From: Heiko Schlittermann (HS12-RIPE) Date: Fri, 4 Mar 2016 11:51:04 +0000 (+0100) Subject: Add text about security update. Please remove before next release! X-Git-Tag: exim-4_89_1~21 X-Git-Url: https://git.exim.org/exim-website.git/commitdiff_plain/989c3af24c4d867034ddefc4f6125353e364973c Add text about security update. Please remove before next release! --- diff --git a/templates/static/doc/CVE-2016-1531.txt b/templates/static/doc/CVE-2016-1531.txt new file mode 100644 index 0000000..a95875e --- /dev/null +++ b/templates/static/doc/CVE-2016-1531.txt 
@@ -0,0 +1,49 @@ +Security fix for CVE-2016-1531 +============================== + +All installations having Exim set-uid root and using 'perl_startup' are +vulnerable to a local privilege escalation. Any user who can start an +instance of Exim (and this is normally *any* user) can gain root +privileges. + +New options +----------- + +We had to introduce two new configuration options: + + keep_environment = + add_environment = + +Both options are empty per default. That is, Exim cleans the complete +environment on startup. This affects Exim itself and any subprocesses, +as transports, that may call other programs via some alias mechanisms, +as routers (queryprogram), lookups, and so on. + +** THIS MAY BREAK your existing installation ** + +If both options are not used in the configuration, Exim issues a warning +on startup. This warning disappears if at least one of these options is +used (even if set to an empty value). + +keep_environment should contain a list of trusted environment variables. +(Do you trust PATH?). This may be a list of names and REs. + + keep_environment = ^LDAP_ : FOO_PATH + +To add (or override) variables, you can use add_environment: + + add_environment = <; PATH=/sbin:/usr/sbin + + +New behaviour +------------- + +Now Exim changes it's working directory to / right after startup, +even before reading it's configuration. (Later Exim changes it's working +directory to $spool_directory, as usual.) + +Exim only accepts an absolute configuration file path now, when using +the -C option. + + +Thank you for your understanding. diff --git a/templates/web/index.xsl b/templates/web/index.xsl index 4e91c28..c1fafd7 100644 --- a/templates/web/index.xsl +++ b/templates/web/index.xsl @@ -50,6 +50,8 @@

The current version is + This is a security update. Please read CVE-2016-1531 + for more information.
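Review bot: the new advisory text in templates/static/doc/CVE-2016-1531.txt has wording defects that should be fixed before it ships: "it's" should be "its" in all three places under "New behaviour" ("changes its working directory", "reading its configuration"), "empty per default" should read "empty by default", and "If both options are not used in the configuration" is ambiguous and should read "If neither option is set in the configuration" so it matches the next sentence about the warning disappearing once one of them is set. The sentence "This affects Exim itself and any subprocesses, as transports, that may call other programs via some alias mechanisms, as routers (queryprogram), lookups, and so on" reads better as "such as transports that may call other programs via alias mechanisms, routers (queryprogram), lookups, and so on". On the substance, the example `keep_environment = ^LDAP_ : FOO_PATH` mixes an anchored regular expression with a plain name while the text only says "This may be a list of names and REs"; one sentence stating how a plain name is matched (exact name versus substring) would stop administrators from keeping more of the environment than they intend, which matters given the text's own caution about trusting PATH.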
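Review bot: the commit message asks for this notice to be removed before the next release, but nothing in templates/web/index.xsl records that; add an XSL comment beside the inserted lines, e.g. `<!-- TODO: remove CVE-2016-1531 notice before next release -->`, so the reminder travels with the template rather than living only in the history. As rendered in this hunk, the notice reads "Please read CVE-2016-1531 for more information" with no visible reference to the new templates/static/doc/CVE-2016-1531.txt file added in the same commit; if the link markup was dropped, restore it so readers can actually reach the advisory text.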