Re: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.…

Author: Andreas M. Kirchwitz
Date:  
To: exim-users
Subject: Re: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.2, 4.86.2, 4.87 RC5
Heiko Schlittermann <hs@???> wrote:

>> Clearing the complete environment also raises some questions like
>> do I have to make exceptions for LANG and TZ? And will Exim work
>> without any PATH?
>
> That's not totally clear. Exim itself doesn't use any environment. BUT it
> may use the environment indirectly, by using libraries (LDAP being some
> example). I suppose that libldap checks LDAP* variables. I'm not sure
> about other lookups (Berkeley DB?)


If I may ask, what was the reason to clear the environment
in the first place? It's a significant change, so I guess
certain environment settings imposed serious problems.

I'm a little scared now that I add exactly those variables
to keep_environment which should be avoided at all costs.

    Greetings, Andreas