Summary: | <mail-mta/exim-4.87: Local privilege escalation for set-uid root exim when using perl_startup (CVE-2016-1531) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | major | CC: | alexander, bertrand, grobian, net-mail+disabled
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1314293 | |
Whiteboard: | B1 [glsa cve] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 563478, 585212 | |
Bug Blocks: | | |

Description
Agostino Sarubbo
2016-03-06 11:37:35 UTC
I'm testing it now. I was busy on bug #563478 to get keywords due to a new dep.

Anyway, I think when USE=-perl, it should be safe (as per linked ML-message), even though Exim will warn about *_environment vars not being set.

To speed up #563478, we could mask the new dep/use-flag on missing archs.

Added to existing GLSA request.

(In reply to Fabian Groffen from comment #1)
> I'm testing it now. I was busy on bug #563478 to get keywords due to a new
> dep.
>
> Anyway, I think when USE=-perl, it should be safe (as per linked
> ML-message), even though Exim will warn about *_environment vars not being
> set.
>
> To speed up #563478, we could mask the new dep/use-flag on missing archs.

Fabian,
Any News on this? This is a B1

(In reply to Yury German from comment #3)
> (In reply to Fabian Groffen from comment #1)
> > I'm testing it now. I was busy on bug #563478 to get keywords due to a new
> > dep.

testing 4.86.2 went fine, I think it's good to go from that perspective

> > To speed up #563478, we could mask the new dep/use-flag on missing archs.

I think this is the responsibility of the arch teams, but I could apply the mask if need be.

> Fabian,
> Any News on this? This is a B1

I'm sorry, but I'm not familiar with the terminology here. If you need something from me, please let me know!

Any update on this?

Just pinged the arches for Keywording in Bug 563478

(In reply to Yury German from comment #6)
> Just pinged the arches for Keywording in Bug 563478

Fabian or the net-mail team. There are two minor arches left. Can you please call for stabilization knowing that it will take some time for those arches (Hopefully not).

I would call for stabilization but I am not sure what we are doing with arm arch. With this being a B1 we should probably get a stable package for the major arches ASAP.

Being Stabilized in Bug # 585212
=mail-mta/exim-4.87

This issue was resolved and addressed in GLSA 201607-12 at https://security.gentoo.org/glsa/201607-12 by GLSA coordinator Aaron Bauman (b-man).