[Spce-user] Multiple vulnerability issues on exim4 packages: 3 RCEs (Remote Code Executions)
Alex Lutay
alutay at sipwise.com
Wed May 5 09:00:41 EDT 2021
Dear community,
We would like to highlight that critical security fixes for the
'exim4' project have been released and we strongly recommend
upgrading the package as soon as possible. Qualys Research Labs
reported several vulnerabilities in Exim, a mail transport agent,
which could result in local privilege escalation and remote code
execution.
Details can be found in the Qualys advisory at
https://www.qualys.com/2021/05/04/21nails/21nails.txt
For the stable distribution Debian 10 (buster), these problems have been
fixed in version 4.92-8+deb10u6.
For the old stable distribution Debian 9 (stretch), these problems have
been fixed in version 4.89-2+deb9u8.
The following NGCP releases use Debian 10 (buster):
- mr7.5.x
- mr8.5.x
- mr9.y.x
The following NGCP releases use Debian 9 (stretch):
- mr6.5.x
We strongly recommend that you upgrade the exim4 packages.
For the detailed security status of exim4 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/exim4
How to check whether the system is still affected
1. Check your NGCP and Debian versions:
> # cat /etc/ngcp_version
> # lsb_release -a
2. Check the package version installed:
> # dpkg -l "*exim*" | grep ^ii
3. Check the table in
https://security-tracker.debian.org/tracker/source-package/exim4
corresponding to your Debian release.
If your installed package version is equal to (or greater than) the
"fixed" version, you are no longer affected. If your version is equal to
a version listed with "vulnerable" status, you need to upgrade the
packages to the next version with "fixed" status for your Debian
release.
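As an added example (not from this announcement and not Sipwise or Debian code), the Python script below automates steps 1 to 3: it reads `dpkg -l "*exim*"` output, keeps the installed (ii) exim4* packages, and compares each version against the fixed version for the Debian release using a re-implementation of dpkg's version-ordering algorithm, so it gives the same answer as `dpkg --compare-versions` without depending on python-apt. The fixed versions are the two quoted in this mail; the embedded listing is a constructed sample copied from the upgrade example further down; the names `FIXED`, `compare_versions` and `vulnerable_packages` are chosen here.

```python
import subprocess
import sys

# Fixed versions quoted in the announcement, keyed by Debian codename.
FIXED = {"buster": "4.92-8+deb10u6", "stretch": "4.89-2+deb9u8"}

# Constructed sample input: the `dpkg -l "*exim*"` listing shown in the
# announcement (the still-vulnerable +deb10u4 build on buster).
SAMPLE_DPKG_OUTPUT = """\
ii  exim4              4.92-8+deb10u4 all    metapackage to ease Exim MTA (v4) installation
ii  exim4-base         4.92-8+deb10u4 amd64  support files for all Exim MTA (v4) packages
ii  exim4-config       4.92-8+deb10u4 all    configuration for the Exim MTA (v4)
ii  exim4-daemon-light 4.92-8+deb10u4 amd64  lightweight Exim MTA (v4) daemon
"""

def _order(c):
    """dpkg character weight: '~' sorts before everything, even end of string."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _verrevcmp(a, b):
    """Compare one component (upstream or revision) like dpkg's verrevcmp():
    alternate between non-digit runs (by _order) and numeric digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0   # missing char counts as 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":            # leading zeros are ignored
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1                                 # more digits left: larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    return (epoch, upstream, revision) if sep else (epoch, version, "")

def compare_versions(v1, v2):
    """Return <0, 0 or >0, matching `dpkg --compare-versions v1 lt|eq|gt v2`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def vulnerable_packages(dpkg_output, codename):
    """Return [(name, version)] for installed exim4* packages below the fix."""
    fixed = FIXED[codename]
    found = []
    for line in dpkg_output.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 3 or fields[0] != "ii" or not fields[1].startswith("exim4"):
            continue
        if compare_versions(fields[2], fixed) < 0:
            found.append((fields[1], fields[2]))
    return found

if __name__ == "__main__":
    # Live mode: query this host; exits cleanly where dpkg/lsb_release are absent.
    try:
        codename = subprocess.check_output(["lsb_release", "-sc"], text=True).strip()
        listing = subprocess.check_output(["dpkg", "-l", "*exim*"], text=True)
    except (OSError, subprocess.CalledProcessError) as exc:
        sys.exit("cannot query dpkg/lsb_release: %s" % exc)
    if codename not in FIXED:
        sys.exit("no fixed version known for Debian release %r" % codename)
    bad = vulnerable_packages(listing, codename)
    for name, version in bad:
        print("STILL VULNERABLE: %s %s (fixed in %s)" % (name, version, FIXED[codename]))
    sys.exit(1 if bad else 0)
```

Run it as root on the node (for example `python3 check_exim4.py`); it exits 1 and names every exim4* package still below the fixed version, and 0 when nothing is left to upgrade. Proper dpkg ordering matters here because a plain string comparison would rank a future `+deb10u10` below `+deb10u6` and report a patched system as vulnerable.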
How to upgrade the packages:
a. You should run the following command:
> # apt-get update
b. Check whether the "fixed" version is available for your Debian release:
> # apt-cache policy exim4
c. If so, upgrade all the exim4* packages found in step 2 above, for
example:
> # root@spce:/var/sipwise# dpkg -l "*exim*" | grep ^ii
> ii exim4 4.92-8+deb10u4 all metapackage to ease Exim MTA (v4) installation
> ii exim4-base 4.92-8+deb10u4 amd64 support files for all Exim MTA (v4) packages
> ii exim4-config 4.92-8+deb10u4 all configuration for the Exim MTA (v4)
> ii exim4-daemon-light 4.92-8+deb10u4 amd64 lightweight Exim MTA (v4) daemon
In this case you should run:
> # apt-get -o Dpkg::Options::=--force-confold install exim4 exim4-base exim4-config exim4-daemon-light
> # service exim4 restart
You can safely upgrade the exim4 packages even during peak hours: the
upgrade does not affect system functionality, so call handling and
features remain intact.
--
Alex Lutay