Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

USN-1060-1: Exim vulnerabilities

10 February 2011

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

Details

It was discovered that Exim contained a design flaw in the way it processed
alternate configuration files. An attacker that obtained privileges of the
"Debian-exim" user could use an alternate configuration file to obtain
root privileges. (CVE-2010-4345)

It was discovered that Exim incorrectly handled certain return values when
handling logging. An attacker that obtained privileges of the "Debian-exim"
user could use this flaw to obtain root privileges. (CVE-2011-0017)

Dan Rosenberg discovered that Exim incorrectly handled writable sticky-bit
mail directories. If Exim were configured in this manner, a local user
could use this flaw to cause a denial of service or possibly gain
privileges. This issue only applied to Ubuntu 6.06 LTS, 8.04 LTS, 9.10,
and 10.04 LTS. (CVE-2010-2023)

Dan Rosenberg discovered that Exim incorrectly handled MBX locking. If
Exim were configured in this manner, a local user could use this flaw to
cause a denial of service or possibly gain privileges. This issue only
applied to Ubuntu 6.06 LTS, 8.04 LTS, 9.10, and 10.04 LTS. (CVE-2010-2024)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10
Ubuntu 8.04
Ubuntu 6.06
Ubuntu 10.10
Ubuntu 10.04

In general, a standard system update will make all the necessary changes.

ATTENTION: This security update brings changes to Exim's behaviour. Please
review the following information carefully, as your Exim configuration may
need to be adjusted after applying this update.

Exim no longer runs alternate configuration files specified with the -C
option as root. The new /etc/exim4/trusted_configs file can be used to
override this new behaviour. Files listed in trusted_configs and owned by
root will be run with root privileges when using the -C option.

In addition, Exim no longer runs as root when the -D option is used. Macro
definitions that require root privileges should now be placed in trusted
configuration files.

Please see the /usr/share/doc/exim4-*/NEWS.Debian file for detailed
information.