[Debian] Vulnerabilities in exim - DSA-2154-1

Dear colleagues,

we have just received the following warning from the Debian team. We are
passing this information on to you unchanged.

Please note that the packages for DSA-2154-1 introduced a regression,
which was fixed with DSA-2154-2.

CVE-2010-4345 - Vulnerability allows privilege escalation

In Exim before version 4.70 there is a vulnerability that allows the
unprivileged Exim user to make the Exim daemon read a different
configuration file. A local attacker can exploit this to obtain root
privileges.

CVE-2011-0017 - Vulnerability in Exim allows access to log data

Exim handles the setuid/setgid system calls in an unsafe manner; missing
error handling allows a local attacker to cause log data to be appended
to arbitrary files with root privileges.

The following software packages and platforms are affected:

Package exim4 in the stable distribution (lenny) before version
4.69-9+lenny4
Package exim4 in the testing distribution (squeeze) and the unstable
distribution (sid) before version 4.72-4.
Please note that for the latter, the regression that was introduced has
not yet been fixed.

Stable Distribution (lenny)
Testing Distribution (squeeze)
Unstable Distribution (sid)

The vendor provides updated packages.

(c) of the German summary held by DFN-CERT Services GmbH; distribution,
including of excerpts, is permitted only with attribution to the
originator, DFN-CERT Services GmbH, and only for non-commercial
purposes.

Kind regards,
Detlev O. Matthies

--

Detlev O. Matthies, M.Sc. (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID no.: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatic warning messages https://www.cert.dfn.de/autowarn

------------------------------------------------------------------------
Debian Security Advisory DSA-2154-1                  security@debian.org
http://www.debian.org/security/                           Stefan Fritsch
January 30, 2011                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package : exim4
Vulnerability : privilege escalation
Problem type : local
CVE Id(s) : CVE-2010-4345 CVE-2011-0017
Behaviour change : yes

A design flaw (CVE-2010-4345) in exim4 allowed the local Debian-exim
user to obtain root privileges by specifying an alternate
configuration file using the -C option or by using the macro override
facility (-D option). Unfortunately, fixing this vulnerability is not
possible without some changes in exim4’s behaviour. If you use the -C
or -D options or use the system filter facility, you should evaluate
the changes carefully and adjust your configuration accordingly. The
Debian default configuration is not affected by the changes.

The detailed list of changes is described in the NEWS.Debian file in
the packages. The relevant sections are also reproduced below.

In addition to that, missing error handling for the setuid/setgid
system calls allowed the Debian-exim user to cause root to append
log data to arbitrary files (CVE-2011-0017).

For the stable distribution (lenny), these problems have been fixed in
version 4.69-9+lenny3.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 4.72-4.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

------------------------------------------------------------------------
Excerpt from the NEWS.Debian file from the packages exim4-daemon-light
and exim4-daemon-heavy:

Exim versions up to and including 4.72 are vulnerable to
CVE-2010-4345. This is a privilege escalation issue that allows the
exim user to gain root privileges by specifying an alternate
configuration file using the -C option. The macro override facility
(-D) might also be misused for this purpose.

In reaction to this security vulnerability upstream has made a number
of user visible changes. This package includes these changes.

If exim is invoked with the -C or -D option the daemon will not regain
root privileges through re-execution. This is usually necessary for
local delivery, though. Therefore it is generally not possible anymore
to run an exim daemon with -D or -C options.

However this version of exim has been built with
TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. TRUSTED_CONFIG_LIST
defines a list of configuration files which are trusted; if a config
file is owned by root and matches a pathname in the list, then it may
be invoked by the Exim build-time user without Exim relinquishing root
privileges.

As a hotfix to not break existing installations of mailscanner we have
also set WHITELIST_D_MACROS=OUTGOING, i.e. it is still possible to
start exim with -DOUTGOING while being able to do local deliveries.

If you previously were using -D switches you will need to change your
setup to use a separate configuration file. The “.include” mechanism
makes this easy.

The system filter is run as exim_user instead of root by default. If
your setup requires root privileges when running the system filter you
will need to set the system_filter_user exim main configuration
option.
------------------------------------------------------------------------

Mailing list: debian-security-announce@lists.debian.org
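
One way to check the condition from the NEWS.Debian excerpt above (a trusted config file must be owned by root and listed in /etc/exim4/trusted_configs), as an added example that is not part of the advisory or of Exim's code. The one-pathname-per-line list format, the function names, the finding labels and the extra write-permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example (constructed for this page, not Debian's or Exim's own code).
# audit_trusted_configs [LIST_FILE] [REQUIRED_OWNER_UID]
# Prints one finding per line; returns 0 when clean, 1 otherwise.

check_file() {   # hypothetical helper: owner and write-bit check for one file
    f=$1; want=$2; bad=0
    if [ ! -f "$f" ]; then
        echo "NOT-A-REGULAR-FILE $f"
        return 1
    fi
    uid=$(stat -L -c %u "$f")    # GNU stat, as shipped on Debian
    mode=$(stat -L -c %a "$f")   # octal permission bits, e.g. 644
    if [ "$uid" != "$want" ]; then
        echo "WRONG-OWNER uid=$uid $f"
        bad=1
    fi
    # Assumption of this example: also reject group/other write access,
    # because a file others can edit defeats the ownership requirement.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "GROUP-OR-WORLD-WRITABLE mode=$mode $f"
        bad=1
    fi
    return $bad
}

audit_trusted_configs() {
    list=${1:-/etc/exim4/trusted_configs}   # build-time path named in the advisory
    owner=${2:-0}                           # root, as the advisory requires
    rc=0
    # The list itself must be as well protected as the files it names.
    check_file "$list" "$owner" || rc=1
    [ -f "$list" ] || return 1
    while IFS= read -r path || [ -n "$path" ]; do
        [ -z "$path" ] && continue          # skip blank lines
        case $path in
            /*) check_file "$path" "$owner" || rc=1 ;;
            *)  echo "NOT-ABSOLUTE $path"; rc=1 ;;
        esac
    done < "$list"
    return $rc
}
```

Run `audit_trusted_configs` as root on the mail host after adding entries for configurations that were previously started with -C; any printed finding names a file that should be fixed before relying on it.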

