Softaculous


Topic : Exim / cve-2019-10149


Posted By: interserver on June 10, 2019, 2:01 pm
Exim needs to be updated to 4.92; see https://www.exim.org/static/doc/security/CVE-2019-10149.txt

When I last checked, Webuzo had offered no Exim updates.

Posted By: interserver on June 12, 2019, 5:07 pm | Post: 1
To patch, follow the below.

A standard install will have:
sudo yum provides exim
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.constant.com
* epel: epel.mirror.constant.com
* extras: centos.mirror.constant.com
* updates: centos.mirror.constant.com
exim-4.84-4.el7.x86_64 : The exim mail transfer agent
Repo        : Softaculous

exim-4.88-3.el7.x86_64 : The exim mail transfer agent
Repo        : Softaculous

exim-4.90.1-2.el7.x86_64 : The exim mail transfer agent
Repo        : Softaculous

On CentOS 7:



Step 1: Install epel release

sudo yum install epel-release


Step 2: Run yum update

sudo yum update



You will update to:
exim-4.92-1.el7.x86_64


To verify:
sudo rpm -q exim

This should return:
exim-4.92-1.el7.x86_64


Once EPEL is on:
CT-c1fb3812 yum.repos.d# yum provides exim
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.constant.com
* epel: epel.mirror.constant.com
* extras: centos.mirror.constant.com
* updates: centos.mirror.constant.com
exim-4.84-4.el7.x86_64 : The exim mail transfer agent
Repo        : Softaculous

exim-4.88-3.el7.x86_64 : The exim mail transfer agent
Repo        : Softaculous

exim-4.90.1-2.el7.x86_64 : The exim mail transfer agent
Repo        : Softaculous

exim-4.92-1.el7.x86_64 : The exim mail transfer agent
Repo        : epel

exim-4.92-1.el7.x86_64 : The exim mail transfer agent
Repo        : @epel

The EPEL repo's exim will be used over the unpatched Softaculous repo.

Edited by interserver : June 12, 2019, 5:07 pm
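The post above verifies the fix by eyeballing the output of rpm -q exim. The script below is an added example, not code from the thread or from Softaculous or Exim: it turns that check into a function that parses an Exim RPM name (exim-VERSION-RELEASE.DIST.ARCH), compares the version component against 4.92 (the first release with the CVE-2019-10149 fix, per the advisory linked in the first post), and reports whether the package is patched. The four package names in the loop are constructed from the ones listed in the post; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify an Exim RPM as patched or not for CVE-2019-10149
# by its upstream version. First fixed release per the Exim advisory: 4.92.
FIXED_VERSION="4.92"

# exim_version_from_nvra NVRA -> prints the version part, e.g.
#   exim-4.90.1-2.el7.x86_64 -> 4.90.1    (prints nothing if not an exim NVRA)
exim_version_from_nvra() {
    printf '%s\n' "$1" | sed -n 's/^exim-\([0-9][0-9.]*\)-.*$/\1/p'
}

# version_ge A B -> exit 0 if dotted-numeric version A >= B, else 1.
# Missing components count as 0, so 4.92 == 4.92.0 and 4.90.1 < 4.92.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# exim_status NVRA -> prints "patched" (exit 0), "VULNERABLE" (exit 1)
# or "unknown" (exit 2) when the name cannot be parsed.
exim_status() {
    v=$(exim_version_from_nvra "$1")
    if [ -z "$v" ]; then
        echo "unknown"
        return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "patched"
        return 0
    fi
    echo "VULNERABLE"
    return 1
}

# Constructed sample: the package names the thread's yum output lists.
for pkg in exim-4.84-4.el7.x86_64 exim-4.88-3.el7.x86_64 \
           exim-4.90.1-2.el7.x86_64 exim-4.92-1.el7.x86_64; do
    printf '%-26s %s\n' "$pkg" "$(exim_status "$pkg")"
done

# On a real CentOS host, check the installed package the same way.
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q exim 2>/dev/null) && exim_status "$installed"
fi
```

The version comparison is only meaningful for repositories that ship upstream version numbers, as the Softaculous and EPEL packages in the thread do. Distributions that backport security fixes without bumping the version need a different check, for example `rpm -q --changelog exim | grep -i CVE-2019-10149`.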

Posted By: interserver on June 22, 2019, 12:53 pm | Post: 2
This is a serious root exploit; it is a bit worrying that there has been no official update, and the default config will install an Exim with such an exploit on any new install of Webuzo if Exim is chosen to be installed.

I recommend the following changes:

1) Officially address Exim and build an update.

2) Offer something to auto-update software that can be called via cron, instead of just the ability to update in the Webuzo login.

3) RPMs being installed should come from a repo that is more managed by a third party. For example, consider moving to the EPEL repo for software to have faster updates instead of rolling your own.
