
Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.



On Thu, Jun 20, 2019 at 11:26:08PM +1000, Andrew McGlashan wrote:
> Shodan [1] reports loads of vulnerable [2] servers running pre 4.92
> versions of Exim, those include Debian Exim variants reporting 4.89
> .... even for fully patched servers.

General answer:

https://www.debian.org/security/faq
(especially <https://www.debian.org/security/faq#oldversion>)

For this particular issue:

https://www.debian.org/security/2019/dsa-4456
https://security-tracker.debian.org/tracker/CVE-2019-10149

And the entry in the Debian changelog for the stretch package:

=============================================================================
exim4 (4.89-2+deb9u4) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix remote command execution vulnerability (CVE-2019-10149)

 -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 28 May 2019 22:13:55 +0200
=============================================================================
