openSUSE Security Update : exim (openSUSE-2017-980) (Stack Clash)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update for exim fixes the following issues :

Changes in exim :

- specify users with ref:mail, to make them dynamic.
(boo#1046971)

- CVE-2017-1000369: Fixed memory leaks that could be
exploited for 'Stack Clash' local privilege escalation
(boo#1044692)

- Require user(mail) group(mail) to meet new users
handling in TW.

- Prerequire permissions (fixes rpmlint).

- conditionally disable DANE on SuSE versions with OpenSSL
< 1.0

- CVE-2016-1531: when installed setuid root, allows local
users to gain privileges via the perl_startup argument.

- CVE-2016-9963: DKIM information leakage (boo#1015930)



- Makefile tuning :

+ add sqlite support

+ disable WITH_OLD_DEMIME

+ enable AUTH_CYRUS_SASL

+ enable AUTH_TLS

+ enable SYSLOG_LONG_LINES

+ enable SUPPORT_PAM

+ MAX_NAMED_LIST=64

+ enable EXPERIMENTAL_DMARC

+ enable EXPERIMENTAL_EVENT

+ enable EXPERIMENTAL_PROXY

+ enable EXPERIMENTAL_CERTNAMES

+ enable EXPERIMENTAL_DSN

+ enable EXPERIMENTAL_DANE

+ enable EXPERIMENTAL_SOCKS

+ enable EXPERIMENTAL_INTERNATIONAL

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=1015930
https://bugzilla.opensuse.org/show_bug.cgi?id=1044692
https://bugzilla.opensuse.org/show_bug.cgi?id=1046971

Solution :

Update the affected exim packages.

Risk factor :

Medium / CVSS Base Score : 6.9
(CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
Public Exploit Available : true

Family: SuSE Local Security Checks

Nessus Plugin ID: 102834


CVE ID: CVE-2016-1531
CVE-2016-9963
CVE-2017-1000369
