CVE-2019-15846: Exim - local or remote attacker can execute programs with root privs

smtalk (Administrator, Staff member; joined Aug 22, 2006; 8,339 messages; location LT, EU)

Already on files1; mirrors might take a couple of hours to sync.

ditto (Verified User; joined Apr 27, 2009; 2,461 messages)
@smtalk, Thank you very much! However, I wonder how you were able to get the new release so soon? It is not even available on git yet: https://github.com/Exim/exim/releases

Maybe you are entitled to access the Exim non-public security repository? If so, did you see this message?: https://lists.exim.org/lurker/message/20190906.054016.db2b9408.en.html

The branch got two new commits, fixing a small tool. This tool is not
designed to process untrusted data, so there is no security issue, but
it was buggy. It is unlikely to be critical.

You may consider including the fix in the packages to be
released at CRD (today, 10.00 UTC) or schedule it for a later
maintenance release of the Exim packages.

So my question is, does the version in CustomBuild include those two new commits?

Edit: Just seconds after I wrote this, the new version was released on Git.

HeyDev (New member; joined Aug 4, 2011; 4 messages)
Can someone explain how exim is handled/managed by DirectAdmin?

My installation is using CustomBuild and I see that it is compiled from source. However, on the server I also notice that there is an older rpm package for exim.

Code:
[root@server ~]# rpm -qa | grep da_exim
da_exim-4.89.1-1.x86_64
[root@server ~]# exim --version | head -1
Exim version 4.92.2 #5 built 08-Sep-2019 19:56:50
2019-09-08 20:07:06 cwd=/root 2 args: exim --version
Am I safe to remove the older exim rpm package?
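As an added example that is not part of the thread and is not DirectAdmin's or Exim's own code: a small POSIX shell script that reports whether the exim binary actually found in PATH is at or above 4.92.2 (the release that fixes CVE-2019-15846) and, on rpm-based hosts, which package owns that binary. It assumes the banner format shown in the post above; the embedded sample banner is constructed from that post, and the helper names (exim_version_from_banner, version_cmp, exim_is_fixed, live_check) are mine.

```shell
#!/bin/sh
# Added example, not code from the thread, DirectAdmin or Exim: check that the
# exim binary actually found in PATH is at or above the release that fixes
# CVE-2019-15846, and report which package (if any) owns that binary.
# Assumptions: the first line of "exim --version" looks like
# "Exim version 4.92.2 #5 built 08-Sep-2019 19:56:50" (as in the post above),
# and 4.92.2 is the fixed release.

FIXED_VERSION="4.92.2"

# Constructed sample banner, shaped like the one in the post above.
SAMPLE_BANNER="Exim version 4.92.2 #5 built 08-Sep-2019 19:56:50"

# Print the dotted version number from an "Exim version ..." banner line;
# prints nothing if the line does not match (e.g. the log line exim also emits).
exim_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# Compare two dotted versions numerically, segment by segment; a missing
# segment counts as 0 (so 4.92 < 4.92.2). Prints -1, 0 or 1.
version_cmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        pa=${a%%.*}; a=${a#*.}
        pb=${b%%.*}; b=${b#*.}
        pa=${pa:-0}; pb=${pb:-0}
        if [ "$pa" -lt "$pb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$pa" -gt "$pb" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Exit status 0 if the banner's version is >= FIXED_VERSION, 1 if it is older,
# 2 if no version could be parsed (treat that as "not known to be fixed").
exim_is_fixed() {
    v=$(exim_version_from_banner "$1")
    [ -n "$v" ] || return 2
    case "$(version_cmp "$v" "$FIXED_VERSION")" in
        -1) return 1 ;;
        *)  return 0 ;;
    esac
}

# Live check for a real host; skips quietly when exim is not installed
# (e.g. when this file is run in a sandbox).
live_check() {
    if ! command -v exim >/dev/null 2>&1; then
        echo "exim not found in PATH; nothing to check"
        return 0
    fi
    bin=$(command -v exim)
    banner=$(exim --version 2>/dev/null | head -n 1)
    if exim_is_fixed "$banner"; then
        echo "OK: $bin reports '$banner' (>= $FIXED_VERSION)"
    else
        echo "NOT FIXED or unknown: $bin reports '$banner'"
    fi
    # On an rpm-based host, show which package owns the binary in PATH.
    # "is not owned by any package" means the file in use did not come
    # from the rpm (rpm -qf exits non-zero in that case).
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$bin" 2>&1 || true
    fi
}

live_check
```

Run it as root on the host. Note that `rpm -qf` only tells you which package owns the file found in PATH; a daemon started from an explicit path may be a different binary, so compare against the command line of the running exim process as well.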