ESB-2017.3079 - [Debian] exim4: Multiple vulnerabilities 2017-12-01

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3079
                           exim4 security update
                              1 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           exim4
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-16944 CVE-2017-16943 

Reference:         ESB-2017.3036
                   ESB-2017.3016

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-4053

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4053-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 30, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2017-16943 CVE-2017-16944
Debian Bug     : 882648 882671

Several vulnerabilities have been discovered in Exim, a mail transport
agent. The Common Vulnerabilities and Exposures project identifies the
following issues:

CVE-2017-16943

    A use-after-free vulnerability was discovered in Exim's routines
    responsible for parsing mail headers. A remote attacker can take
    advantage of this flaw to cause Exim to crash, resulting in a denial
    of service, or potentially for remote code execution.

CVE-2017-16944

    It was discovered that Exim does not properly handle BDAT data
    headers allowing a remote attacker to cause Exim to crash, resulting
    in a denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 4.89-2+deb9u2. Default installations disable advertising the
ESMTP CHUNKING extension and are not affected by these issues.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlofuHlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0T0mw/+Mze38efCqxBiAaQcM0i6SG5/B47CAsioeWyc06a8MQtOqjs+picslsDu
Z3XM+zA4aRSHQs0APowF8mlcSfMLvtaHWIy7zmxAv+LuBvZ/otvxZwWGVfJ0SYEl
ZDvvLZT1SZZfFsB4n2zUcGZSHm2Tt1tYXOjWpi53jwuqWVuO4kdo7oOcapYCabsp
OMRLDBaH4+AFisr+zN215DNn71m4RfI1SyL902/RaCvxOiMDyNCbH7tg7PLLYyqi
vPJrOMcVKtkRAeoVPo5HckWrxRzNiDvY16R+pFDretB+mIB0ncWIXQ+GTjFDSeVa
HNC5t/vWhYdzl5mpdF5YpsgrCa2Ot2bBQkajBsC4FvTT7cW9V6fHzz3gCsl8zBkM
aFTEsm7yUn3Ef+lsX4KI9cj6G9f7O+3B4h4r9h/XM3/z7qwcZi2vWwYhG8jrGddF
yTRLqp4fbJTjG13c9wCRAR4K0gBfOSzYdzc4dn0mI0OrUoijl9nqkPmXdoWNyfO2
UUYZHIuYlDCSqVWpjzWtujNu8MYM95AYzcC9/UkKXOpljzrhQYRxgee3/VGVdeFP
pwumIMin3XFg/ahOFZ2L5Jvy2HaL9gAj1DfhHgAuIkuCcavgxDsZBM8bzOODY0HC
0F8plwbMeBgt3YlxI8YPvWx56PBtzy/zBvd+aSbS2ZgRETOgXeY=
=0OFH
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWiDjFYx+lLeg9Ub1AQjZuA/+P9UqWsI3s+5P8sjA0Rh9wV6hpx2kMX4S
fE0GvUNH8TfSTaB/ZytfjYhQx205io8xIiqXALVQ+4uyPILYVTOJwa8vRk3Kbye2
Tej/RQuBt+bDn6cusSVxU9D/2TyQMM7G8kxdD38KI39gF3XoOyTsGpuevzUAY+cv
wgdsHYNpFvj9wReAPHvGNRhsY5f0uApI8NKZQ8kvrmG2wECKBW62zPNwfEOmyJBl
dtcnQrkiZ/WbnQjVOaD21w5s5q5KDuPCdxgoukcptVEQQPlQ5n4IMydAoJQjFhtN
ncI6uePOt1ExR7tJ8XNJ6+O9tklSguCO0/V+NfqoiR3tb/jjAmrnMOo9qtLBL5BB
d0+0MhiSsrHT8mZILbouY2UABPlKP/oWPIeWoM0i0QP5mDBn/EB+L0QAN3dCeSdQ
4za7FM2ecgYw/jiA8CPIVFW+DWFWsqE3CWM16QRMrbhlSV+/gD2EoNlHC/h2C1Bx
i52n9V1X/prmGUNkRwexI7q11GySsA8aVJ0AJbMiXkfXy6GpzUn/587hznLeXX9x
PBRVL1k3O6c2SslMFkEoG0MDeJqwoG8cnFFr6l6aZpgPkf/BzLQ5cupXuMSxRz2t
uSt4o9OLAOnpcr8Of4BiohlWKBYh60oXUOmV6fba2sPi++5JClCXX6urZDyVmN0n
xdJj5npDAuI=
=0rK7
-----END PGP SIGNATURE-----

« Back to bulletins