All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
exim CVE-2016-1531
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
cPanel Security Team: exim CVE-2016-1531
Background Information
On Wednesday, March 2, 2016, Exim announced a vulnerability in all versions of the Exim software.
Impact
According to Exim development: "All installations having Exim set-uid root and using 'perl_startup' are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (this is normally any user) can gain root privileges."
Releases
The following versions of cPanel & WHM were patched to have the correct version of Exim. All previous versions of cPanel & WHM, including 11.48.x and below, are vulnerable to a set-uid attack on Exim.
11.50 11.50.5.0
11.52 11.52.4.0
11.54 11.54.0.18
EDGE 11.55.9999.106
CURRENT 11.54.0.18
RELEASE 11.54.0.18
STABLE 11.54.0.18
How to determine if your server is up to date
The updated RPMs provided by cPanel will contain a changelog entry with the CVE number. You can check for this changelog entry with the following command:
rpm -q --changelog exim | grep CVE-2016-1531
The output should resemble below:
- Fixes CVE-2016-1531
What to do if you are not up to date
If your server is not running one of the above versions, update immediately.
You can upgrade your server by navigating to WHM Home > cPanel > Upgrade to Latest Version and clicking "Click to Upgrade" (https://documentation.cpanel.net/display/ALD/Update+Preferences)
Alternatively, you can run the below commands to upgrade your server from the command line:
/scripts/upcp
/usr/bin/perl /scripts/check_cpanel_rpms --fix --long-list
Verify the new Exim RPM was installed:
rpm -q --changelog exim | grep CVE-2016-1531
The output should resemble below:
- Fixes CVE-2016-1531
What has changed
Exim now provides two configuration options which limit what environment variables are available to Exim and all of its child processes. The variables are keep_environment and add_environment. For the initial release with this feature, cPanel will be setting the variables as follows in all supported cPanel & WHM systems. These values can be modified in the Advanced Configuration Editor if necessary, though we advise caution on adding too many variables to keep_environment.
/etc/exim.conf
keep_environment = X-SOURCE : X-SOURCE-ARGS : X-SOURCE-DIR
add_environment = PATH=/usr/local/sbin::/usr/local/bin::/sbin::/bin::/usr/sbin::/usr/bin::/sbin::/bin
Additional Information
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1531
Initial Public Disclosure: https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html
Documentation: https://documentation.cpanel.net/display/CKB/CVE-2016-1531+Exim
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCgAGBQJW153WAAoJEJUhvtyr2U3fdyQQALdQPmElkIUgyKi32ty4I0SX
bnBqHyGiNzUfPDLsFrjl2L3W/WT75pKgwDIB7YI9CMlWKs9QOApL7pxZSdFknYMO
oty9krcHXitK6sQqN2RT6RxJkXMbC6MgEBVIE97d9oQgI6lYjDApkt5cXX2EEcdg
2vVqyQpvosnWzxvBQWXcegp4hxPUcRfkfbcNtudiBBpcrvd52GHdYQBvyVQ+pOSI
7y3ZGiODinBnKPCbu+1gwSiJ+6qxC4NCJ8bXsYVeSyZKvw/nGGSNNOlW2N4pT3cM
/JG3fDMpdGzVH59JoVIFg9SeHrbcdtZw2uXEwDiFuA9hhLxOEH/1ndSyDbcRKSa1
4S5QRwYlg3RMYdE/CtpZxGyRSsgQ06DJUekzka3PbL3EYAcyuPDi7RKpvc/2E8wA
Ml0BwSppXywLC4qgppalQsP7tiXpHtPert64e1Fms6t422o2LABmy1+zmnTYm2+7
QEbREQDS27ag66RUHocG9w2kNT64E2nV3WjyxDTu9+itKKnoXKblWxY/U3BpxU2w
rsolgGGLWNGKtN6W/CpB3tDMUtnM4rxmdDZZ5YJhnE1+klmwodSUwXNAWJGVoPKp
5VKkXDZG6zk2x/FoMgJeNvfZcskv9SYj9t1ycRcTvGTDoMgZB0/i2XmE5+Ghbzp7
RaySkqyNcLp4RqHzzhnz
=PvMK
-----END PGP SIGNATURE-----
cPanel, Inc. | 2550 North Loop W. Suite 4006 | Houston | TX | 77092 | US
Comments
Another exim privilege escalation? Oh well, at least they're being proactive.
Appreciated, boss.
Now that was a quick and easy fix.