Vulnerability Bulletins


Multiple vulnerabilities in exim

Vulnerability classification

Property Value
Confidence level Official
Impact Obtain access
Difficulty Beginner
Required attacker level Remote access to a standard service, no account required

System information

Property Value
Affected manufacturer GNU/Linux
Affected software exim 4.x
exim-tls

Description

Two vulnerabilities have been found in exim:

CAN-2005-0021 - The host_aton() function can trigger a buffer overflow because it mishandles IPv6 addresses with more than 8 components: the address text is parsed into a fixed-size array without first checking that the number of components fits.

CAN-2005-0022 - A buffer overflow exists in the spa_base64_to_bits() function, which is part of SPA (NTLM-style) authentication. The vulnerability is only exploitable if this type of authentication is enabled in the exim configuration; installations that do not offer the SPA authenticator are not reachable through this bug.
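Both bugs above are the same pattern: client-supplied text is decoded into a fixed-size buffer and the decoder only notices it has run out of room after it has already written past the end. The C below is an added illustration, not Exim's host_aton() or spa_base64_to_bits() code: two constructed decoders of the same shape (a colon-separated IPv6 group parser with an eight-entry array, and a base64 decoder with a caller-supplied output capacity) written with the missing count checks in place. The function names, the eight-group limit and the absence of "::" handling are assumptions made for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_GROUPS 8   /* an IPv6 address carries at most eight 16-bit groups */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse an uncompressed, colon-separated IPv6 literal into out[].
 * Returns the number of groups stored, or -1 on malformed input or when
 * the text carries more than IPV6_GROUPS groups. The "n >= IPV6_GROUPS"
 * test is the guard whose absence lets a ninth group be written past the
 * end of a fixed eight-element array. "::" compression is deliberately not
 * handled here (assumption: the caller expands it first). */
int parse_ipv6_groups(const char *s, uint16_t out[IPV6_GROUPS])
{
    int n = 0;
    const char *p = s;

    if (*p == '\0') return -1;
    for (;;) {
        unsigned v = 0;
        int len = 0;
        if (n >= IPV6_GROUPS) return -1;            /* refuse group #9 before writing it */
        while (hexval((unsigned char)*p) >= 0) {
            if (++len > 4) return -1;               /* a group is at most four hex digits */
            v = v * 16 + (unsigned)hexval((unsigned char)*p);
            p++;
        }
        if (len == 0) return -1;                    /* empty group, e.g. "1::2" or "1:" */
        out[n++] = (uint16_t)v;
        if (*p == '\0') return n;
        if (*p != ':') return -1;                   /* anything but ':' between groups is junk */
        p++;
    }
}

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 text into out[], never writing more than out_len bytes.
 * Returns the number of bytes written, or -1 on a bad character or when
 * the decoded data would not fit. Decoding stops at the first '='.
 * An authenticator that unpacks a client's base64 blob into a fixed
 * structure needs exactly this capacity check before every stored byte. */
int base64_decode_bounded(const char *in, uint8_t *out, size_t out_len)
{
    size_t n = 0;
    uint32_t acc = 0;   /* holds at most 13 pending bits, so masking to 14 bits is safe */
    int bits = 0;

    for (; *in && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) return -1;
        acc = ((acc << 6) | (uint32_t)v) & 0x3FFF;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_len) return -1;            /* stop before overflowing out[] */
            out[n++] = (uint8_t)((acc >> bits) & 0xFF);
        }
    }
    return (int)n;
}

/* Convenience wrappers: decode into a scratch buffer and return only the count. */
int ipv6_group_count(const char *s)
{
    uint16_t w[IPV6_GROUPS];
    return parse_ipv6_groups(s, w);
}

int b64_decoded_len(const char *s, size_t capacity)
{
    uint8_t buf[64];
    if (capacity > sizeof buf) capacity = sizeof buf;
    return base64_decode_bounded(s, buf, capacity);
}

int main(void)
{
    /* constructed inputs: a valid address, a nine-group address, a 3-byte blob into 2 bytes */
    printf("8 groups : %d\n", ipv6_group_count("2001:db8:0:0:0:0:0:1"));
    printf("9 groups : %d\n", ipv6_group_count("1:2:3:4:5:6:7:8:9"));
    printf("QUJD/3   : %d\n", b64_decoded_len("QUJD", 3));
    printf("QUJD/2   : %d\n", b64_decoded_len("QUJD", 2));
    return 0;
}
```

The nine-group address and the over-long base64 blob are rejected with -1 instead of being written into memory the buffer does not own; a decoder that only validates after the copy, or that counts separators but not stored elements, is the shape of bug the two CAN identifiers describe.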

Solution



Software update

Fedora Linux
Fedora Linux Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/SRPMS/exim-4.43-1.FC2.1.src.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/x86_64/exim-4.43-1.FC2.1.x86_64.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/x86_64/exim-mon-4.43-1.FC2.1.x86_64.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/x86_64/exim-doc-4.43-1.FC2.1.x86_64.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/x86_64/exim-sa-4.43-1.FC2.1.x86_64.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/x86_64/debug/exim-debuginfo-4.43-1.FC2.1.x86_64.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/i386/exim-4.43-1.FC2.1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/i386/exim-mon-4.43-1.FC2.1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/i386/exim-doc-4.43-1.FC2.1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/i386/exim-sa-4.43-1.FC2.1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/i386/debug/exim-debuginfo-4.43-1.FC2.1.i386.rpm
Fedora Linux Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/SRPMS/exim-4.43-1.FC3.1.src.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/x86_64/exim-4.43-1.FC3.1.x86_64.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/x86_64/exim-mon-4.43-1.FC3.1.x86_64.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/x86_64/exim-doc-4.43-1.FC3.1.x86_64.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/x86_64/exim-sa-4.43-1.FC3.1.x86_64.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/x86_64/debug/exim-debuginfo-4.43-1.FC3.1.x86_64.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/i386/exim-4.43-1.FC3.1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/i386/exim-mon-4.43-1.FC3.1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/i386/exim-doc-4.43-1.FC3.1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/i386/exim-sa-4.43-1.FC3.1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/i386/debug/exim-debuginfo-4.43-1.FC3.1.i386.rpm

Debian Linux

Debian Linux 3.0
Source:
http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4.dsc
http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4.diff.gz
http://security.debian.org/pool/updates/main/e/exim/exim_3.35.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_alpha.deb
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_arm.deb
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_i386.deb
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_ia64.deb
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_hppa.deb
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_m68k.deb
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_mips.deb
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_mipsel.deb
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_powerpc.deb
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_s390.deb
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_sparc.deb
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_sparc.deb

Debian Linux (exim-tls)

Debian Linux 3.0
Source:
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3.dsc
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3.diff.gz
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_sparc.deb

SuSE Linux
Distributions based on SuSE Linux - update via YaST Online Update

Red Hat Linux

Red Hat Desktop (v. 4)
SRPMS
exim-4.43-1.RHEL4.3.src.rpm
IA-32
exim-4.43-1.RHEL4.3.i386.rpm
exim-doc-4.43-1.RHEL4.3.i386.rpm
exim-mon-4.43-1.RHEL4.3.i386.rpm
exim-sa-4.43-1.RHEL4.3.i386.rpm
x86_64
exim-4.43-1.RHEL4.3.x86_64.rpm
exim-doc-4.43-1.RHEL4.3.x86_64.rpm
exim-mon-4.43-1.RHEL4.3.x86_64.rpm
exim-sa-4.43-1.RHEL4.3.x86_64.rpm
https://rhn.redhat.com/

Red Hat Enterprise Linux AS (v. 4)
SRPMS
exim-4.43-1.RHEL4.3.src.rpm
IA-32
exim-4.43-1.RHEL4.3.i386.rpm
exim-doc-4.43-1.RHEL4.3.i386.rpm
exim-mon-4.43-1.RHEL4.3.i386.rpm
exim-sa-4.43-1.RHEL4.3.i386.rpm
IA-64
exim-4.43-1.RHEL4.3.ia64.rpm
exim-doc-4.43-1.RHEL4.3.ia64.rpm
exim-mon-4.43-1.RHEL4.3.ia64.rpm
exim-sa-4.43-1.RHEL4.3.ia64.rpm
PPC
exim-4.43-1.RHEL4.3.ppc.rpm
exim-doc-4.43-1.RHEL4.3.ppc.rpm
exim-mon-4.43-1.RHEL4.3.ppc.rpm
exim-sa-4.43-1.RHEL4.3.ppc.rpm
s390
exim-4.43-1.RHEL4.3.s390.rpm
exim-doc-4.43-1.RHEL4.3.s390.rpm
exim-mon-4.43-1.RHEL4.3.s390.rpm
exim-sa-4.43-1.RHEL4.3.s390.rpm
s390x
exim-4.43-1.RHEL4.3.s390x.rpm
exim-doc-4.43-1.RHEL4.3.s390x.rpm
exim-mon-4.43-1.RHEL4.3.s390x.rpm
exim-sa-4.43-1.RHEL4.3.s390x.rpm
x86_64
exim-4.43-1.RHEL4.3.x86_64.rpm
exim-doc-4.43-1.RHEL4.3.x86_64.rpm
exim-mon-4.43-1.RHEL4.3.x86_64.rpm
exim-sa-4.43-1.RHEL4.3.x86_64.rpm
https://rhn.redhat.com/

Red Hat Enterprise Linux ES (v. 4)
SRPMS
exim-4.43-1.RHEL4.3.src.rpm
IA-32
exim-4.43-1.RHEL4.3.i386.rpm
exim-doc-4.43-1.RHEL4.3.i386.rpm
exim-mon-4.43-1.RHEL4.3.i386.rpm
exim-sa-4.43-1.RHEL4.3.i386.rpm
IA-64
exim-4.43-1.RHEL4.3.ia64.rpm
exim-doc-4.43-1.RHEL4.3.ia64.rpm
exim-mon-4.43-1.RHEL4.3.ia64.rpm
exim-sa-4.43-1.RHEL4.3.ia64.rpm
x86_64
exim-4.43-1.RHEL4.3.x86_64.rpm
exim-doc-4.43-1.RHEL4.3.x86_64.rpm
exim-mon-4.43-1.RHEL4.3.x86_64.rpm
exim-sa-4.43-1.RHEL4.3.x86_64.rpm
https://rhn.redhat.com/

Red Hat Enterprise Linux WS (v. 4)
SRPMS
exim-4.43-1.RHEL4.3.src.rpm
IA-32
exim-4.43-1.RHEL4.3.i386.rpm
exim-doc-4.43-1.RHEL4.3.i386.rpm
exim-mon-4.43-1.RHEL4.3.i386.rpm
exim-sa-4.43-1.RHEL4.3.i386.rpm
IA-64
exim-4.43-1.RHEL4.3.ia64.rpm
exim-doc-4.43-1.RHEL4.3.ia64.rpm
exim-mon-4.43-1.RHEL4.3.ia64.rpm
exim-sa-4.43-1.RHEL4.3.ia64.rpm
x86_64
exim-4.43-1.RHEL4.3.x86_64.rpm
exim-doc-4.43-1.RHEL4.3.x86_64.rpm
exim-mon-4.43-1.RHEL4.3.x86_64.rpm
exim-sa-4.43-1.RHEL4.3.x86_64.rpm
https://rhn.redhat.com/

Standard resources

Property Value
CVE CAN-2005-0021
CAN-2005-0022
BID

Other resources

Secunia Advisories SA13713
http://secunia.com/advisories/13713/

Fedora Core 2 Update Notification FEDORA-2005-001
http://www.redhat.com/archives/fedora-announce-list/2005-January/msg00015.html

Fedora Core 3 Update Notification FEDORA-2005-001
http://www.redhat.com/archives/fedora-announce-list/2005-January/msg00016.html

Debian Security Advisory DSA-635-1
http://www.debian.org/security/2005/dsa-635

Debian Security Advisory DSA-637-1
http://www.debian.org/security/2005/dsa-637

SUSE Security Summary Report SUSE-SR:2005:002
http://www.novell.com/linux/security/advisories/2005_02_sr.html

Red Hat Security Advisory RHSA-2005:025-08
https://rhn.redhat.com/errata/RHSA-2005-025.html

Version history

Version Comments Date
1.0 Advisory issued 2005-01-11
1.1 Advisory issued by Debian Linux (DSA-635-1) 2005-01-12
1.2 New advisory issued by Debian Linux (DSA-637-1) 2005-01-14
1.3 Advisory issued by SuSE (SUSE-SR:2005:002) 2005-01-28
2.0 Public exploit available. Advisory issued by Red Hat (RHSA-2005:025-08). 2005-02-16
Ministerio de Defensa
CNI
CCN
CCN-CERT