remote code execution as per DSA-2131-1

Bug #688672 reported by gpredrag
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone
exim4 (Debian) | Fix Released | Unknown | |
exim4 (Ubuntu) | Fix Released | High | Unassigned |

Bug Description

Binary package hint: exim4

There is a remote code vulnerability, CVE-2010-4344. It was fixed in Debian today, 10.12.2010, for the lenny version, 4.69. Apparently the bug affects versions of Exim4 in dapper and hardy.

Anders Kaseorg (andersk)
Changed in exim4 (Ubuntu):
status: New → Confirmed
Andrew Schulman (andrex) wrote :

Can someone please clarify exactly which versions of exim4 are affected? Is version 4.72-1ubuntu1 in maverick affected? I've read all of the announcements and can't find this information.

Jamie Strandboge (jdstrand) wrote :

The remote code execution (CVE-2010-4344) affected 4.69 and earlier (Ubuntu 9.10 and earlier). This was fixed last week in http://www.ubuntu.com/usn/usn-1032-1. The privilege escalation issue (CVE-2010-4345) affects all releases but has not been fixed yet since upstream hasn't decided on the best way to fix it. The exploit in the wild would exploit CVE-2010-4344 to execute arbitrary code and then use the vulnerability in CVE-2010-4345 to escalate to root. By fixing CVE-2010-4344, the remote attack vector is closed. A fix for CVE-2010-4345 will be provided when one becomes available.

Changed in exim4 (Ubuntu):
status: Confirmed → Triaged
status: Triaged → Fix Released
importance: Undecided → High
Changed in exim4 (Debian):
status: Unknown → Fix Released