On 2011-01-06 at 03:15 +0000, Andreas M. Kirchwitz wrote:
> Nigel Metheringham <[email protected]> wrote:
>
> > 1. TWO MAJOR SECURITY FIXES:-
> >    + CVE-2010-4344 exim remote code execution flaw
> >    + CVE-2010-4345 exim privilege escalation
>
> I've just updated from Exim 4.72 (which has been said to be secure
> already) to Exim 4.73 and haven't touched any of the security options
> like ALT_CONFIG_PREFIX or TRUSTED_CONFIG_LIST in Local/Makefile.
>
> Unfortunately, on installation (sudo make install) I get this error:
>
> 2011-01-06 02:53:43 Exim configuration file /dev/null has the wrong owner,
> group, or mode
>
> # ls -l /dev/null
> crw-rw-rw-. 1 root root 1, 3 Jan 5 21:39 /dev/null
>
> Of course, /dev/null is world-writable. ;-)

Deoh.

http://git.exim.org/exim.git/commit/fea24b2ea4e2c2a4b77d6fb222054e32e658b227

I've exempted /dev/null from these checks. If someone has messed with
the ownership or permissions of /dev/null, that's no longer reasonably
Exim's problem.

> Furthermore, until now, I used to run exicyclog as user exim (why do

I've left this for further careful consideration.

Thanks,
-Phil

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
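
The check and exemption discussed in this thread, as an added example that is not part of the original messages and is not Exim's code. The policy (root owner, group write only for group root, never world-writable), the function names and the /constructed/ path used for testing are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

enum cfg_verdict { CFG_OK, CFG_EXEMPT, CFG_BAD_OWNER, CFG_BAD_GROUP, CFG_BAD_MODE };

/* Simplified policy (assumption of this example, not Exim's exact rules):
   owner must be root, group write is allowed only for group root,
   and the file must never be world-writable. */
enum cfg_verdict check_config(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    /* Exemption by name, as in the reply: /dev/null is skipped before any
       owner or mode test, so its crw-rw-rw- mode no longer trips the check. */
    if (strcmp(path, "/dev/null") == 0)
        return CFG_EXEMPT;
    if (uid != 0)
        return CFG_BAD_OWNER;
    if ((mode & S_IWGRP) && gid != 0)
        return CFG_BAD_GROUP;
    if (mode & S_IWOTH)
        return CFG_BAD_MODE;
    return CFG_OK;
}

/* Apply the check to a file on disk; returns -1 if it cannot be stat()ed. */
int check_config_path(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)check_config(path, st.st_uid, st.st_gid, st.st_mode);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "ok", "exempt", "bad owner", "bad group", "bad mode" };
    const char *path = argc > 1 ? argv[1] : "/dev/null";
    int v = check_config_path(path);
    if (v < 0) { perror(path); return 2; }
    printf("%s: %s\n", path, names[v]);
    return (v == CFG_OK || v == CFG_EXEMPT) ? 0 : 1;
}
```
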
