cPanel Security Team: exim CVE-2016-1531

Background Information

On Wednesday, March 2, 2016, Exim announced a vulnerability in all versions of the Exim software.

Impact

According to Exim development: "All installations having Exim set-uid root and using 'perl_startup' are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (this is normally *any* user) can gain root privileges."

Releases

The following versions of cPanel & WHM were patched to have the correct version of Exim. All previous versions of cPanel & WHM, including 11.48.x and below, are vulnerable to a set-uid attack on Exim.

    11.50     11.50.5.0
    11.52     11.52.4.0
    11.54     11.54.0.18
    EDGE      11.55.9999.106
    CURRENT   11.54.0.18
    RELEASE   11.54.0.18
    STABLE    11.54.0.18

How to determine if your server is up to date

The updated RPMs provided by cPanel will contain a changelog entry with the CVE number. You can check for this changelog entry with the following command:

    rpm -q --changelog exim | grep CVE-2016-1531

The output should resemble the following:

    - Fixes CVE-2016-1531

What to do if you are not up to date

If your server is not running one of the above versions, update immediately. You can upgrade your server by navigating to WHM Home > cPanel > Upgrade to Latest Version and clicking "Click to Upgrade" (https://documentation.cpanel.net/display/ALD/Update+Preferences).

Alternatively, you can run the commands below to upgrade your server from the command line:

    /scripts/upcp
    /scripts/check_cpanel_rpms --fix --long-list

Verify that the new Exim RPM was installed:

    rpm -q --changelog exim | grep CVE-2016-1531

The output should resemble the following:

    - Fixes CVE-2016-1531

What has changed

Exim now provides two configuration options which limit what environment variables are available to Exim and all of its child processes. The variables are keep_environment and add_environment.
For the initial release with this feature, cPanel will set the variables as follows on all supported cPanel & WHM systems. These values can be modified in the Advanced Configuration Editor if necessary, though we advise caution about adding too many variables to keep_environment.

    /etc/exim.conf
    keep_environment = X-SOURCE : X-SOURCE-ARGS : X-SOURCE-DIR
    add_environment = PATH=/usr/local/sbin::/usr/local/bin::/sbin::/bin::/usr/sbin::/usr/bin::/sbin::/bin

Additional Information

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1531
Initial Public Disclosure: https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html
Documentation: https://documentation.cpanel.net/display/CKB/CVE-2016-1531+Exim
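To make the effect of the two options concrete, here is an added example (my own code, not cPanel's or Exim's) that models keep_environment and add_environment on the exact exim.conf values quoted above, including Exim's "::" escape for a literal colon inside a list item. The parent environment is a constructed sample, and the model handles plain variable names only (real Exim also accepts regular expressions in keep_environment).

```python
"""Model of Exim's keep_environment / add_environment filtering (added example).
Simplification: plain names only, no regular-expression items."""
import re

EXIM_CONF = """
keep_environment = X-SOURCE : X-SOURCE-ARGS : X-SOURCE-DIR
add_environment = PATH=/usr/local/sbin::/usr/local/bin::/sbin::/bin::/usr/sbin::/usr/bin::/sbin::/bin
"""  # the /etc/exim.conf settings quoted in the advisory

# Constructed sample of what an unprivileged caller's environment might contain.
PARENT_ENV = {"PATH": "/home/someuser/bin:/bin", "HOME": "/home/someuser",
              "EDITOR": "vi", "X-SOURCE": "webmail"}

def parse_exim_list(value):
    """Split an Exim colon-separated list; a literal colon is written as '::'."""
    items, current, i = [], [], 0
    while i < len(value):
        if value.startswith("::", i):      # escaped colon, stays inside the item
            current.append(":")
            i += 2
        elif value[i] == ":":              # unescaped colon separates items
            items.append("".join(current).strip())
            current = []
            i += 1
        else:
            current.append(value[i])
            i += 1
    items.append("".join(current).strip())
    return [item for item in items if item]

def parse_env_options(config_text):
    """Read keep_environment and add_environment from exim.conf text."""
    opts = {"keep_environment": [], "add_environment": []}
    for line in config_text.splitlines():
        m = re.match(r"\s*(keep_environment|add_environment)\s*=\s*(.*)$", line)
        if m:
            opts[m.group(1)] = parse_exim_list(m.group(2))
    return opts

def child_environment(parent_env, config_text):
    """Environment a process started by Exim sees under these options."""
    opts = parse_env_options(config_text)
    # keep_environment is a whitelist: every variable not listed is dropped.
    env = {k: v for k, v in parent_env.items() if k in opts["keep_environment"]}
    # add_environment entries are NAME=value and override anything kept.
    for item in opts["add_environment"]:
        name, _, value = item.partition("=")
        env[name] = value
    return env
```

With the sample above, the caller-supplied PATH, HOME and EDITOR never reach Exim's child processes; only X-SOURCE survives and PATH is replaced by the fixed value from add_environment.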