Format: 1.7
Date: Tue, 08 Feb 2011 15:51:38 -0500
Source: exim4
Binary: eximon4 exim4-daemon-custom exim4-daemon-heavy exim4-base exim4 exim4-daemon-light exim4-config
Architecture: hppa
Version: 4.60-3ubuntu3.3
Distribution: dapper
Urgency: low
Maintainer: Ubuntu/hppa Build Daemon
Changed-By: Marc Deslauriers
Description:
 exim4-base - support files for all exim MTA (v4) packages
 exim4-daemon-heavy - exim MTA (v4) daemon with extended features, including exiscan-ac
 exim4-daemon-light - lightweight exim MTA (v4) daemon
 eximon4    - monitor application for the exim MTA (v4) (X11 interface)
Changes:
 exim4 (4.60-3ubuntu3.3) dapper-security; urgency=low
 .
   * SECURITY UPDATE: local privilege escalation via alternate config file
     (LP: #697934)
     - debian/patches/80_CVE-2010-4345.dpatch: backport massive
       behaviour-altering changes from upstream git to fix issue.
     - debian/patches/81_CVE-2010-4345-docs.dpatch: backport documentation
       changes.
     - debian/patches/67_unnecessaryCopt.dpatch: Do not use exim's -C option
       in utility scripts. This would not work with ALT_CONFIG_PREFIX. Patch
       obtained from Debian's 4.69-9+lenny2.
     - Build with WHITELIST_D_MACROS=OUTGOING. After this security update,
       exim will not regain root privileges (usually necessary for local
       delivery) if the -D option was used. Macro identifiers listed in
       WHITELIST_D_MACROS are exempted from this restriction.
       mailscanner (4.79.11-2.2) uses -DOUTGOING.
     - Build with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. After this
       security update, exim will not regain root privileges (usually
       necessary for local delivery) if the -C option was used. This makes it
       impossible to start a fully functional daemon with an alternate
       configuration file. /etc/exim4/trusted_configs (can) contain a list of
       filenames (one per line, full path given) to which this restriction
       does not apply.
     - debian/exim4-daemon-*.NEWS: Add description of changes. Thanks to
       Debian and Andreas Metzler for the text.
     - CVE-2010-4345
   * SECURITY UPDATE: arbitrary file append via symlink attack (LP: #708023)
     - debian/patches/82_CVE-2011-0017.dpatch: check setuid and setgid return
       codes in src/exim.c, src/log.c.
     - CVE-2011-0017
   * SECURITY UPDATE: denial of service and possible arbitrary code execution
     via hard link to another user's file (LP: #609620)
     - debian/patches/CVE-2010-2023.dpatch: check for links in
       src/transports/appendfile.c.
     - CVE-2010-2023
   * SECURITY UPDATE: denial of service and possible arbitrary code execution
     via symlink on a lock file (LP: #609620)
     - debian/patches/CVE-2010-2024.dpatch: improve lock file handling in
       src/exim_lock.c, src/transports/appendfile.c.
     - CVE-2010-2024
Files:
 3cc532d60ce3b7b94bbac5cc9d0615bf 880310 mail standard exim4-base_4.60-3ubuntu3.3_hppa.deb
 477dd78f326b3662dad20f92963dd8ba 432180 mail standard exim4-daemon-light_4.60-3ubuntu3.3_hppa.deb
 c3f578ee072633e59d4b00e6881e9c6c 90690 mail optional eximon4_4.60-3ubuntu3.3_hppa.deb
 27f71205e1bc0d870e937d1584c4b31f 490938 mail optional exim4-daemon-heavy_4.60-3ubuntu3.3_hppa.deb