SB2012102802 - Fedora EPEL 6 update for exim
Published: October 28, 2012 Updated: April 24, 2025
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2011-1407)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The DKIM implementation in Exim 4.7x before 4.76 permits matching for DKIM identities to apply to lookup items, instead of only strings, which allows remote attackers to execute arbitrary code or access a filesystem via a crafted identity.
2) Use of externally-controlled format string (CVE-ID: CVE-2011-1764)
The vulnerability allows a remote attacker to cause a DoS condition or execute arbitrary code on the target system. The weakness exists in the dkim_exim_verify_finish function in src/dkim.c due to the use of an externally-controlled format string. A remote attacker can cause the service to crash or execute arbitrary code via format string specifiers in data used in DKIM logging, as demonstrated by an identity field containing a % (percent) character.
Successful exploitation of the vulnerability may result in system compromise.
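Added example, not Exim's own code: it reproduces the logging pattern behind CVE-2011-1764 (a log line built from the DKIM identity and then passed as the format argument) next to the hardened form that passes the line through "%s". The log_write_sink function, the log line layout and the identity value are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for a log_write()-style logging sink: whatever arrives in
 * `fmt` is handed to vsnprintf. Hypothetical, not Exim's code. */
static int log_write_sink(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the log line is composed first (embedding the
 * remotely supplied DKIM identity) and then passed as the *format*
 * argument, so every '%' in the identity is parsed as a conversion. */
int log_dkim_result_vulnerable(const char *identity, const char *status,
                               char *out, size_t outlen)
{
    char msg[256];
    snprintf(msg, sizeof msg, "DKIM: i=%s status=%s", identity, status);
    return log_write_sink(out, outlen, msg);          /* BUG: msg is the format */
}

/* Hardened form: the composed line is always data, never the format. */
int log_dkim_result_fixed(const char *identity, const char *status,
                          char *out, size_t outlen)
{
    char msg[256];
    snprintf(msg, sizeof msg, "DKIM: i=%s status=%s", identity, status);
    return log_write_sink(out, outlen, "%s", msg);    /* FIX: literal format */
}

int main(void)
{
    /* Constructed identity. "%%" is used because it is the one conversion that
     * is well defined with no arguments; any other specifier would make the
     * vulnerable call read arguments that do not exist (undefined behaviour,
     * typically a crash). */
    const char *identity = "user@%%example.org";
    char vuln[256], fixed[256];
    log_dkim_result_vulnerable(identity, "pass", vuln, sizeof vuln);
    log_dkim_result_fixed(identity, "pass", fixed, sizeof fixed);
    printf("vulnerable: %s\n", vuln);   /* "%%" was consumed: i=user@%example.org */
    printf("fixed:      %s\n", fixed);  /* logged verbatim:   i=user@%%example.org */
    return 0;
}
```

The only difference between the two logging calls is the "%s" literal; with a compiler that supports -Wformat-security, the vulnerable variant is exactly the kind of non-literal format call that warning flags.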
Remediation
Install the update from the vendor's website.