I'd rather check this on my root server first, because...

On Sunday, 30.01.2011, 10:41 +0000, Stefan Fritsch wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-2154-1                   secur...@debian.org
> http://www.debian.org/security/                           Stefan Fritsch
> January 30, 2011                      http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
> [..]
> If you use the -C
> or -D options or use the system filter facility, you should evaluate
> the changes carefully and adjust your configuration accordingly.

... it could cause problems with the greylisting integration!

> The
> Debian default configuration is not affected by the changes.
>
> The detailed list of changes is described in the NEWS.Debian file in
> the packages. The relevant sections are also reproduced below.
>
> In addition to that, missing error handling for the setuid/setgid
> system calls allowed the Debian-exim user to cause root to append
> log data to arbitrary files (CVE-2011-0017).
>
> For the stable distribution (lenny), these problems have been fixed in
> version 4.69-9+lenny3.
>
> For the testing distribution (squeeze) and the unstable distribution
> (sid), these problems have been fixed in version 4.72-4.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> - ------------------------------------------------------------------------
> Excerpt from the NEWS.Debian file from the packages exim4-daemon-light
> and exim4-daemon-heavy:
>
> Exim versions up to and including 4.72 are vulnerable to
> CVE-2010-4345. This is a privilege escalation issue that allows the
> exim user to gain root privileges by specifying an alternate
> configuration file using the -C option. The macro override facility
> (-D) might also be misused for this purpose.
>
> In reaction to this security vulnerability upstream has made a number
> of user visible changes. This package includes these changes.
>
> If exim is invoked with the -C or -D option the daemon will not regain
> root privileges through re-execution. This is usually necessary for
> local delivery, though. Therefore it is generally not possible anymore
> to run an exim daemon with -D or -C options.
>
> However this version of exim has been built with
> TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. TRUSTED_CONFIG_LIST
> defines a list of configuration files which are trusted; if a config
> file is owned by root and matches a pathname in the list, then it may
> be invoked by the Exim build-time user without Exim relinquishing root
> privileges.
>
> As a hotfix to not break existing installations of mailscanner we have
> also set WHITELIST_D_MACROS=OUTGOING, i.e. it is still possible to
> start exim with -DOUTGOING while being able to do local deliveries.
>
> If you previously were using -D switches you will need to change your
> setup to use a separate configuration file. The ".include" mechanism
> makes this easy.
>
> The system filter is run as exim_user instead of root by default. If
> your setup requires root privileges when running the system filter you
> will need to set the system_filter_user exim main configuration
> option.
> - ------------------------------------------------------------------------
>
> Mailing list: debian-security-annou...@lists.debian.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iD8DBQFNRUAWbxelr8HyTqQRAnoKAJ9yvfLsBBM+zDddAF0Bg1PRknw1vQCgoL4q
> GRsuFBCpLRszeIrSYf6rIjk=
> =6Cy/
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/e1pjujg-00024b...@chopin.debian.org
>

--
Kai Moritz
Development
Phone: 0234/7090883
Mobile: 0176/20504747
E-Mail: k...@coolibri.de
---------------------------------------------------------
coolibri office in Bochum:
Phone: 0234/93737-0
Fax: 0234/93737-99
E-Mail: i...@coolibri.de

coolibri - Germany's most-read city magazine, 279,000 readers per issue (AWA 2009)
www.coolibri.de - Freizeitverführer Metropole West
coolibri, sponsoring partner of RUHR.2010

Roland Scherer Verlags- und Werbeservice GmbH
Ehrenfeldstr. 34
44789 Bochum
---------------------------------------------------------
Registered office: Bochum
Register court: Amtsgericht Bochum HRB 3259
Managing director: Roland Scherer

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1296394271.8789.2.camel@macbook
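As an added example, not part of the quoted advisory, the exim4 package or either poster's message: a small POSIX shell function that models the admission rule the NEWS.Debian excerpt describes, so that an administrator can check a planned exim command line (say, one that starts a greylisting or outgoing-only instance with -C or -D) before applying the update. The trusted-list path /etc/exim4/trusted_configs and the OUTGOING whitelist come from the advisory; the function name, the uid parameter and the sample command lines are constructed for this example. The model omits checks exim itself performs beyond what the advisory states (such as on the values given to whitelisted macros), so a pass here means "consistent with the advisory text", not "exim will accept it".

```shell
#!/bin/sh
# Added example (not exim's own code): a simplified model of the DSA-2154
# rule. An exim invocation keeps root only if every -C file is listed
# verbatim in TRUSTED_CONFIG_LIST and owned by root, and every -D macro
# name is in WHITELIST_D_MACROS. Exim applies further checks that this
# model leaves out.

# exim_keeps_root TRUSTED_LIST WHITELIST OWNER_UID ARGS...
#   TRUSTED_LIST : file with one trusted config path per line
#                  (Debian builds with /etc/exim4/trusted_configs)
#   WHITELIST    : colon-separated macro names (Debian builds with OUTGOING)
#   OWNER_UID    : numeric uid owning the -C file; passed in rather than
#                  read with stat so the check can run without a root-owned
#                  fixture (live use: "$(stat -c %u /path/to/config)")
#   ARGS         : the exim command line to evaluate
# Returns 0 if root would be retained, 1 if exim would drop it.
exim_keeps_root() {
    list="$1"; whitelist="$2"; owner="$3"; shift 3
    while [ $# -gt 0 ]; do
        arg="$1"; shift
        # Accept both "-C file" and "-Cfile" spellings (same for -D).
        case "$arg" in
            -C|-D)
                if [ $# -gt 0 ]; then arg="$arg$1"; shift; fi
                ;;
        esac
        case "$arg" in
            -C*)
                cfg="${arg#-C}"
                # The path must appear verbatim in the trusted list ...
                grep -qxF -- "$cfg" "$list" || return 1
                # ... and the file must be owned by root.
                [ "$owner" = "0" ] || return 1
                ;;
            -D*)
                macro="${arg#-D}"
                macro="${macro%%=*}"   # strip any "=value" part
                # The macro name must be one of the whitelisted names.
                case ":$whitelist:" in
                    *":$macro:"*) ;;
                    *) return 1 ;;
                esac
                ;;
        esac
    done
    return 0
}

# Live usage (paths are examples):
#   exim_keeps_root /etc/exim4/trusted_configs OUTGOING \
#       "$(stat -c %u /etc/exim4/exim4-outgoing.conf)" \
#       -C /etc/exim4/exim4-outgoing.conf -bd -q30m && echo "root retained"
```

Because the advisory says the Debian default configuration is unaffected, a plain `exim4 -bd -q30m` passes without consulting either list; only invocations carrying -C or -D are constrained, which is exactly where a greylisting wrapper that used to pass its own macros needs reviewing.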