Welcome Guest. Please Login or Register  


You are here: Index > Webuzo > Bugs > Topic : Exim / cve-2019-10149



Threaded Mode | Print  

 Exim / cve-2019-10149 (2 Replies, Read 3867 times)
interserver
Group: NOC
Post Group: Newbie
Posts: 5
Status:
Exim needs to update to 4.92 for https://www.exim.org/static/doc/security/CVE-2019-10149.txt

When I checked last webuzo has offered no exim updates.
IP: --   

Exim / cve-2019-10149
interserver
Group: NOC
Post Group: Newbie
Posts: 5
Status:
To patch follow the below:

A standard install will have:
sudo  yum provides exim
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.constant.com
* epel: epel.mirror.constant.com
* extras: centos.mirror.constant.com
* updates: centos.mirror.constant.com
exim-4.84-4.el7.x86_64 : The exim mail transfer agent
Repo        : Softaculous



exim-4.88-3.el7.x86_64 : The exim mail transfer agent
Repo        : Softaculous



exim-4.90.1-2.el7.x86_64 : The exim mail transfer agent
Repo        : Softaculous




on centos7



Step 1: Install epel release

sudo yum install epel-release


Step 2: Run yum update

sudo yum update



You will update to:
exim-4.92-1.el7.x86_64


To verify:
sudo rpm -q exim

This should return:
exim-4.92-1.el7.x86_64


Once epel is on:
CT-c1fb3812 yum.repos.d# yum provides exim
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.constant.com
* epel: epel.mirror.constant.com
* extras: centos.mirror.constant.com
* updates: centos.mirror.constant.com
exim-4.84-4.el7.x86_64 : The exim mail transfer agent
Repo        : Softaculous



exim-4.88-3.el7.x86_64 : The exim mail transfer agent
Repo        : Softaculous



exim-4.90.1-2.el7.x86_64 : The exim mail transfer agent
Repo        : Softaculous



exim-4.92-1.el7.x86_64 : The exim mail transfer agent
Repo        : epel



exim-4.92-1.el7.x86_64 : The exim mail transfer agent
Repo        : @epel



Epel repo exim will be used over the not patched softaculous repo.

Edited by interserver : June 12, 2019, 5:07 pm
IP: --   

Exim / cve-2019-10149
interserver
Group: NOC
Post Group: Newbie
Posts: 5
Status:
This is a serious root exploit, a bit worrying there has been no official update and the default config will install an exim with such an exploit on any new install of webuzo if exim is chosen to be installed.

I recommend the following changes:

1) Officially address exim and build an update

2) offer something to auto update software that can be called via cron instead of just the ability to update in the webuzo login.

3) rpm's being installed should be done from a repo that is more managed by a third party. For example consider moving off to epel repo for software to have faster updates instead of rolling your own.
IP: --   

« Previous    Next »

Threaded Mode | Print  



Jump To :


Users viewing this topic
1 guests, 0 users.


All times are GMT. The time now is August 20, 2019, 1:30 am.

  Powered By AEF 1.0.8 © 2007-2008 Electron Inc.Queries: 11  |  Page Created In:0.178