On Thu, Jun 20, 2019 at 11:26:08PM +1000, Andrew McGlashan wrote:
> Shodan [1] reports loads of vulnerable [2] servers running pre 4.92
> versions of Exim, those include Debian Exim variants reporting 4.89
> .... even for fully patched servers.

General answer:
https://www.debian.org/security/faq
(especially <https://www.debian.org/security/faq#oldversion>)

For this particular issue:
https://www.debian.org/security/2019/dsa-4456
https://security-tracker.debian.org/tracker/CVE-2019-10149

And the entry in the Debian changelog for the stretch package:

=============================================================================
exim4 (4.89-2+deb9u4) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix remote command execution vulnerability (CVE-2019-10149)

 -- Salvatore Bonaccorso <car...@debian.org>  Tue, 28 May 2019 22:13:55 +0200
=============================================================================