Debian Bug report logs - #606612
exim4: Exploitable memory corruption vulnerability (CVE-2010-4344)
Reported by: Dominic Hargreaves <dom@earth.li>
Date: Fri, 10 Dec 2010 11:03:01 UTC
Severity: critical
Tags: confirmed, lenny, security
Found in version exim4/4.69-9
Fixed in versions exim4/4.70-1, 4.69-9+lenny1
Done: Julien Cristau <jcristau@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>: Bug#606612; Package exim4. (Fri, 10 Dec 2010 11:03:04 GMT)
Acknowledgement sent to Dominic Hargreaves <dom@earth.li>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Fri, 10 Dec 2010 11:03:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: exim4
Version: 4.69-9
Severity: critical
Tags: security
Justification: root security hole
There is a discussion on exim-dev[0] relating to an incident of root-level
compromise owing to a couple of bugs. The first (the remote attack)
appears[1] to be related to a bug already fixed in mainline[2].
[0] <http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html>
[1] <http://www.exim.org/lurker/message/20101210.071922.233697ac.en.html#exim-dev>
[2] <http://bugs.exim.org/show_bug.cgi?id=787>
I hadn't seen any response from any Debian people on this (publicly
at least) so I thought it would be worth filing this bug, to make
sure the right people are aware of the issue.
Cheers,
Dominic.
Bug marked as fixed in versions exim4/4.70-1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 10 Dec 2010 11:09:07 GMT)
Forcibly merged 606527 606612. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Fri, 10 Dec 2010 11:13:25 GMT)
Forcibly merged 606527 606612. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Fri, 10 Dec 2010 11:15:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>: Bug#606612; Package exim4. (Fri, 10 Dec 2010 11:21:05 GMT)
Acknowledgement sent to Dominic Hargreaves <dom@earth.li>: Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Fri, 10 Dec 2010 11:21:05 GMT)
Message #16 received at 606612@bugs.debian.org:
Julien, I just wanted to point out that there are two separate issues
here, and only one of them has been fixed in newer versions. #606527
relating to the root upgrade is AFAIK still an issue.
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Disconnected #606612 from all other report(s). Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Fri, 10 Dec 2010 11:27:06 GMT)
Changed bug title to 'exim4: Exploitable memory corruption vulnerability (CVE-2010-4344)' from 'exim4: Exploitable memory corruption vulnerability'. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Fri, 10 Dec 2010 11:27:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>: Bug#606612; Package exim4. (Fri, 10 Dec 2010 11:30:07 GMT)
Acknowledgement sent to Julien Cristau <jcristau@debian.org>: Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Fri, 10 Dec 2010 11:30:07 GMT)
Message #25 received at 606612@bugs.debian.org:
On Fri, Dec 10, 2010 at 11:19:24 +0000, Dominic Hargreaves wrote:
> Julien, I just wanted to point out that there are two separate issues
> here, and only one of them has been fixed in newer versions. #606527
> relating to the root upgrade is AFAIK still an issue.
>
Yeah sorry about that. I think I've undone the wrong merge now.
Cheers,
Julien
Removed tag(s) squeeze. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Fri, 10 Dec 2010 11:30:09 GMT)
Severity set to 'critical' from 'grave'. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 10 Dec 2010 14:00:05 GMT)
Reply sent to Julien Cristau <jcristau@debian.org>: You have taken responsibility. (Fri, 10 Dec 2010 15:33:15 GMT)
Notification sent to Dominic Hargreaves <dom@earth.li>: Bug acknowledged by developer. (Fri, 10 Dec 2010 15:33:15 GMT)
Message #34 received at 606612-done@bugs.debian.org:
Version: 4.69-9+lenny1
On Fri, Dec 10, 2010 at 11:01:09 +0000, Dominic Hargreaves wrote:
> Package: exim4
> Version: 4.69-9
> Severity: critical
> Tags: security
> Justification: root security hole
>
> There is a discussion on exim-dev[0] relating to an incident of root-level
> compromise owing to a couple of bugs. The first (the remote attack)
> appears[1] to be related to a bug already fixed in mainline[2].
>
Fixed in DSA 2131-1.
Cheers,
Julien
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 23 Jan 2011 07:31:08 GMT)
Last modified: Wed Jun 19 17:43:25 2019