CVE-2019-10149 : Debian has Released Critical Security Update for Exim

Debian has released security update for exim4 package.

This release fixes vulnerability against exim4 package.

Date Reported: 05-June-2019

Fix Released On: N/A

Severity Level: Critical

Affected Packages: exim4

Affected Operating System & Version:

  • Debian 8 (Jessie) – Not Affected
  • Debian 9 (Stretch)


The Qualys Research Labs reported a flaw in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.

It’s recommended to update the Exim4 package ASAP.

For more details about the security issues, and other related information, refer to the CVE pages.

Debian Security Advisory References:

Security Database References (CVE):


  • This issue have been fixed on Debian 9 (Stretch) in version 4.89-2+deb9u4.

Run the following command to install the above updates.

$ sudo apt install --only-upgrade exim4

The installed security fixes can be verified in the package change log using the following methods.

Using manual method.

$ zgrep -i "CVE-2019-10149" /usr/share/doc/exim4/changelog.Debian.gz

Using debsecan command.

$ debsecan | grep CVE-2019-10149

Leave a Reply

Your email address will not be published. Required fields are marked *