Message-Id: <E1PR4fH-0008GQ-4I@chopin.debian.org>
Date: Fri, 10 Dec 2010 15:13:43 +0000
From: Stefan Fritsch <sf@...ian.org>
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA-2131-1] New exim4 packages fix remote code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2131-1                  security@...ian.org
http://www.debian.org/security/                           Stefan Fritsch
December 10, 2010                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : exim4
Vulnerability  : arbitrary code execution
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2010-4344

Several vulnerabilities have been found in exim4 that allow a remote
attacker to execute arbitrary code as the root user. Exploits for these
issues have been seen in the wild.

This update fixes a memory corruption issue that allows a remote
attacker to execute arbitrary code as the Debian-exim user
(CVE-2010-4344).

A fix for an additional issue that allows the Debian-exim user to
obtain root privileges (CVE-2010-4345) is currently being checked for
compatibility issues. It is not yet included in this upgrade but will
be released soon in an update to this advisory.

For the stable distribution (lenny), this problem has been fixed in
version 4.69-9+lenny1.

This advisory only contains the packages for the alpha, amd64, hppa,
i386, ia64, powerpc, and s390 architectures. The packages for the
arm, armel, mips, mipsel, and sparc architectures will be released
as soon as they are built.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 4.70-1.

We strongly recommend that you upgrade your exim4 packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
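The Size/MD5 lines below exist so that an administrator who fetches a package by hand with wget can confirm it is the file the advisory describes before running dpkg -i. The following POSIX sh helpers are an added example, not part of DSA-2131-1 or of Debian's tooling: parse_advisory extracts "<filename> <size> <md5>" triples from a saved copy of the advisory text, verify_package compares a downloaded file's size and MD5 against such a triple, and exim4_needs_upgrade asks dpkg whether the installed exim4 is older than the fixed version. The function names and the path names in the usage comments are hypothetical; the version string and checksum values come from this advisory.

```shell
#!/bin/sh
# Added example (not from DSA-2131-1 or Debian): check a hand-downloaded
# package against the advisory's Size/MD5 line before installing it.
# Function names are hypothetical.

# Print "<size> <md5>" for a file; uses md5sum, or BSD md5 where md5sum is absent.
file_size_md5() {
    f="$1"
    size=$(wc -c < "$f" | tr -d ' ')
    if command -v md5sum >/dev/null 2>&1; then
        sum=$(md5sum "$f" | cut -d' ' -f1)
    else
        sum=$(md5 -q "$f")
    fi
    printf '%s %s\n' "$size" "$sum"
}

# verify_package FILE SIZE MD5: exit status 0 only when both size and
# checksum match the values given in the advisory.
verify_package() {
    f="$1"; want_size="$2"; want_md5="$3"
    set -- $(file_size_md5 "$f")
    [ "$1" = "$want_size" ] && [ "$2" = "$want_md5" ]
}

# parse_advisory ADVISORY_TEXT: for every URL line that is followed by a
# "Size/MD5 checksum:" line, print "<basename> <size> <md5>".
parse_advisory() {
    awk '
        /^[[:space:]]*https?:\/\// { n = split($1, p, "/"); name = p[n]; next }
        /Size\/MD5 checksum:/ && name != "" { print name, $3, $4; name = "" }
    ' "$1"
}

# exim4_needs_upgrade: exit 0 if the installed exim4 is older than the
# fixed lenny version named in this advisory. Requires dpkg, so it is
# only meaningful on a Debian host (not exercised offline).
exim4_needs_upgrade() {
    fixed="4.69-9+lenny1"
    installed=$(dpkg-query -W -f='${Version}' exim4 2>/dev/null) || return 1
    dpkg --compare-versions "$installed" lt "$fixed"
}

# Usage (constructed; paths are placeholders):
#   wget http://security.debian.org/pool/updates/main/e/exim4/exim4-base_4.69-9+lenny1_i386.deb
#   verify_package exim4-base_4.69-9+lenny1_i386.deb 991462 6c09d3fe98c8871a27f1e7a15a063ad5 \
#       && dpkg -i exim4-base_4.69-9+lenny1_i386.deb
#   parse_advisory dsa-2131-1.txt   # list every expected (file, size, md5)
```

The checksums only establish that the download is the file the advisory lists; what makes that list trustworthy is the PGP signature on the advisory itself, so verify the signature (or obtain the checksums from a verified copy) before relying on them. On Debian hosts the apt-get route is the simpler path, since apt validates packages against the signed Release file for you.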


Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------

Stable updates are available for alpha, amd64, hppa, i386, ia64, powerpc, and s390.

Source archives:

  http://security.debian.org/pool/updates/main/e/exim4/exim4_4.69-9+lenny1.diff.gz
    Size/MD5 checksum:   540338 02b14a5203dad202b090d360b0b2dcc9
  http://security.debian.org/pool/updates/main/e/exim4/exim4_4.69.orig.tar.gz
    Size/MD5 checksum:  1659309 f0176239d54546526f519e266182c019
  http://security.debian.org/pool/updates/main/e/exim4/exim4_4.69-9+lenny1.dsc
    Size/MD5 checksum:     1599 c4dbede4f942a293245a8b0e1345663b

Architecture independent packages:

  http://security.debian.org/pool/updates/main/e/exim4/exim4-config_4.69-9+lenny1_all.deb
    Size/MD5 checksum:   347928 2c69c70452196863d68efa0ddaf11899
  http://security.debian.org/pool/updates/main/e/exim4/exim4_4.69-9+lenny1_all.deb
    Size/MD5 checksum:     7456 34aca3975b72dcef0eff854c55382f99

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/e/exim4/eximon4_4.69-9+lenny1_alpha.deb
    Size/MD5 checksum:   107042 3c23a5ca361eae84d8206fcbd03be2ac
  http://security.debian.org/pool/updates/main/e/exim4/exim4-dbg_4.69-9+lenny1_alpha.deb
    Size/MD5 checksum:   268366 61e70a2e40c28490c5439ea574a42a1e
  http://security.debian.org/pool/updates/main/e/exim4/exim4-dev_4.69-9+lenny1_alpha.deb
    Size/MD5 checksum:    70452 bd403eea6c21a33aabed594970bb7ca0
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-light_4.69-9+lenny1_alpha.deb
    Size/MD5 checksum:   485246 4b73bb0a4969431ed2e1ba85f29cc33c
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-light-dbg_4.69-9+lenny1_alpha.deb
    Size/MD5 checksum:   695552 06295b37a3d103ca6d1ca2600278efaa
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-heavy_4.69-9+lenny1_alpha.deb
    Size/MD5 checksum:   545914 6d0656f5f30bdcf940a0ece3b0e766a6
  http://security.debian.org/pool/updates/main/e/exim4/exim4-base_4.69-9+lenny1_alpha.deb
    Size/MD5 checksum:   997988 6ef1e3418c34bd8d9754dec44435301f
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-heavy-dbg_4.69-9+lenny1_alpha.deb
    Size/MD5 checksum:   782276 76b5512c6462f2a6f51c8a47e69732ed

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-light-dbg_4.69-9+lenny1_amd64.deb
    Size/MD5 checksum:   730276 02b380cb498097cb3ec5181b65379b52
  http://security.debian.org/pool/updates/main/e/exim4/exim4-dbg_4.69-9+lenny1_amd64.deb
    Size/MD5 checksum:   270376 01b04f5b698a4d037abd7630101ac449
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-light_4.69-9+lenny1_amd64.deb
    Size/MD5 checksum:   451556 ff86270a77ce1bdf92fdc259eb0215ad
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-heavy-dbg_4.69-9+lenny1_amd64.deb
    Size/MD5 checksum:   822322 30718293430eb39c6d33a4c9857e4d33
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-heavy_4.69-9+lenny1_amd64.deb
    Size/MD5 checksum:   503132 4a568aee8ee55837efabe0e721af541f
  http://security.debian.org/pool/updates/main/e/exim4/exim4-base_4.69-9+lenny1_amd64.deb
    Size/MD5 checksum:   990794 79fb07ee829608b95a2fd362360d14ae
  http://security.debian.org/pool/updates/main/e/exim4/eximon4_4.69-9+lenny1_amd64.deb
    Size/MD5 checksum:   101578 2093fbcfc7fc0a725e663241459e4d1e
  http://security.debian.org/pool/updates/main/e/exim4/exim4-dev_4.69-9+lenny1_amd64.deb
    Size/MD5 checksum:    70436 bcd7d1ff8951ba07244caa0093e27bcd

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-light_4.69-9+lenny1_hppa.deb
    Size/MD5 checksum:   459820 47f60e827fbae0082ab858475118c13f
  http://security.debian.org/pool/updates/main/e/exim4/eximon4_4.69-9+lenny1_hppa.deb
    Size/MD5 checksum:   104404 e698b32f0a154d793d4c15a85844ed94
  http://security.debian.org/pool/updates/main/e/exim4/exim4-dev_4.69-9+lenny1_hppa.deb
    Size/MD5 checksum:    70432 3b2159106cb03501521f9ea7bc762f13
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-heavy-dbg_4.69-9+lenny1_hppa.deb
    Size/MD5 checksum:   797562 5df0c0e7b2ac32bd7db5701991d452c0
  http://security.debian.org/pool/updates/main/e/exim4/exim4-dbg_4.69-9+lenny1_hppa.deb
    Size/MD5 checksum:   269638 a8c0c36e980a6b22368223b943c70b02
  http://security.debian.org/pool/updates/main/e/exim4/exim4-base_4.69-9+lenny1_hppa.deb
    Size/MD5 checksum:   995296 0327487ce183070cc34c0b9ea92089ff
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-heavy_4.69-9+lenny1_hppa.deb
    Size/MD5 checksum:   513740 93c376bc2945367b6b58011e41726d7c
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-light-dbg_4.69-9+lenny1_hppa.deb
    Size/MD5 checksum:   708374 060dc9ae73ef8bb4b98f1eb7c1b78502

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-light_4.69-9+lenny1_i386.deb
    Size/MD5 checksum:   422176 7da1afa89308957a060e3281b359d874
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-heavy-dbg_4.69-9+lenny1_i386.deb
    Size/MD5 checksum:   758182 855b16b433613e5ea59363b99dc6a51c
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-heavy_4.69-9+lenny1_i386.deb
    Size/MD5 checksum:   469844 cf0a48604846b8632b5356f7e621dcc5
  http://security.debian.org/pool/updates/main/e/exim4/exim4-base_4.69-9+lenny1_i386.deb
    Size/MD5 checksum:   991462 6c09d3fe98c8871a27f1e7a15a063ad5
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-light-dbg_4.69-9+lenny1_i386.deb
    Size/MD5 checksum:   673206 9ed34917a025ee6d32602cf09fe823e5
  http://security.debian.org/pool/updates/main/e/exim4/eximon4_4.69-9+lenny1_i386.deb
    Size/MD5 checksum:    98200 727f9dbc2991efe8615e6dcfd48a057a
  http://security.debian.org/pool/updates/main/e/exim4/exim4-dev_4.69-9+lenny1_i386.deb
    Size/MD5 checksum:    70440 fc1f17f43556c74bab524c60a47087b0
  http://security.debian.org/pool/updates/main/e/exim4/exim4-dbg_4.69-9+lenny1_i386.deb
    Size/MD5 checksum:   263162 0b4541a79cd0b007ace3ef537faf5f86

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-heavy-dbg_4.69-9+lenny1_ia64.deb
    Size/MD5 checksum:   808168 217648adc9beeaef0457a6b1ec344174
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-light_4.69-9+lenny1_ia64.deb
    Size/MD5 checksum:   649130 08c2b30ac372463345ec2d0f791b7b27
  http://security.debian.org/pool/updates/main/e/exim4/exim4-dbg_4.69-9+lenny1_ia64.deb
    Size/MD5 checksum:   268344 ad1fee4c3347d3196e3d6bca8cab611a
  http://security.debian.org/pool/updates/main/e/exim4/eximon4_4.69-9+lenny1_ia64.deb
    Size/MD5 checksum:   120268 94e425a8d0f7aac0493ea83533d174f2
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-heavy_4.69-9+lenny1_ia64.deb
    Size/MD5 checksum:   725504 b504ff4c200e079847644cc1b67339e0
  http://security.debian.org/pool/updates/main/e/exim4/exim4-dev_4.69-9+lenny1_ia64.deb
    Size/MD5 checksum:    70428 80fb3a62362526ff7bd199fe9c9f4cee
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-light-dbg_4.69-9+lenny1_ia64.deb
    Size/MD5 checksum:   719612 b6e8101c9b75122f4bd2752ea94d0c50
  http://security.debian.org/pool/updates/main/e/exim4/exim4-base_4.69-9+lenny1_ia64.deb
    Size/MD5 checksum:  1001900 e0f2423c26bcff7999b1a573798ddc93

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-heavy_4.69-9+lenny1_powerpc.deb
    Size/MD5 checksum:   516252 b4b01c81b24a0815fee01e63549d0fdb
  http://security.debian.org/pool/updates/main/e/exim4/exim4-dbg_4.69-9+lenny1_powerpc.deb
    Size/MD5 checksum:   278010 28aafc3202b2b6c898c6bef9e3a3f8ae
  http://security.debian.org/pool/updates/main/e/exim4/exim4-base_4.69-9+lenny1_powerpc.deb
    Size/MD5 checksum:   999716 f081a917ee8a7565b80a8a7e3f634714
  http://security.debian.org/pool/updates/main/e/exim4/exim4-dev_4.69-9+lenny1_powerpc.deb
    Size/MD5 checksum:    70450 b067c3c2532ab5562288e909fda32107
  http://security.debian.org/pool/updates/main/e/exim4/eximon4_4.69-9+lenny1_powerpc.deb
    Size/MD5 checksum:   106878 50dea9833a19929b7b45979f399362a4
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-light-dbg_4.69-9+lenny1_powerpc.deb
    Size/MD5 checksum:   723668 d40607cc70449a3c74949c29d526e1bf
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-light_4.69-9+lenny1_powerpc.deb
    Size/MD5 checksum:   461508 08ddcdeac3b248a42b3ad8415297e003
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-heavy-dbg_4.69-9+lenny1_powerpc.deb
    Size/MD5 checksum:   812956 83c7f0c195df1fb6f378b6d9c2867824

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-heavy-dbg_4.69-9+lenny1_s390.deb
    Size/MD5 checksum:   826020 fe652ff45f897f642b48d9b9e9bb4468
  http://security.debian.org/pool/updates/main/e/exim4/eximon4_4.69-9+lenny1_s390.deb
    Size/MD5 checksum:   103964 67a88572dd097a47cc5681257248c21e
  http://security.debian.org/pool/updates/main/e/exim4/exim4-dbg_4.69-9+lenny1_s390.deb
    Size/MD5 checksum:   270662 df3284678ba711a0ea5a54a20bf0d2ab
  http://security.debian.org/pool/updates/main/e/exim4/exim4-dev_4.69-9+lenny1_s390.deb
    Size/MD5 checksum:    70462 58c68883e8e16f7c46ea4ed780c51804
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-light-dbg_4.69-9+lenny1_s390.deb
    Size/MD5 checksum:   734468 eb2f61d7bf0f1d63e17ee7ea7e8b2f61
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-heavy_4.69-9+lenny1_s390.deb
    Size/MD5 checksum:   498378 4494d9ef50447b9e5c5729bce31b01b3
  http://security.debian.org/pool/updates/main/e/exim4/exim4-daemon-light_4.69-9+lenny1_s390.deb
    Size/MD5 checksum:   445274 0f34546a198f6c9f680dab68b42a361f
  http://security.debian.org/pool/updates/main/e/exim4/exim4-base_4.69-9+lenny1_s390.deb
    Size/MD5 checksum:   998510 a5509affe7bee9a2d32da8fb60e38f34


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFNAkHjbxelr8HyTqQRAjasAJ9nk4OGBY1kEWYYjKupXHzRgpO+nQCg2KJ0
kvzhvhC408r0LXtjjqdHSgM=
=KKHv
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
