Amazon Linux 1 Security Advisory: ALAS-2021-1497
Advisory Release Date: 2021-05-06 19:11 Pacific
Advisory Updated Date: 2021-05-07 20:34 Pacific
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users can alter the behavior of root processes because a recipient address can contain a newline character. (CVE-2020-28015)
Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption. (CVE-2020-28017)
Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL. (CVE-2020-28018)
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code execution as root) via AUTH= in a MAIL FROM command. (CVE-2020-28021)
Note: 4.94.2 is the upstream fix release. Amazon Linux 1 ships the fixes as a backport to the 4.92 packages listed below, so `exim --version` will still report 4.92; the package release (1.27.amzn1 or later) is what indicates the fixed build.
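CVE-2020-28015 and CVE-2020-28021 are the same bug class: a client-supplied value (a recipient address, or the AUTH= parameter of MAIL FROM) is written into a line-oriented spool file without its line delimiters being neutralised, so a value containing a newline becomes an extra directive when the file is read back by a root process. The Python below is an added illustration, not Exim's code and not part of this advisory: the "-key value" header format, the directive names and the attacker input are all constructed for the example. It shows the naive writer, a reader that cannot tell an injected directive from a legitimate one, and a hardened writer that refuses any value carrying CR or LF.

```python
import re

# Hypothetical, simplified "-key value" spool header format, constructed for
# this example; it is NOT Exim's actual spool format or code.
LINE_DELIMITERS = re.compile(r"[\r\n]")


def write_header_naive(auth_id, sender, recipients):
    """Vulnerable writer: client-controlled values are interpolated verbatim."""
    lines = [f"-auth_id {auth_id}", f"-sender {sender}"]
    lines += [f"-recipient {r}" for r in recipients]
    return "\n".join(lines) + "\n"


def parse_header(text):
    """Reader side (think: the root process re-reading the spool).

    Every line starting with '-' is a directive; the reader has no way to tell
    a directive that was injected through a value from one the MTA wrote.
    """
    directives = []
    for line in text.splitlines():  # also splits on a bare CR
        if line.startswith("-"):
            key, _, value = line[1:].partition(" ")
            directives.append((key, value))
    return directives


def neutralise(value, what):
    """Reject a value that carries a line delimiter before it reaches the file."""
    if LINE_DELIMITERS.search(value):
        raise ValueError(f"{what} contains a line delimiter")
    return value


def write_header_hardened(auth_id, sender, recipients):
    """Fixed writer: every client-supplied value is checked before interpolation."""
    return write_header_naive(
        neutralise(auth_id, "auth_id"),
        neutralise(sender, "sender"),
        [neutralise(r, "recipient") for r in recipients],
    )


# Constructed attacker input: an AUTH= value carrying an embedded newline and a
# second, client-chosen directive (hypothetical directive name).
MALICIOUS_AUTH_ID = "alice\n-recipient attacker@example.com"


def demo():
    """Return (directives the naive reader sees, error from the hardened writer)."""
    naive = parse_header(
        write_header_naive(MALICIOUS_AUTH_ID, "alice@example.com", ["bob@example.com"])
    )
    try:
        write_header_hardened(MALICIOUS_AUTH_ID, "alice@example.com", ["bob@example.com"])
        hardened_error = None
    except ValueError as exc:
        hardened_error = str(exc)
    return naive, hardened_error


if __name__ == "__main__":
    seen, err = demo()
    print("naive reader sees:", seen)
    print("hardened writer:", err)
```

The reader-side parser is the important half: once the delimiter is in the file, nothing downstream can recover the original boundary, so the only sound fix is to reject (or strictly escape) CR/LF at the point where untrusted input is accepted.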
Affected Packages:
exim
Issue Correction:
Run yum update exim to update your system.
i686:
exim-mysql-4.92-1.27.amzn1.i686
exim-mon-4.92-1.27.amzn1.i686
exim-debuginfo-4.92-1.27.amzn1.i686
exim-4.92-1.27.amzn1.i686
exim-greylist-4.92-1.27.amzn1.i686
exim-pgsql-4.92-1.27.amzn1.i686
src:
exim-4.92-1.27.amzn1.src
x86_64:
exim-4.92-1.27.amzn1.x86_64
exim-mon-4.92-1.27.amzn1.x86_64
exim-greylist-4.92-1.27.amzn1.x86_64
exim-pgsql-4.92-1.27.amzn1.x86_64
exim-mysql-4.92-1.27.amzn1.x86_64
exim-debuginfo-4.92-1.27.amzn1.x86_64
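After running yum update exim, confirm that every installed exim package is at or above the fixed release. The Python script below is an added example, not part of this advisory or of Amazon's tooling. It ports rpm's rpmvercmp() ordering so that 4.92-1.26.amzn1 versus 4.92-1.27.amzn1 (or 1.9 versus 1.27, which a plain string comparison gets wrong) is decided the way rpm itself decides it, then audits a list of name/epoch/version/release records. The rpm query format and the sample rpm output embedded in the script are assumptions constructed for the example; on a real host, pipe the output of `rpm -q exim exim-mysql exim-mon exim-greylist exim-pgsql exim-debuginfo --qf '%{NAME}|%{EPOCH}|%{VERSION}|%{RELEASE}|%{ARCH}\n'` into it.

```python
import re
import sys

# Fixed (epoch, version, release) for each package named in this advisory.
FIXED_EVR = {name: (0, "4.92", "1.27.amzn1") for name in (
    "exim", "exim-mysql", "exim-mon", "exim-debuginfo", "exim-greylist", "exim-pgsql")}

# Assumed rpm query format; the '|' separator keeps rpm's
# "package X is not installed" lines from parsing as records.
QUERY_FORMAT = "%{NAME}|%{EPOCH}|%{VERSION}|%{RELEASE}|%{ARCH}\\n"

# Constructed sample output from a host that is only partly updated.
SAMPLE_RPM_OUTPUT = """\
exim|(none)|4.92|1.26.amzn1|x86_64
exim-greylist|(none)|4.92|1.27.amzn1|x86_64
package exim-mysql is not installed
"""

_SEPARATORS = re.compile(r"^[^0-9A-Za-z~^]+")
_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Separators are ignored; numeric segments compare numerically (leading
    zeros dropped) and rank above alphabetic ones; '~' sorts before anything
    (pre-releases); '^' sorts after the bare version but before other suffixes.
    """
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        one, two = _SEPARATORS.sub("", one), _SEPARATORS.sub("", two)
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if one.startswith("^") or two.startswith("^"):
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not (one and two):
            break
        isnum = one[0].isdigit()          # one[0] is ASCII alnum here
        pat = _DIGITS if isnum else _ALPHA
        seg1 = pat.match(one).group(0)
        m2 = pat.match(two)
        if m2 is None:                    # numeric segment beats alphabetic
            return 1 if isnum else -1
        seg2 = m2.group(0)
        one, two = one[len(seg1):], two[len(seg2):]
        if isnum:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0
    return -1 if not one else 1


def evr_cmp(evr_a, evr_b):
    """Compare (epoch, version, release) tuples: epoch, then version, then release."""
    (e1, v1, r1), (e2, v2, r2) = evr_a, evr_b
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def audit(rpm_output, fixed=FIXED_EVR):
    """Map each installed package in rpm_output to 'fixed', 'vulnerable' or 'not-tracked'."""
    result = {}
    for line in rpm_output.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:               # not a record (e.g. "not installed")
            continue
        name, epoch, version, release, _arch = parts
        evr = (0 if epoch == "(none)" else int(epoch), version, release)
        if name not in fixed:
            result[name] = "not-tracked"
        else:
            result[name] = "fixed" if evr_cmp(evr, fixed[name]) >= 0 else "vulnerable"
    return result


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_OUTPUT
    for pkg, status in sorted(audit(text).items()):
        print(f"{pkg}: {status}")
```

Comparing the release field matters here because the version stays 4.92 before and after the fix; a check that only looks at the version number would pass a vulnerable host.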