Re: [exim] [exim-announce] Exim 4.73 Release

Author: Phil Pennock
Date:  
To: Andreas M. Kirchwitz
CC: exim-users
Subject: Re: [exim] [exim-announce] Exim 4.73 Release
On 2011-01-06 at 03:15 +0000, Andreas M. Kirchwitz wrote:
> Nigel Metheringham <nigel@???> wrote:
>
>  >  1. TWO MAJOR SECURITY FIXES:-
>  >        + CVE-2010-4344 exim remote code execution flaw
>  >        + CVE-2010-4345 exim privilege escalation

>
> I've just updated from Exim 4.72 (which has been said to be secure
> already) to Exim 4.73 and haven't touched any of the security options
> like ALT_CONFIG_PREFIX or TRUSTED_CONFIG_LIST in Local/Makefile.
>
> Unfortunately, on installation (sudo make install) I get this error:
>
> 2011-01-06 02:53:43 Exim configuration file /dev/null has the wrong owner, group, or mode
>
> # ls -l /dev/null
> crw-rw-rw-. 1 root root 1, 3 Jan 5 21:39 /dev/null
>
> Of course, /dev/null is world-writable. ;-)


Deoh.

http://git.exim.org/exim.git/commit/fea24b2ea4e2c2a4b77d6fb222054e32e658b227

I've exempted /dev/null from these checks. If someone has messed with
the ownership or permissions of /dev/null, that's no longer reasonably
Exim's problem.

> Furthermore, until now, I used to run exicyclog as user exim (why do


I've left this for further careful consideration.

Thanks,
-Phil
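
The kind of owner/group/mode test that rejects a world-writable /dev/null, with a by-name exemption like the one described in the reply above. This is an added sketch, not Exim's code or the linked commit; the function names, the verdict enum and the "trusted uid/gid, no group or other write bit" policy are assumptions made for illustration.

```c
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Why a configuration file was accepted or rejected (hypothetical names). */
enum cfg_verdict {
    CFG_OK = 0, CFG_BAD_OWNER, CFG_BAD_GROUP, CFG_BAD_MODE, CFG_STAT_FAILED
};

/* Policy check on already-collected metadata, kept separate from stat()
   so it can be exercised with constructed values. Assumed policy: owned
   by trusted_uid, group trusted_gid, not writable by group or others. */
enum cfg_verdict cfg_check_stat(const struct stat *st,
                                uid_t trusted_uid, gid_t trusted_gid)
{
    if (st->st_uid != trusted_uid)
        return CFG_BAD_OWNER;
    if (st->st_gid != trusted_gid)
        return CFG_BAD_GROUP;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return CFG_BAD_MODE;
    return CFG_OK;
}

/* Path-level check. "/dev/null" is exempted by exact name before any
   metadata is read: it is world-writable by design and reading it yields
   an empty configuration, so its mode says nothing about tampering.
   Only the literal path is exempt; other paths get the full check. */
enum cfg_verdict cfg_check_path(const char *path,
                                uid_t trusted_uid, gid_t trusted_gid)
{
    struct stat st;

    if (strcmp(path, "/dev/null") == 0)
        return CFG_OK;
    if (stat(path, &st) != 0)
        return CFG_STAT_FAILED;
    return cfg_check_stat(&st, trusted_uid, trusted_gid);
}
```

Without the name test, the metadata shown in the quoted `ls -l` output (root:root, mode 0666) fails on the mode check alone, which matches the "wrong owner, group, or mode" log line.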