Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2010-4344

Source

Debian Bug report logs - #606612
exim4: Exploitable memory corruption vulnerability (CVE-2010-4344)

Package: exim4; Maintainer for exim4 is Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>; Source for exim4 is src:exim4 (PTS, buildd, popcon).

Reported by: Dominic Hargreaves <dom@earth.li>

Date: Fri, 10 Dec 2010 11:03:01 UTC

Severity: critical

Tags: confirmed, lenny, security

Found in version exim4/4.69-9

Fixed in versions exim4/4.70-1, 4.69-9+lenny1

Done: Julien Cristau <jcristau@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#606612; Package exim4. (Fri, 10 Dec 2010 11:03:04 GMT) (full text, mbox, link).

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Fri, 10 Dec 2010 11:03:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: exim4
Version: 4.69-9
Severity: critical
Tags: security
Justification: root security hole

There is a discussion on exim-dev[0] relating to an incident of root-level
compromise owing to a couple of bugs. The first (the remote attack)
appears[1] to be related to a bug already fixed in mainline[2].

[0] <http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html>
[1] <http://www.exim.org/lurker/message/20101210.071922.233697ac.en.html#exim-dev>
[2] <http://bugs.exim.org/show_bug.cgi?id=787>

I hadn't seen any response from any Debian people on this (publically
at least) so I thought it would be worth filing this bug, to make
sure the right people are aware of the issue.

Cheers,
Dominic.

Bug Marked as fixed in versions exim4/4.70-1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 10 Dec 2010 11:09:07 GMT) (full text, mbox, link).

Forcibly Merged 606527 606612. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Fri, 10 Dec 2010 11:13:25 GMT) (full text, mbox, link).

Forcibly Merged 606527 606612. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Fri, 10 Dec 2010 11:15:05 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#606612; Package exim4. (Fri, 10 Dec 2010 11:21:05 GMT) (full text, mbox, link).

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Fri, 10 Dec 2010 11:21:05 GMT) (full text, mbox, link).

Message #16 received at 606612@bugs.debian.org (full text, mbox, reply):

Julien, I just wanted to point out that there are two separate issues
here, and only one of them has been fixed in newer versions. #606527
relating to the root upgrade is AFAIK still an issue.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Disconnected #606612 from all other report(s). Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Fri, 10 Dec 2010 11:27:06 GMT) (full text, mbox, link).

Changed Bug title to 'exim4: Exploitable memory corruption vulnerability (CVE-2010-4344)' from 'exim4: Exploitable memory corruption vulnerability' Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Fri, 10 Dec 2010 11:27:08 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#606612; Package exim4. (Fri, 10 Dec 2010 11:30:07 GMT) (full text, mbox, link).

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Fri, 10 Dec 2010 11:30:07 GMT) (full text, mbox, link).

Message #25 received at 606612@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Fri, Dec 10, 2010 at 11:19:24 +0000, Dominic Hargreaves wrote:

> Julien, I just wanted to point out that there are two separate issues
> here, and only one of them has been fixed in newer versions. #606527
> relating to the root upgrade is AFAIK still an issue.
> 
Yeah sorry about that.  I think I've undone the wrong merge now.

Cheers,
Julien

[signature.asc (application/pgp-signature, inline)]

Removed tag(s) squeeze. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Fri, 10 Dec 2010 11:30:09 GMT) (full text, mbox, link).

Severity set to 'critical' from 'grave' Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 10 Dec 2010 14:00:05 GMT) (full text, mbox, link).

Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. (Fri, 10 Dec 2010 15:33:15 GMT) (full text, mbox, link).

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Fri, 10 Dec 2010 15:33:15 GMT) (full text, mbox, link).

Message #34 received at 606612-done@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Version: 4.69-9+lenny1

On Fri, Dec 10, 2010 at 11:01:09 +0000, Dominic Hargreaves wrote:

> Package: exim4
> Version: 4.69-9
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> There is a discussion on exim-dev[0] relating to an incident of root-level
> compromise owing to a couple of bugs. The first (the remote attack)
> appears[1] to be related to a bug already fixed in mainline[2].
> 
Fixed in DSA 2131-1.

Cheers,
Julien

[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 23 Jan 2011 07:31:08 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:43:25 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

exim4: Exploitable memory corruption vulnerability (CVE-2010-4344)

Debian Bug report logs - #606612
exim4: Exploitable memory corruption vulnerability (CVE-2010-4344)

Vulmon Search

About

Products

Connect

exim4: Exploitable memory corruption vulnerability (CVE-2010-4344)

Debian Bug report logs - #606612 exim4: Exploitable memory corruption vulnerability (CVE-2010-4344)

Vulmon Search

About

Products

Connect

Debian Bug report logs - #606612
exim4: Exploitable memory corruption vulnerability (CVE-2010-4344)