漏洞类别:Amazon Linux
漏洞等级: 
漏洞信息
Use-after-free in receive_msg function via vectors involving BDAT commands
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands. (CVE-2017-16943 )
Infinite loop and stack exhaustion in receive_msg function via vectors involving BDAT commands
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function. (CVE-2017-16944 )
QID Detection Logic:
This authenticated QID verifies if the version of the following files is lesser than 4.89-4.17.amzn1: exim-debuginfo,exim,exim-greylist,exim-mysql,exim-pgsql,exim-mon
漏洞危害
Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
解决方案
Please refer to Amazon advisory ALAS-2017-932 for affected packages and patching details, or update with your package manager.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
ALAS-2017-932: Amazon Linux (exim (4.89-4.17.amzn1) on i686)
ALAS-2017-932: Amazon Linux (exim (4.89-4.17.amzn1) on x86_64)
0daybank
文章评论