Re: [exim-dev] [Bug 1864] New: CVE-2016-1238: Important unsa…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Andrew C Aitchison
Datum:  
To: exim-dev
Alte Treads: [exim-dev] [Bug 1864] New: CVE-2016-1238: Important unsafe module load path flaw
Betreff: Re: [exim-dev] [Bug 1864] New: CVE-2016-1238: Important unsafe module load path flaw

This is about a perl security issue that was not accepted directly into
exim in July/August 2016.

Patch 915 does not apply cleanly to exim 4.89_RC3
(which adds "use warnings;" in the same place the change made by 915).
A suitable alternative is:

--- src/eximstats.src.CVE-2016-1238     2017-02-10 02:50:40.000000000 +0000
+++ src/eximstats.src   2017-02-10 12:54:28.235197704 +0000
@@ -547,6 +547,8 @@


=cut

+BEGIN { pop @INC if $INC[-1] eq '.' }
+
use warnings;
use integer;
use strict;



On Mon, 25 Jul 2016, admin@??? wrote:

> https://bugs.exim.org/show_bug.cgi?id=1864
>
>            Bug ID: 1864
>           Summary: CVE-2016-1238: Important unsafe module load path flaw
>           Product: Exim
>           Version: 4.87
>          Hardware: x86
>                OS: Linux
>            Status: NEW
>          Severity: bug
>          Priority: medium
>         Component: Eximstats
>          Assignee: nigel@???
>          Reporter: eximusers@???
>                CC: exim-dev@???

>
> Created attachment 915
> --> https://bugs.exim.org/attachment.cgi?id=915&action=edit
> patch used by Debian 4.84.2-1+deb8u1
>
> Hello,
>
> as part of fixing CVE-2016-1238 in DSA 3628-1 Debian has applied the attached
> patch to eximstats.
>
> Please review and apply. TIA