+++ /dev/null
-Security fix for CVE-2016-1531
-==============================
-
-All installations having Exim set-uid root and using 'perl_startup' are
-vulnerable to a local privilege escalation. Any user who can start an
-instance of Exim (and this is normally *any* user) can gain root
-privileges.
-
-New options
------------
-
-We had to introduce two new configuration options:
-
- keep_environment =
- add_environment =
-
-Both options are empty per default. That is, Exim cleans the complete
-environment on startup. This affects Exim itself and any subprocesses,
-as transports, that may call other programs via some alias mechanisms,
-as routers (queryprogram), lookups, and so on.
-
-** THIS MAY BREAK your existing installation **
-
-If both options are not used in the configuration, Exim issues a warning
-on startup. This warning disappears if at least one of these options is
-used (even if set to an empty value).
-
-keep_environment should contain a list of trusted environment variables.
-(Do you trust PATH?). This may be a list of names and REs.
-
- keep_environment = ^LDAP_ : FOO_PATH
-
-To add (or override) variables, you can use add_environment:
-
- add_environment = <; PATH=/sbin:/usr/sbin
-
-
-New behaviour
--------------
-
-Now Exim changes it's working directory to / right after startup,
-even before reading it's configuration. (Later Exim changes it's working
-directory to $spool_directory, as usual.)
-
-Exim only accepts an absolute configuration file path now, when using
-the -C option.
-
-
-Thank you for your understanding.
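Review bot: The upgrade-critical statements in this removed notice need a home elsewhere before the file is deleted, and nothing in the visible diff adds them to another document. That applies to the "New options" and "New behaviour" sections in particular: the environment is cleaned completely when keep_environment and add_environment are both unset, Exim warns on startup unless at least one of them is set, the working directory changes to / before the configuration is read, and -C accepts only an absolute path. Operators upgrading across the CVE-2016-1531 fix rely on the "THIS MAY BREAK your existing installation" warning to know that subprocesses started by transports, routers (queryprogram) and lookups lose their inherited environment. Suggest confirming in the commit message where this text now lives in the maintained documentation, or keeping a short pointer to that location in place of the file. If the text is carried over, it is also a chance to correct "it's working directory" to "its working directory" in the three places it occurs.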