From: Heiko Schlittermann (HS12-RIPE) Date: Wed, 6 Apr 2016 20:11:12 +0000 (+0200) Subject: Add CVE-2016-1531.txt to support links from external X-Git-Tag: exim-4_89_1~15 X-Git-Url: https://git.exim.org/exim-website.git/commitdiff_plain/5a35ca8c7b28178f412b93ecdeee627367029500?hp=092c2b588e76a2917d5bbfd81638d2487bbd51e5 Add CVE-2016-1531.txt to support links from external --- diff --git a/templates/static/doc/CVE-2016-1531.txt b/templates/static/doc/CVE-2016-1531.txt new file mode 100644 index 0000000..7a2bf41 --- /dev/null +++ b/templates/static/doc/CVE-2016-1531.txt 
@@ -0,0 +1,63 @@ +Security fix for CVE-2016-1531 +============================== + +All installations having Exim set-uid root and using 'perl_startup' are +vulnerable to a local privilege escalation. Any user who can start an +instance of Exim (and this is normally *any* user) can gain root +privileges. + +The official fix is in Exim release 4.86.2. (tagged as exim-4_86_2) + +For your convenience we released 4.85.2 (tagged as exim-4_85_2) + 4.84.2 (tagged as exim-4_84_2) + +To support package maintainers on older systems we maintain (on a best +effort basis) GIT branches with backported patches for older releases: + + exim-4_80_1+CVE-2016-1531 + exim-4_82_1+CVE-2016-1531 + +(We didn't assign GIT tags, to indicate that's nothing real official.) + + +New options +----------- + +We had to introduce two new configuration options: + + keep_environment = + add_environment = + +Both options are empty per default. That is, Exim cleans the complete +environment on startup. This affects Exim itself and any subprocesses, +as transports, that may call other programs via some alias mechanisms, +as routers (queryprogram), lookups, and so on. + +** THIS MAY BREAK your existing installation ** + +If both options are not used in the configuration, Exim issues a warning +on startup. This warning disappears if at least one of these options is +used (even if set to an empty value). + +keep_environment should contain a list of trusted environment variables. +(Do you trust PATH?). This may be a list of names and REs. + + keep_environment = ^LDAP_ : FOO_PATH + +To add (or override) variables, you can use add_environment: + + add_environment = <; PATH=/sbin:/usr/sbin + + +New behaviour +------------- + +Now Exim changes its working directory to / right after startup, +even before reading its configuration. (Later Exim changes its working +directory to $spool_directory, as usual.) + +Exim only accepts an absolute configuration file path now, when using +the -C option. 
+ + +Thank you for your understanding.
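Review bot: the sentence "If both options are not used in the configuration, Exim issues a warning on startup" is ambiguous and contradicts the sentence after it on a literal reading; since the warning disappears when at least one option is used, it should say "If neither option is set in the configuration, Exim issues a warning on startup." A few smaller wording points in the same file: "Both options are empty per default" should be "by default", "any subprocesses, as transports, that may call other programs via some alias mechanisms, as routers (queryprogram), lookups" reads better as "any subprocesses, such as transports that call other programs via alias mechanisms, routers (queryprogram), lookups, and so on", and "to indicate that's nothing real official" is clearer as "to indicate that these are not official releases". The keep_environment paragraph could also state explicitly that the example `^LDAP_ : FOO_PATH` keeps every variable whose name starts with LDAP_ plus the single variable FOO_PATH, so that readers see the regex form matches prefixes, and the `<;` in the add_environment example could be noted as changing the list separator to `;` because the value itself contains `:`.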