Re: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.…

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.2, 4.86.2, 4.87 RC5
On 09/03/16 17:07, Cyborg wrote:
> The question is, who stops the attacker from loading a config he likes
> directly into exim WITH the new vars set ?


The config filename is compiled-in, or the filename carrying permitted
config file names is compiled-in. Also the config file must be owned
by root or a user that is compiled-in, and not world-writable.

See Chapter 6, first few paragraphs.
--
Cheers,
Jeremy
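
An audit of the conditions named in the reply above, added here as an example (it is not part of the original message or of Exim): the function reports whether a configuration file is owned by root or an allowed uid and is not world-writable. The function names and the `ALLOWED_UID` parameter are assumptions; the real permitted owner is fixed when Exim is built and is not read from the binary here.

```shell
#!/bin/sh
# Added example, not Exim code. Usage: check_exim_config FILE [ALLOWED_UID]
# FILE can be taken from `exim -bP configure_file`.
# ALLOWED_UID (assumption) stands in for the compiled-in config owner.
# Returns 0 when the file passes both checks, 1 otherwise.

# Owner uid of the file the path resolves to (GNU stat, then BSD stat).
file_uid() {
    stat -L -c '%u' "$1" 2>/dev/null || stat -L -f '%u' "$1"
}

# Octal permission bits of the file the path resolves to.
file_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

check_exim_config() {
    cfg=$1
    allowed_uid=${2:-0}
    rc=0

    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg is not a regular file"
        return 1
    fi

    uid=$(file_uid "$cfg")
    mode=$(file_mode "$cfg")
    other=${mode#"${mode%?}"}   # last octal digit = permissions for "other"

    # Owner must be root or the permitted user.
    if [ "$uid" != 0 ] && [ "$uid" != "$allowed_uid" ]; then
        echo "FAIL: $cfg owned by uid $uid (expected 0 or $allowed_uid)"
        rc=1
    fi

    # Write bit for "other" (value 2) must be clear.
    if [ $(( other & 2 )) -ne 0 ]; then
        echo "FAIL: $cfg is world-writable (mode $mode)"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cfg (uid $uid, mode $mode)"
    return "$rc"
}
```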