Re: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.…

Góra strony
Delete this message
Reply to this message
Autor: Heiko Schlittermann
Data:  
Dla: exim-users
Temat: Re: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.2, 4.86.2, 4.87 RC5
Cyborg <cyborg2@???> (Mi 09 Mär 2016 18:07:33 CET):
> The question is, who stops the attacker from loading a config he likes
> directly into exim WITH the new vars set ?


Nobody stop the attacker, but if you ask Exim to open the config you
like (via -C …) Exim drops the root privileges before reading the
configuration.

For the Configs of the built in list Jeremy explained, why it can be
considered safe.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -