Debian has released security update for exim4 package.
This release fixes vulnerability against exim4 package.
Date Reported: 05-June-2019
Fix Released On: N/A
Severity Level: Critical
Affected Packages: exim4
Affected Operating System & Version:
- Debian 8 (Jessie) – Not Affected
- Debian 9 (Stretch)
The Qualys Research Labs reported a flaw in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
It’s recommended to update the Exim4 package ASAP.
For more details about the security issues, and other related information, refer to the CVE pages.
Debian Security Advisory References:
Security Database References (CVE):
- This issue have been fixed on Debian 9 (Stretch) in version 4.89-2+deb9u4.
Run the following command to install the above updates.
$ sudo apt install --only-upgrade exim4
The installed security fixes can be verified in the package change log using the following methods.
Using manual method.
$ zgrep -i "CVE-2019-10149" /usr/share/doc/exim4/changelog.Debian.gz
Using debsecan command.
$ debsecan | grep CVE-2019-10149