{"id":"USN-2933-1","summary":"exim4 vulnerabilities","details":"It was discovered that Exim incorrectly filtered environment variables when\nused with the perl_startup configuration option. If the perl_startup option\nwas enabled, a local attacker could use this issue to escalate their\nprivileges to the root user. This issue has been fixed by having Exim clean\nthe complete execution environment by default on startup, including any\nsubprocesses such as transports that call other programs. This change in\nbehaviour may break existing installations and can be adjusted by using two\nnew configuration options, keep_environment and add_environment.\n(CVE-2016-1531)\n\nPatrick William discovered that Exim incorrectly expanded mathematical\ncomparisons twice. A local attacker could possibly use this issue to\nperform arbitrary file operations as the Exim user. This issue only\naffected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2972)\n","modified":"2026-04-22T09:22:43.288490Z","published":"2016-03-15T12:28:25Z","related":["UBUNTU-CVE-2014-2972","UBUNTU-CVE-2016-1531"],"upstream":["CVE-2014-2972","CVE-2016-1531","UBUNTU-CVE-2014-2972","UBUNTU-CVE-2016-1531"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-2933-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-2972"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-1531"}],"affected":[{"package":{"name":"exim4","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/exim4@4.82-3ubuntu2.1?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.82-3ubuntu2.1"}]}],"versions":["4.80-7ubuntu3","4.80-7ubuntu4","4.80-9ubuntu1","4.80-9ubuntu2","4.82-3ubuntu1","4.82-3ubuntu2"],"ecosystem_specific":{"binaries":[{"binary_version":"4.82-3ubuntu2.1","binary_name":"exim4"},{"binary_version":"4.82-3ubuntu2.1","binary_name":"exim4-base"},{"binary_version":"4.82-3ubuntu2.1","binary_name":"exim4-config"},{"binary_version":"4.82-3ubuntu2.1","binary_name":"exim4-daemon-heavy"},{"binary_version":"4.82-3ubuntu2.1","binary_name":"exim4-daemon-light"},{"binary_version":"4.82-3ubuntu2.1","binary_name":"eximon4"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2014-2972","severity":[{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2016-1531","severity":[{"score":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:14.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2933-1.json"}}],"schema_version":"1.7.5"}