Fixes CVE-2019-15846: Local or remote attacker can execute programs with
root privileges
For details, see the advisory:
https://exim.org/static/doc/security/CVE-2019-15846.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes CVE-2019-13917:
http://www.exim.org/static/doc/security/CVE-2019-13917.txtd185889f47
added new code to "Prebuild the data structure for builtin macros".
This function needs a host-built binary called macro_predef, it depends
on host-berkeleydb, host-pcre and optionally on host-openssl.
With an openssl-enabled exim the host build of macro_predef will fail
if host-openssl is missing:
/usr/bin/gcc -DMACRO_PREDEF macro_predef.c
In file included from hash.h:14,
from exim.h:485,
from macro_predef.c:11:
sha_ver.h:37:12: fatal error: openssl/ssl.h: No such file or directory
because macro_predef also has the an optional dependency on openssl:
https://github.com/Exim/exim/blob/exim-4.92%2Bfixes/src/src/macro_predef.c#L130
Removed patches applied upstream:
0004: 98913c8ea2
0005: cf3cd30606
0007: 7ea1237c78 (diff-58af16fe62ea674adf1730edc078d175R6243)
Added patch to fix uClibc build.
Added license hash, switched _SITE to https.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
No features are added or removed. This release contains
just a fix for CVE-2016-9963
- Fix CVE-2016-9963 - Info leak from DKIM. When signing DKIM, if
either LMTP or PRDR was used for delivery, the key could appear in
logs. Additionally, if the experimental feature "DSN_INFO" was used,
it could appear in DSN messages (and be sent offsite).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-1531 - All installations having Exim set-uid root and using
'perl_startup' are vulnerable to a local privilege escalation. Any user
who can start an instance of Exim (and this is normally *any* user) can
gain root privileges. If you do not use 'perl_startup' you *should* be
safe.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
