>  >        + CVE-2010-4345 exim privilege escalation

>
> I've just updated from Exim 4.72 (which has been said to be secure
> already) to Exim 4.73 and haven't touched any of the security options
> like ALT_CONFIG_PREFIX or TRUSTED_CONFIG_LIST in Local/Makefile.
>
> Unfortunately, on installation (sudo make install) I get this error:
>
> 2011-01-06 02:53:43 Exim configuration file /dev/null has the wrong owner, group, or mode
>
> # ls -l /dev/null
> crw-rw-rw-. 1 root root 1, 3 Jan 5 21:39 /dev/null
>
> Of course, /dev/null is world-writable. ;-)


Deoh.

http://git.exim.org/exim.git/commit/fea24b2ea4e2c2a4b77d6fb222054e32e658b227

I've exempted /dev/null from these checks. If someone has messed with
he ownership or permissions of /dev/null, that's no longer reasonably
Exim's problem.

> Furtheremore, until now, I used to run exicyclog as user exim (why do


I've left this for further careful consideration.

Thanks,
-Phil