From ${URL} : A privilege escalation vulnerability was found in all installations having Exim set-uid root and using 'perl_startup'. Any user who can start an instance of Exim can gain root privileges. https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for stabilization or not.
I'm testing it now. I was busy on bug #563478 to get keywords due to a new dep. Anyway, I think when USE=-perl, it should be safe (as per linked ML-message), even though Exim will warn about *_environment vars not being set. To speed up #563478, we could mask the new dep/use-flag on missing archs.
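As an added example (not part of this bug thread or of the Exim project), a small audit script for the two conditions the report names: an Exim binary that is set-uid root, and a configuration that uses perl_startup. It also parses captured `exim -bV` output for the version and the "Support for:" line (which lists Perl when Exim was built with USE=perl), and treats 4.86.2 as the first release carrying the fix, which is the version tested above. The keep_environment/add_environment options are the ones Exim warns about after the fix. All file paths and the sample `-bV` text are constructed for the example.

```shell
#!/bin/sh
# Added example: audit an Exim host for the set-uid-root + perl_startup combination
# described in the report. Nothing here modifies the system.

# exim_config_uses_perl CONFIG
#   0 if an uncommented perl_startup directive is present in CONFIG
exim_config_uses_perl() {
    grep -Eq '^[[:space:]]*perl_startup[[:space:]]*=' "$1"
}

# exim_config_sets_env_options CONFIG
#   0 if keep_environment or add_environment is set (the post-fix hardening knobs)
exim_config_sets_env_options() {
    grep -Eq '^[[:space:]]*(keep_environment|add_environment)[[:space:]]*=' "$1"
}

# file_is_setuid PATH      -> 0 if the set-uid bit is on
file_is_setuid() {
    [ -u "$1" ]
}

# file_owned_by_root PATH  -> 0 if owned by uid 0 (GNU stat first, BSD stat as fallback)
file_owned_by_root() {
    uid=$(stat -c %u "$1" 2>/dev/null || stat -f %u "$1" 2>/dev/null)
    [ "$uid" = 0 ]
}

# exim_bv_perl_compiled  (reads 'exim -bV' output on stdin)
#   0 if the "Support for:" line lists Perl, i.e. perl_startup is usable at all
exim_bv_perl_compiled() {
    grep -Eq '^Support for:.*[[:space:]]Perl([[:space:]]|$)'
}

# exim_bv_version  (reads 'exim -bV' output on stdin) -> prints "4.86.2", "4.87", ...
exim_bv_version() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# exim_version_has_fix VERSION -> 0 if VERSION >= 4.86.2 (assumed first fixed release)
exim_version_has_fix() {
    printf '%s\n%s\n' "$1" "4.86.2" |
        awk -F. '{ v[NR] = sprintf("%04d%04d%04d", $1, $2, $3) }
                 END { exit !(v[1] >= v[2]) }'
}

# exim_perl_risk BINARY CONFIG
#   prints a verdict; returns 0 only when the vulnerable combination is present
exim_perl_risk() {
    bin=$1; cfg=$2
    if ! file_is_setuid "$bin" || ! file_owned_by_root "$bin"; then
        echo "ok: $bin is not set-uid root"; return 1
    fi
    if ! exim_config_uses_perl "$cfg"; then
        echo "ok: $cfg does not use perl_startup"; return 1
    fi
    if exim_config_sets_env_options "$cfg"; then
        echo "review: perl_startup in use, but keep_environment/add_environment is set"; return 1
    fi
    echo "RISK: $bin is set-uid root and $cfg uses perl_startup without environment hardening"
    return 0
}

# Typical use on a real host (assumed paths):
#   exim_perl_risk /usr/sbin/exim /etc/exim/exim.conf
#   exim -bV | exim_bv_version
```

Rebuilding with USE=-perl removes the Perl interpreter from the binary entirely, so exim_bv_perl_compiled then fails and perl_startup in the configuration becomes a startup error rather than an exposure; the script reports both signals separately so either state is visible.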
Added to existing GLSA request.
(In reply to Fabian Groffen from comment #1)
> I'm testing it now. I was busy on bug #563478 to get keywords due to a new dep.
>
> Anyway, I think when USE=-perl, it should be safe (as per linked ML-message), even though Exim will warn about *_environment vars not being set.
>
> To speed up #563478, we could mask the new dep/use-flag on missing archs.

Fabian, any news on this? This is a B1.
(In reply to Yury German from comment #3)
> (In reply to Fabian Groffen from comment #1)
> > I'm testing it now. I was busy on bug #563478 to get keywords due to a new dep.

Testing 4.86.2 went fine, I think it's good to go from that perspective.

> > To speed up #563478, we could mask the new dep/use-flag on missing archs.

I think this is the responsibility of the arch teams, but I could apply the mask if need be.

> Fabian, any news on this? This is a B1.

I'm sorry, but I'm not familiar with the terminology here. If you need something from me, please let me know!
Any update on this?
Just pinged the arches for keywording in bug #563478.
(In reply to Yury German from comment #6)
> Just pinged the arches for keywording in bug #563478.

Fabian or the net-mail team: there are two minor arches left. Can you please call for stabilization, knowing that it will take some time for those arches (hopefully not)? I would call for stabilization, but I am not sure what we are doing with the arm arch. With this being a B1, we should probably get a stable package for the major arches ASAP.
Being stabilized in bug #585212: =mail-mta/exim-4.87
This issue was resolved and addressed in GLSA 201607-12 at https://security.gentoo.org/glsa/201607-12 by GLSA coordinator Aaron Bauman (b-man).