openSUSE Security Update : exim (openSUSE-2016-326)

Medium Nessus Plugin ID 89909


Synopsis

The remote openSUSE host is missing a security update.

Description

This update to exim 4.86.2 fixes the following issues :

- CVE-2016-1531: local privilege escalation in the set-uid root exim binary when 'perl_startup' is configured. Exim did not sanitise its environment before starting the embedded Perl interpreter, so a local user could pass interpreter-controlling variables such as PERL5OPT into a process running as root (boo#968844)

Important: Exim now cleans the complete execution environment by default. This affects Exim itself and its subprocesses, such as transports that call other programs, which no longer inherit variables like PATH or HOME unless they are explicitly listed. Two new main options adjust this behaviour :

- keep_environment: a string list of environment variable names (or regular expressions) to preserve

- add_environment: a string list of NAME=value pairs to set

A warning is printed at startup if neither option is configured.
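The new default and the two options, modelled as an added Python example (this is not Exim's own code, and the caller environment below is constructed). The rules it follows are Exim's string-list conventions: items are colon-separated unless the list opens with `<` and another separator (the `<;` form, needed when an item such as PATH contains colons), and an item starting with `^` is a regular expression. The point to notice is that PERL5OPT, the kind of variable CVE-2016-1531 let through, never survives unless an administrator lists it.

```python
import re

def _split_string_list(value):
    """Split an Exim-style string list.

    Items are separated by ':' unless the list starts with '<' followed by a
    different separator character (Exim's "<;" syntax), which is needed when an
    item itself contains a colon, e.g. PATH=/usr/bin:/bin.
    """
    if not value:
        return []
    sep = ":"
    if value.startswith("<") and len(value) > 1:
        sep, value = value[1], value[2:]
    return [item.strip() for item in value.split(sep) if item.strip()]

def _name_matches(name, item):
    """An item beginning with '^' is a regular expression, otherwise an exact name."""
    if item.startswith("^"):
        return re.search(item, name) is not None
    return name == item

def sanitise_environment(env, keep_environment="", add_environment=""):
    """Model of the 4.86.2 behaviour: start from an empty environment, keep only
    variables whose names match keep_environment, then set add_environment entries."""
    keep_items = _split_string_list(keep_environment)
    kept = {k: v for k, v in env.items() if any(_name_matches(k, it) for it in keep_items)}
    for item in _split_string_list(add_environment):
        name, _, val = item.partition("=")
        kept[name] = val
    return kept

# Constructed environment of an unprivileged user invoking the set-uid exim binary.
# PERL5OPT is the sort of variable that CVE-2016-1531 allowed to reach embedded Perl.
CALLER_ENV = {
    "PATH": "/home/alice/bin:/usr/bin",
    "HOME": "/home/alice",
    "PERL5OPT": "-Mroot",
    "LDAPTLS_REQCERT": "never",
}

def default_environment():
    """Neither option set: everything is dropped, which is why Exim warns at startup."""
    return sanitise_environment(CALLER_ENV)

def configured_environment():
    """Typical opt-in: keep LDAP client settings, hand transports a trusted PATH."""
    return sanitise_environment(
        CALLER_ENV,
        keep_environment="^LDAP",
        add_environment="<; PATH=/usr/bin:/bin ; LANG=C",
    )

if __name__ == "__main__":
    print("default:   ", default_environment())
    print("configured:", configured_environment())
```

With no options set the result is an empty environment, which is safe but will break transports that expect PATH; the configured variant shows the intended fix, re-adding only what is needed with add_environment rather than passing the caller's values through.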

Also includes upstream changes, improvements and bug fixes :

- Support for using the system standard CA bundle.

- New expansion items $config_file, $config_dir, containing the file and directory name of the main configuration file. Also $exim_version.

- New 'malware=' support for Avast.

- New 'spam=' variant option for Rspamd.

- Assorted options on malware= and spam= scanners.

- A commandline option to write a comment into the logfile.

- A logging option for slow DNS lookups.

- New ${env{<variable>}} expansion item for reading an environment variable.

- A non-SMTP authenticator using information from TLS client certificates.

- Main option 'tls_eccurve' for selecting an Elliptic Curve for TLS.

- Main option 'dns_trust_aa' for trusting your local nameserver at the same level as DNSSEC.

Solution

Update the affected exim packages.
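The check this plugin performs, reduced to its essentials as an added Python example (not Tenable's NASL code): read the installed package list, restrict to the affected package names and openSUSE releases named in the plugin metadata, and flag any package whose version compares below 4.86.2 using RPM's version-comparison rules. The rpm -qa excerpt is constructed and its release numbers are illustrative.

```python
import re

# From the advisory: exim 4.86.2 is the fixed version on openSUSE 13.2 and 42.1.
FIXED_VERSION = "4.86.2"
AFFECTED_RELEASES = {"13.2", "42.1"}
AFFECTED_PACKAGES = {"exim", "exim-debuginfo", "exim-debugsource",
                     "eximon", "eximon-debuginfo", "eximstats-html"}

def _segments(s):
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Compare two RPM version strings like rpm's rpmvercmp (tilde/caret not handled):
    digit runs compare numerically, letter runs lexically, a digit run outranks a
    letter run, and when one side runs out the longer one is newer."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0

_RPM_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")

def parse_rpm(line):
    """Split 'name-version-release.arch' as printed by rpm -qa; the name may contain '-'."""
    m = _RPM_RE.match(line.strip())
    return m.groupdict() if m else None

def vulnerable_packages(rpm_list, suse_release):
    """Return affected packages installed below the fixed version, or [] when the
    host is not one of the releases this advisory covers."""
    if suse_release not in AFFECTED_RELEASES:
        return []
    found = []
    for line in rpm_list.splitlines():
        pkg = parse_rpm(line)
        if pkg and pkg["name"] in AFFECTED_PACKAGES and rpmvercmp(pkg["version"], FIXED_VERSION) < 0:
            found.append(f'{pkg["name"]}-{pkg["version"]}-{pkg["release"]}')
    return found

# Constructed rpm -qa excerpt: exim and eximstats-html still at 4.86.1, eximon already updated.
SAMPLE_RPM_LIST = """\
exim-4.86.1-3.3.1.x86_64
eximstats-html-4.86.1-3.3.1.noarch
eximon-4.86.2-5.1.x86_64
openssl-1.0.1k-2.33.1.x86_64
"""

if __name__ == "__main__":
    print(vulnerable_packages(SAMPLE_RPM_LIST, "42.1"))
```

Two caveats a practitioner should keep in mind: the plugin is a version check, so it reports fixed once the package is updated even if the exim daemon has not been restarted, and a host that is not openSUSE 13.2 or 42.1 is simply out of scope for this plugin rather than confirmed clean.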

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=968844

Plugin Details

Severity: Medium

ID: 89909

File Name: openSUSE-2016-326.nasl

Version: 2.8

Type: local

Agent: unix

Published: 2016/03/14

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 7.4

CVSS v2.0

Base Score: 6.9

Temporal Score: 5.7

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 7.0

Temporal Score: 6.5

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:exim, p-cpe:/a:novell:opensuse:exim-debuginfo, p-cpe:/a:novell:opensuse:exim-debugsource, p-cpe:/a:novell:opensuse:eximon, p-cpe:/a:novell:opensuse:eximon-debuginfo, p-cpe:/a:novell:opensuse:eximstats-html, cpe:/o:novell:opensuse:13.2, cpe:/o:novell:opensuse:42.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/03/11

Vulnerability Publication Date: 2016/04/07

Exploitable With

Core Impact

Reference Information

CVE: CVE-2016-1531