| Summary: | mail-mta/exim-4.92.2: privilege escalation (CVE-2019-15846) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | bertrand, grobian, himbeere, jaco, marat, scott |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.openwall.com/lists/oss-security/2019/09/04/1 | | |
| Whiteboard: | A2 [glsa+ cve] | | |
| Package list: | mail-mta/exim-4.92.2 | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | | | |
| Bug Blocks: | 692394 | | |
Description

GLSAMaker/CVETool Bot

From $URL:

CVE ID: CVE-2019-15846
Version(s): up to and including 4.92.1
Issue: A local or remote attacker can execute programs with root privileges.
Details: Will be made public at CRD. Currently there is no known exploit, but a rudimentary POC exists.
Coordinated Release Date (CRD) for Exim 4.92.2: 2019-09-06 10:00 UTC

Proposed Timeline

2019-09-03:
- initial notification to distros@...nwall.org and exim-maintainers@...m.org

2019-09-04: <-- NOW
- This Heads-up notice to oss-security@...ts.openwall.com, exim-users@...m.org, and exim-announce@...m.org

2019-09-06 10:00 UTC:
- Coordinated release date
- Notice to oss-security, exim-users, and exim-announce
- Publish the patches in our official and public Git repositories and the packages on our FTP server.

Downloads available starting at CRD (not yet)

The downloads are not yet available. They will be made available at the above mentioned CRD.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c1968d993330fcd3d593e014de4d7eccfd05872

commit 5c1968d993330fcd3d593e014de4d7eccfd05872
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-09-06 13:16:23 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-09-06 13:17:49 +0000

mail-mta/exim: bump to v4.92.2 (CVE-2019-15846)

Ebuild changes:
- EAPI bumped to EAPI=7

Bug: https://bugs.gentoo.org/693494
Package-Manager: Portage-2.3.75, Repoman-2.3.17
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

mail-mta/exim/Manifest | 2 +
mail-mta/exim/exim-4.92.2.ebuild | 582 +++++++++++++++++++++++++++++++++++++++
2 files changed, 584 insertions(+)

Added to an existing GLSA.

x86 stable

This issue was resolved and addressed in GLSA 201909-06 at https://security.gentoo.org/glsa/201909-06 by GLSA coordinator Thomas Deutschmann (whissi). Re-opening for remaining architectures.

ppc/ppc64 stable

amd64 stable

sparc stable

arm stable

ia64 stable

hppa stable

I cannot find an issue for CVE-2019-16928. Is it hidden, or doesn't it exist at all?

The CVE isn't this bug, but here's the email I copied its number from for 4.92.3: https://lists.exim.org/lurker/message/20190928.232024.589b2ef5.nl.html

alpha stable

all arches done

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=090c2b8964bdab171450acfbe10a585c23064118

commit 090c2b8964bdab171450acfbe10a585c23064118
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 18:15:52 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 18:15:52 +0000

mail-mta/exim: security cleanup (#693494)

Bug: https://bugs.gentoo.org/693494
Package-Manager: Portage-2.3.78, Repoman-2.3.17
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

mail-mta/exim/Manifest | 4 -
mail-mta/exim/exim-4.92-r3.ebuild | 563 -----------------------------------
mail-mta/exim/exim-4.92-r4.ebuild | 578 ------------------------------------
mail-mta/exim/exim-4.92.1-r1.ebuild | 578 ------------------------------------
4 files changed, 1723 deletions(-)

All done, repository is clean!