[exim] Older versions of Exim (CVE-2016-1531)

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: [exim] Older versions of Exim (CVE-2016-1531)
Hi,

I'd like to share an (obvious?) observation …

As I used to install Exim from the git checkout via make && make install:
The build and installation process creates copies of the old exim
binaries, with full suid-root permissions.

As long as you do not use the new configuration options keep_environment
or add_environment, these old versions will start happily and having a
fixed version installed additionally doesn't help a lot.

So, hopefully you put the keep_environment or add_environment option
into your configuration (at least to avoid the warning at startup)
already. Older versions of Exim don't understand these options and just
die.

Maybe I'm the only stupid one, maybe someone else got bitten too :)

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
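
A check for the situation described in the message above, as an added example that is not part of the original post or of Exim's own tooling: it lists setuid Exim binaries in a directory that are not the one the "exim" name currently resolves to. The function name stale_suid_exim and the assumption that versioned binaries are named exim-<something> next to "exim" are hypothetical and should be adjusted to your installation.

```shell
#!/bin/sh
# Added example (not from the original message).
# Assumption: the install directory holds versioned binaries named
# exim-<something> and "exim" points at the one currently in use.

stale_suid_exim() {
    dir=$1
    # Canonical path of the binary that "exim" resolves to (empty if absent).
    current=$(readlink -f "$dir/exim" 2>/dev/null) || current=
    # Regular files only, so the "exim" symlink itself is never listed.
    find "$dir" -maxdepth 1 -type f -name 'exim-*' -perm -4000 |
    while IFS= read -r f; do
        # Skip the binary that is actually in use.
        [ "$(readlink -f "$f")" = "$current" ] && continue
        printf '%s\n' "$f"
    done
}

# Stand-alone use: pass the directory that contains the exim binaries.
if [ $# -gt 0 ]; then
    stale_suid_exim "$1"
fi
```

Each path printed is a leftover binary that still carries the setuid bit; removing the file or clearing the bit with chmod u-s takes it out of play.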