Bug 26677 - Security bug found in Exim by Philip Hazel
Summary: Security bug found in Exim by Philip Hazel
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
Reported: 2003-08-15 09:25 UTC by Christian Gut
Modified: 2003-09-22 00:11 UTC
Description Christian Gut 2003-08-15 09:25:51 UTC
A security bug has been found in all exim versions prior to 4.21.

Perhaps we should apply the patch to the stable version of the ebuild to provide
security for stable users?

The bugreport can be found here:
http://www.exim.org/pipermail/exim-users/Week-of-Mon-20030811/057720.html

A minor security problem has been found in Exim 3 and 4 (many thanks to
Nick Cleaton). The bug is not thought to be exploitable, but one can
never be absolutely certain.

The bug is fixed in Exim 4.21, which I have just released. Patches for
Exim 4.20 and Exim 3.36 are below. For other releases, these patches may
also work, or can be trivially adapted if the patch program has problems
with the line numbers. The actual code in question has hardly changed
for many years.

Reproducible: Always
Steps to Reproduce:
Comment 1 Tim Yamin (RETIRED) gentoo-dev 2003-08-15 15:28:06 UTC
[Security dept.: The patches are at the URL if you are confused] Forwarding on to security dept.
Comment 2 Nick Hadaway 2003-08-17 22:32:16 UTC
exim-4.21 is now in portage, including ipv6 support. exiscan has been deprecated; exiscan-acl is now the only choice.

4.20 and 3.36 still need the patches added.
Comment 3 Nick Hadaway 2003-08-18 17:22:28 UTC
exim-4.22 has been added to portage. I will be adding the patch for 3.36, but as we have a newer version of exim available I think it would be wise to make 4.22 stable after we get a couple more "this one works fine" reports.
Comment 4 Nick Hadaway 2003-08-18 17:29:32 UTC
Okay... I take that back. I thought we still had a 3.x build in portage. Guess we don't ;)
Comment 5 Christian Gut 2003-08-25 04:04:13 UTC
Could anyone tell how long it would take to get a fixed stable version?
Comment 6 Christian Gut 2003-09-03 00:21:51 UTC
This bug is now on bugtraq and major news sites (heise.de). I think we should definitely get a stable ebuild, either with the patch or with 2.4.21. Also a GLSA would be needed, I think.
Comment 7 solar (RETIRED) gentoo-dev 2003-09-22 00:11:19 UTC
Bugs have been fixed (thanks to Nick raker@gentoo.org).
A GLSA was sent: http://forums.gentoo.org/viewtopic.php?t=84447

Changing resolution to FIXED