- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201906-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Exim: Remote command execution Date: June 06, 2019 Bugs: #687336 ID: 201906-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability in Exim could allow a remote attacker to execute arbitrary commands. Background ========== Exim is a message transfer agent (MTA) designed to be a a highly configurable, drop-in replacement for sendmail. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 mail-mta/exim < 4.92 >= 4.92 Description =========== A vulnerability was discovered in how Exim validates recipient addresses in the deliver_message() function. Impact ====== A remote attacker could execute arbitrary commands by sending an email with a specially crafted recipient address to the affected system. Workaround ========== There is no known workaround at this time. Resolution ========== All Exim users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=mail-mta/exim-4.92" References ========== [ 1 ] CVE-2019-10149 https://nvd.nist.gov/vuln/detail/CVE-2019-10149 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201906-01 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2019 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5