Re: [Hampshire] ssh permission denied?

Author: Imran Chaudhry
Date:  
To: hampshire
Subject: Re: [Hampshire] ssh permission denied?
> Hello,
>
> On Wed, Jan 26, 2011 at 09:34:36AM +0000, Hugo Mills wrote:
>>    It needn't be a single root-gaining attack: it could be a
>> combination of a remote non-root attack (e.g. on apache) and a local
>> root escalation.
>
> If this is a Debian install then the recent Exim exploit is a good
> candidate. I've had quite a few people caught by that and expect to
> find more who still haven't realised they've been compromised yet.
> :(
>
> Cheers,
> Andy


I get the daily-digest and have just seen Andy R's reply in the
archive, which seems to confirm that this was the culprit.

I was aware of a patch to exim just recently, from
/usr/share/doc/exim4/changelog.Debian.gz

exim4 (4.69-9+lenny1) stable-security; urgency=high

* Non-maintainer upload by the Security Team.
* Fix SMTP file descriptors being leaked to processes invoked with ${run...}
* Fix memory corruption issue in string_format(). CVE-2010-4344
* Fix potential memory pool corruption issue in internal_lsearch_find().

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4344

The unattended-upgrades package is useful here so things like this are
applied automatically (see "aptitude show unattended-upgrades").

--
GPG Key fingerprint = B323 477E F6AB 4181 9C65  F637 BC5F 7FCC 9CC9 CC7F

“Live as if you were to die tomorrow. Learn as if you were to live
forever.” - Indian political and spiritual leader Mahatma Gandhi
(1869-1948)
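
Added example (not part of the original message): one way to confirm from a Debian changelog which package version carries the fix for a given CVE, as the message does by reading changelog.Debian.gz. The function names `cve_fixed_in` and `sample_changelog` are hypothetical, and the sample changelog is constructed from the stanza quoted above plus a placeholder entry.

```shell
#!/bin/sh
# cve_fixed_in CVE_ID [FILE]
# Reads a Debian changelog (plain text) from FILE or stdin and prints
# "package version" for every stanza whose body mentions CVE_ID.
cve_fixed_in() {
    cve=$1
    shift
    awk -v cve="$cve" '
        # Stanza header: "package (version) distribution; urgency=level"
        /^[a-z0-9][a-z0-9+.-]* \([^)]+\) / {
            pkg = $1
            ver = $2
            gsub(/[()]/, "", ver)
            seen = 0
            next
        }
        # Body line naming the CVE: report the enclosing stanza once.
        index($0, cve) && pkg != "" && !seen {
            print pkg, ver
            seen = 1
        }
    ' "$@"
}

# Constructed sample input: the stanza quoted in the message, followed by
# a placeholder stanza that mentions no CVE.
sample_changelog() {
    cat <<'EOF'
exim4 (4.69-9+lenny1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix memory corruption issue in string_format(). CVE-2010-4344

 -- Constructed Maintainer <maint@example.org>  Thu, 01 Jan 1970 00:00:00 +0000

exim4 (0.0-placeholder) unstable; urgency=low

  * Constructed entry with no CVE reference.

 -- Constructed Maintainer <maint@example.org>  Thu, 01 Jan 1970 00:00:00 +0000
EOF
}

# On a real system, feed the installed changelog instead:
#   zcat /usr/share/doc/exim4/changelog.Debian.gz | cve_fixed_in CVE-2010-4344
sample_changelog | cve_fixed_in CVE-2010-4344
```

The changelog under /usr/share/doc belongs to the installed package, so a match there means the installed version already includes the fix; no output means the changelog does not mention that CVE.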